https://community.cisco.com/t5/network-access-control/enable-mode-with-aaa-acs/m-p/121197#M438509 <HTML><HEAD></HEAD><BODY><P>Hello:</P><P></P><P>A while back you had asked for assistance regarding setting up TACAS to the router logins to skip over to enable mode. I am currently trying to get this to work myself. Would it be possbile for you to post your working configuration (minus passwords of course), on the Cisco site? Also, any comments regarding what you had to do on the CiscoSecure site would be useful as well. </P><P></P><P>Thank you in advance.</P></BODY></HTML> Mon, 03 Feb 2003 19:19:46 GMT ed.daly 2003-02-03T19:19:46Z https://community.cisco.com/t5/network-access-control/enable-mode-with-aaa-acs/m-p/121189#M438501 <P> I'm trying to config a 12.0(5.1)XP 2900XL IOS switch to automatically go into enable mode once authenticated, without having to enter "enable." I'm running ACS3.1. Her is the AAA config:</P><P></P><P>aaa new-model</P><P>aaa authentication login default group tacacs+ local-case</P><P>aaa authentication login LOCAL local-case none</P><P>aaa authentication enable default group tacacs+ enable</P><P>aaa authorization exec default if-authenticated group tacacs+</P><P>aaa authorization commands 0 default local group tacacs+ if-authenticated</P><P>aaa authorization commands 15 default local group tacacs+ if-authenticated</P><P>aaa accounting update newinfo</P><P>aaa accounting exec default start-stop group tacacs+</P><P>aaa accounting exec LOCAL start-stop group tacacs+</P><P>aaa accounting commands 0 default start-stop group tacacs+</P><P>aaa accounting commands 0 LOCAL start-stop group tacacs+</P><P>aaa accounting commands 15 default start-stop group tacacs+</P><P>aaa accounting commands 15 LOCAL start-stop group tacacs+</P><P>aaa accounting system default start-stop group tacacs+</P><P></P><P></P> Sun, 10 Mar 2019 14:05:36 GMT https://community.cisco.com/t5/network-access-control/enable-mode-with-aaa-acs/m-p/121189#M438501 gamoore 2019-03-10T14:05:36Z https://community.cisco.com/t5/network-access-control/enable-mode-with-aaa-acs/m-p/121190#M438502 <HTML><HEAD></HEAD><BODY><P>If you assign privilege level 15 to the user or group, EXEC authorization takes care of this with the service=shell, set-priv-lvl=15 Attribute Value Pair.</P><P></P><P>You have aaa authorization exec configured correctly, assign priv 15 and see if it works. If you do have it assigned and it is not working, let us know, there are some other issues that may be causing this....</P><P></P><P></P></BODY></HTML> Thu, 02 Jan 2003 13:50:05 GMT https://community.cisco.com/t5/network-access-control/enable-mode-with-aaa-acs/m-p/121190#M438502 4brown 2003-01-02T13:50:05Z https://community.cisco.com/t5/network-access-control/enable-mode-with-aaa-acs/m-p/121191#M438503 <HTML><HEAD></HEAD><BODY><P> I set the Service=shell and Privlege Level=15 on both the users and group levels areas of the ACS, and neither did the trick.</P></BODY></HTML> Fri, 03 Jan 2003 04:22:57 GMT https://community.cisco.com/t5/network-access-control/enable-mode-with-aaa-acs/m-p/121191#M438503 gamoore 2003-01-03T04:22:57Z https://community.cisco.com/t5/network-access-control/enable-mode-with-aaa-acs/m-p/121192#M438504 <HTML><HEAD></HEAD><BODY><P>I forgot to mention that I'm using ACS for WIndows.</P></BODY></HTML> Fri, 03 Jan 2003 05:31:55 GMT https://community.cisco.com/t5/network-access-control/enable-mode-with-aaa-acs/m-p/121192#M438504 gamoore 2003-01-03T05:31:55Z https://community.cisco.com/t5/network-access-control/enable-mode-with-aaa-acs/m-p/121193#M438505 <HTML><HEAD></HEAD><BODY><P>Does it work on vty (telnet) sessions and not the console? If so, try:</P><P></P><P>aaa authorization console</P><P></P><P></P></BODY></HTML> Fri, 03 Jan 2003 10:59:10 GMT https://community.cisco.com/t5/network-access-control/enable-mode-with-aaa-acs/m-p/121193#M438505 4brown 2003-01-03T10:59:10Z https://community.cisco.com/t5/network-access-control/enable-mode-with-aaa-acs/m-p/121194#M438506 <HTML><HEAD></HEAD><BODY><P>It doesn't work on vty connections. Before I added the ACS server, it was working on vty connections using local username and password authentication with the following AAA config.