topic Re: TACACS+ authentication asking for enable password -- CISCO ACS in Network Access Control

TACACS+ authentication asking for enable password -- CISCO ACS

joseluis — Wed, 29 Aug 2018 02:57:07 GMT

Hi Cisco Community,

I'm new on configuring tacacs, hope you can help me.

I have a issue, every time I log in using my TACACS+ account it still ask me for the enable password

based on the config below, what is the command here that still asks me for the enable password? or should I delete the enable password itself to bypass that?

my goal is:

1. whenever I logged in my credentials using my tacacs+ account, i can proceed already to priv mode and the device should not ask for the enable password.

2. are all the config here are necessary? if no, can you help me identify what are the unnecessary commands to achieve goal 1?

CONFIG:

aaa new-model
aaa group server tacacs+ default
server 172.x.x.x
!
aaa group server tacacs+ ciscosecure
server 172.x.x.x.x
!
aaa authentication login default group tacacs+ line
aaa authentication login console line none
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
aaa session-id common

tacacs-server host 172.x.x.x
tacacs-server directed-request
tacacs-server key 7 030A0B090A1A2F481D1B
radius-server source-ports 1645-1646

Re: TACACS+ authentication asking for enable password -- CISCO ACS

Cory Peterson — Wed, 29 Aug 2018 11:41:01 GMT

You need to set this in ISE:

Re: TACACS+ authentication asking for enable password -- CISCO ACS

paul — Wed, 29 Aug 2018 12:54:17 GMT

Actually you are missing the key line to do privilege level modification:

aaa authorization exec default group tacacs+ none

Also I would question why you are authorizing level 0 commands. There are no commands there that can do any changes or hurt the functioning of the device. I usually authorize levevl 15, but account for 0, 1 and 15.

Finally, do you have a use case to specifically authorize configuration commands?

Re: TACACS+ authentication asking for enable password -- CISCO ACS

Cory Peterson — Wed, 29 Aug 2018 12:57:03 GMT

I missed that one, thanks Paul!

Re: TACACS+ authentication asking for enable password -- CISCO ACS

joseluis — Thu, 30 Aug 2018 00:44:36 GMT

Hi Cory,

Apparently im using an old version of ACS. 😞

Re: TACACS+ authentication asking for enable password -- CISCO ACS

joseluis — Thu, 30 Aug 2018 00:47:28 GMT

Hi Paul,

I just saw the configuration here and planning also to remove the "0" since it cant do anything.

aaa authorization exec default group tacacs+ none --> for this one, shouldn't I use local instead of none on all my configs? so If the tacacs server is down, i can still access the device using the local password?

Re: TACACS+ authentication asking for enable password -- CISCO ACS

paul — Thu, 30 Aug 2018 00:51:48 GMT

Yep local is good. None works too but I usually use local. I must have copied from old template

Re: TACACS+ authentication asking for enable password -- CISCO ACS

joseluis — Thu, 30 Aug 2018 00:55:48 GMT

Yes sir, but that's the use of "local" right? if the tacacs server is not reachable from the network device, it will use the local credentials. If I use the "none" command, if the device cannot reach the tacacs server it will not look for the local credentials also, so no way of accessing it? Please correct me if I'm wrong.

Re: TACACS+ authentication asking for enable password -- CISCO ACS

paul — Thu, 30 Aug 2018 00:58:48 GMT

I haven’t used none in a while but I believe you are saying don’t run authorization exec. Local allows you to set privilege level on your back door account and go right to # when tacacs is down.

Re: TACACS+ authentication asking for enable password -- CISCO ACS

joseluis — Thu, 30 Aug 2018 01:12:56 GMT

Sorry can you elaborate more please? I'm new on tacacs topic. Your feedback is highly appreciated 🙂

Re: TACACS+ authentication asking for enable password -- CISCO ACS

paul — Thu, 30 Aug 2018 03:01:56 GMT

The only setting that absolutely have to have a backup method of local is your authentication line. That is what allows the device to fail back to the local user database. The accounting would never really have a backup method. The authorization you can use none, local, if-authenticated and they will all let you in I believe. The best choice is local though because it will also take the privilege level you set on the local username and pass you into # prompt of you want.

I would also start using the newest style syntax if your devices support it. Here is the newest style:

username <backdoor account> privilege 15 secret 0 <password>

tacacs server SERVER-1
key 0 <TACACS Key>
address ipv4 <IP>

single-connection
!

tacacs server SERVER-2
key 0 <TACACS Key>
address ipv4 <IP>

single-connection

!
aaa group server tacacs+ TACACS
server name SERVER-1
server name SERVER-2
ip tacacs source-interface<source VLAN/interface>

aaa authentication login default group TACACS local
aaa authorization exec default group TACACS local
aaa authorization commands 15 default group TACACS if-authenticated
!aaa authorization config-commands (I don't use this unless specific use case
aaa accounting exec default start-stop group TACACS

aaa accounting commands 0 default stop-only group TACACS

aaa accounting commands 1 default stop-only group TACACS
aaa accounting commands 15 default stop-only group TACACS

Re: TACACS+ authentication asking for enable password -- CISCO ACS

joseluis — Fri, 31 Aug 2018 00:45:39 GMT

Hi Paul,

I appreciate your answer so much. Thank you sir!

Re: TACACS+ authentication asking for enable password -- CISCO ACS

ambeshkumar-tripathi — Fri, 13 Dec 2024 12:45:21 GMT

configure below and test

tacacs-server attribute allow unknown