topic Re: Privilege mode authentication using Tacacs for Cisco Routers in Network Access Control

Privilege mode authentication using Tacacs for Cisco Routers

uzmausmani — Mon, 11 Mar 2019 00:28:09 GMT

I am trying to set up a test environment where I need to be able to be asked for both a username and password while entering enable mode from exec mode on a cisco IOS router. I was told the only way to do that is through Tacacs. But I've not seen any such configuration options on Tacacs in order to set it up right. Has someone ever did a setup like this before. I would appreciate any help on this. Thanks.

Re: Privilege mode authentication using Tacacs for Cisco Routers

aneelaka — Tue, 05 Oct 2010 22:19:03 GMT

when the aaa authentication enable default group tacacs+ command or the aaa authentication enable default group command that points towards a TACACS+ server group is configured authentication happens using username $enab15$, so you dont get the username prompt only the password prompt.

https://supportforums.cisco.com/docs/DOC-4317;jsessionid=0AD3918732307A3063A5650DC50908C9.node0

Re: Privilege mode authentication using Tacacs for Cisco Routers

uzmausmani — Wed, 06 Oct 2010 17:25:22 GMT

I do realise that but that doesnt solve my problem. I have a customer who has this environment where the cisco IOS router prompts for a username

and password upon entering enable mode. I'm trying to replicate that test environment. If the router accepts a default username from Tacacs that doesnt create the setup I'm looking to establish. Is there is way to setup Tacacs to prompt for a username and password instead of using the default one?

Re: Privilege mode authentication using Tacacs for Cisco Routers

aneelaka — Wed, 06 Oct 2010 18:07:54 GMT

Make sure your IOS upgraded to the latest version and try the below config:

aaa authentication login default group tacacs+
aaa authentication enable default group tacacs+

tacacs-server host 10.76.86.85
tacacs-server directed-request
tacacs-server key cisco123

line vty 0 4
login authentication default

On ACS server under the user specify the enable password

Re: Privilege mode authentication using Tacacs for Cisco Routers

uzmausmani — Wed, 06 Oct 2010 20:55:07 GMT

I tried that. It wouldnt even give me a login prompt on telnet. It just connected and after throwing me the start banner.. after a certain time it timed out..never even asked me a login.?

Re: Privilege mode authentication using Tacacs for Cisco Routers

uzmausmani — Thu, 07 Oct 2010 16:06:41 GMT

Okay..now I've gotten it to where its asking me for username password for exec level..but it still only asks me enable password..still doesnt ask me for username when I try to get into enable mode...Is there any group setting I need change in order to accomplish that?

Re: Privilege mode authentication using Tacacs for Cisco Routers

aneelaka — Thu, 07 Oct 2010 17:37:10 GMT

now for the password prompt you need to enter the enable password you entered in the ACS user setup, ena

ble password. Also you can turn on debug aaa authentication and debug tacacs to see more de
tails.

Re: Privilege mode authentication using Tacacs for Cisco Routers

uzmausmani — Thu, 07 Oct 2010 19:04:58 GMT

I'm still confused. I dont know how to get it to throw the prompt for "username" at me when I try to enter enable mode. Did I miss something here?

Re: Privilege mode authentication using Tacacs for Cisco Routers

jedubois — Thu, 07 Oct 2010 20:20:20 GMT

Hello,

To clear up some confusion here can you post the full show run from your device minus the interface/acl configuration for brevity please.

--Jesse

Re: Privilege mode authentication using Tacacs for Cisco Routers

uzmausmani — Thu, 07 Oct 2010 20:29:12 GMT

version 12.3

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

service compress-config

hostname 2621-3

boot-start-marker

boot system flash c2600-i-mz.123-26.bin

boot-end-marker

logging buffered 5001 debugging

no logging console

no logging monitor

enable password cisco

memory-size iomem 10

clock timezone CST -7

clock summer-time CST recurring

aaa new-model

aaa authentication login default local

aaa authentication enable default group tacacs+

aaa authorization exec default group tacacs+ local

aaa session-id common

ip subnet-zero

ip cef

no ip domain lookup

ip domain name int.voyence.com

ip name-server 192.168.21.5

!key chain jetef

key 10

key-string c1sco

modemcap entry ZOOM

username jeff password 0 jeff

tacacs-server host 192.168.21.230 key cisco
tacacs-server host 10.6.230.32
tacacs-server directed-request
tacacs-server key dakey
line con 0
exec-timeout 15 0
logging synchronous
speed 115200
line aux 0
exec-timeout 15 0
password 7 104D000A0618
logging synchronous
modem InOut
modem autoconfigure discovery
terminal-type monitor
transport input all
stopbits 1
flowcontrol hardware
line vty 0 4
exec-timeout 15 0
password cisco
private
logging synchronous
!

Re: Privilege mode authentication using Tacacs for Cisco Routers

jedubois — Thu, 07 Oct 2010 20:36:38 GMT

Why are you trying to do local authentication to the router but TACACS+ authentication to the enable prompt?

You will not be prompted for a username when going into the enable prompt, in IOS when going into enable it will use the username you are currently logged in as and prompt for a password only.

I would suggest going with both exec and enable authentication using TACACS+ in this case as previously suggested:

aaa authentication login default group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa authorization exec default group tacacs+ local

--Jesse

Re: Privilege mode authentication using Tacacs for Cisco Routers

uzmausmani — Thu, 07 Oct 2010 20:45:56 GMT

I had done that before but it wasnt working. Okay..I tried it again and still no luck. It doesnt prompt me for username again

on entering enable mode.

AUTHENTICATION REQUIRED

Username: uzma
Password:

=============================================================================
= REMINDER: All activities on this device are monitored =
= *** All changes MUST be approved prior to execution *** =
=============================================================================

2621-3>en
Password:
2621-3#

Re: Privilege mode authentication using Tacacs for Cisco Routers

jedubois — Thu, 07 Oct 2010 20:53:59 GMT

This is correct, as I stated in my previous post you can no accomplish what you are trying to do. In IOS the username you use to log in

to the router is ALWAYS used when you enter enable mode. If you want to change the user you are logged in as you will need to log out of the

router and log back in with the correct user.

--Jesse

Re: Privilege mode authentication using Tacacs for Cisco Routers

uzmausmani — Thu, 07 Oct 2010 20:58:30 GMT

hmm..so you're saying what I'm trying to setup isnt possible? I'll check with

the customer as to how they have set this up. Thanks.