</P><P></P><P>hostname s1-carson</P><P>!</P><P>aaa new-model</P><P>aaa authentication password-prompt Password:</P><P>aaa authentication username-prompt Username:</P><P>aaa authentication login default local-case enable</P><P>aaa authorization exec default local none</P><P>aaa authorization commands 15 default local none</P><P>enable secret 5 ***** Text Removed *****</P><P>!</P><P>username ** removed ** psnet privilege 15 password 7 ** removed **</P><P>!</P><P>!</P><P>!</P><P>!</P><P>line con 0</P><P> transport input none</P><P> stopbits 1</P><P>line vty 0 4</P><P> length 25</P><P>line vty 5 15</P><P>!</P><P></P><P></P></BODY></HTML> Sat, 04 Jan 2003 22:58:06 GMT https://community.cisco.com/t5/network-access-control/enable-mode-with-aaa-acs/m-p/121194#M438506 gamoore 2003-01-04T22:58:06Z https://community.cisco.com/t5/network-access-control/enable-mode-with-aaa-acs/m-p/121195#M438507 <HTML><HEAD></HEAD><BODY><P>Try changing:</P><P></P><P>aaa authorization exec default if-authenticated group tacacs+ </P><P></P><P>to:</P><P></P><P>aaa authorization exec default group tacacs+ none</P><P></P><P>I think the if-authenticated is being used instead of the TACACS server attributes cause you have it first. In fact, the TACACS server will never be used for authorization with your current setup because the "if-authenticated" will always be used first and will never fail (unless authentication fails first). </P><P></P></BODY></HTML> Mon, 06 Jan 2003 02:42:34 GMT https://community.cisco.com/t5/network-access-control/enable-mode-with-aaa-acs/m-p/121195#M438507 gfullage 2003-01-06T02:42:34Z https://community.cisco.com/t5/network-access-control/enable-mode-with-aaa-acs/m-p/121196#M438508 <HTML><HEAD></HEAD><BODY><P>Thanks that did the trick!!!</P></BODY></HTML> Tue, 07 Jan 2003 08:16:47 GMT https://community.cisco.com/t5/network-access-control/enable-mode-with-aaa-acs/m-p/121196#M438508 gamoore 2003-01-07T08:16:47Z https://community.cisco.com/t5/network-access-control/enable-mode-with-aaa-acs/m-p/121197#M438509 <HTML><HEAD></HEAD><BODY><P>Hello:</P><P></P><P>A while back you had asked for assistance regarding setting up TACAS to the router logins to skip over to enable mode. I am currently trying to get this to work myself. Would it be possbile for you to post your working configuration (minus passwords of course), on the Cisco site? Also, any comments regarding what you had to do on the CiscoSecure site would be useful as well. </P><P></P><P>Thank you in advance.</P></BODY></HTML> Mon, 03 Feb 2003 19:19:46 GMT https://community.cisco.com/t5/network-access-control/enable-mode-with-aaa-acs/m-p/121197#M438509 ed.daly 2003-02-03T19:19:46Z https://community.cisco.com/t5/network-access-control/enable-mode-with-aaa-acs/m-p/121198#M438510 <HTML><HEAD></HEAD><BODY><P>This is part of EXEC authorization when the user logs in:</P><P></P><P>aaa new-model</P><P>aaa authentication login default group tacacs+ local</P><P>aaa authorization exec default group tacacs+ local </P><P>tac server <IP address=""> key <KEY></KEY></IP></P><P></P><P>username foo privilege 15 password bar</P><P></P><P>Assign the user or group privilege level 15 and away you go. You can use your local account if the connection to the tac+ server goes down or you receive an error for things like a key mismatch.</P><P></P><P>There are oodles of examples on cisco.com. Here is a good reference:</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/pcgi-bin/Support/browse/psp_view.pl?p=Internetworking:Tacacs_plus&amp;s=Implementation_and_Configuration" target="_blank">http://www.cisco.com/pcgi-bin/Support/browse/psp_view.pl?p=Internetworking:Tacacs_plus&amp;s=Implementation_and_Configuration</A></P><P></P><P></P><P></P><P></P><P></P></BODY></HTML> Wed, 05 Feb 2003 01:11:03 GMT https://community.cisco.com/t5/network-access-control/enable-mode-with-aaa-acs/m-p/121198#M438510 4brown 2003-02-05T01:11:03Z