https://community.cisco.com/t5/network-access-control/aaa-authentication-problem/m-p/695852#M422285 <P>I've setup my AAA config as follows "aaa authentication login default group tacacs+ enable". When I test config with SSH (ACS turned off)to the router I cannot login using the enable password. The same does not work when trying to connect with Con0. How can I correct this problem. Forum help is much appreciated, thanks all.</P><P> </P><P></P><P> </P><P></P> Sun, 10 Mar 2019 21:52:36 GMT ms4561 2019-03-10T21:52:36Z https://community.cisco.com/t5/network-access-control/aaa-authentication-problem/m-p/695852#M422285 <P>I've setup my AAA config as follows "aaa authentication login default group tacacs+ enable". When I test config with SSH (ACS turned off)to the router I cannot login using the enable password. The same does not work when trying to connect with Con0. How can I correct this problem. Forum help is much appreciated, thanks all.</P><P> </P><P></P><P> </P><P></P> Sun, 10 Mar 2019 21:52:36 GMT https://community.cisco.com/t5/network-access-control/aaa-authentication-problem/m-p/695852#M422285 ms4561 2019-03-10T21:52:36Z https://community.cisco.com/t5/network-access-control/aaa-authentication-problem/m-p/695853#M422286 <HTML><HEAD></HEAD><BODY><P>You have authorization only with tacacs+, can you try following command</P><P>aaa authorization exec default group tacacs+ none </P><P>M.</P><P></P></BODY></HTML> Wed, 13 Dec 2006 07:19:47 GMT https://community.cisco.com/t5/network-access-control/aaa-authentication-problem/m-p/695853#M422286 m.sir 2006-12-13T07:19:47Z https://community.cisco.com/t5/network-access-control/aaa-authentication-problem/m-p/695854#M422287 <HTML><HEAD></HEAD><BODY><P>I agree that the configuration of aaa authentication login looks ok (I would probably use line as the alternative method instead of enable - but it should work with either) and that the issue is the configuration of authorization:</P><P>aaa authorization exec default group tacacs+ </P><P>this provides no alternative method. And I suspect that if you look carefully at the error message when you attempt to login without TACACS the error is actually about authorization rather than about authentication. The suggestion of:</P><P>aaa authorization exec default group tacacs+ none </P><P>should be ok. I have used this way with success:</P><P>aaa authorization exec default group tacacs+ if-authenticated</P><P></P><P>HTH</P><P></P><P>Rick </P></BODY></HTML> Wed, 13 Dec 2006 18:03:53 GMT https://community.cisco.com/t5/network-access-control/aaa-authentication-problem/m-p/695854#M422287 Richard Burts 2006-12-13T18:03:53Z