https://community.cisco.com/t5/network-access-control/cant-enter-enable-mode-after-tacacs-basic-configuration-error-in/m-p/4159442#M563105 <P>The "error in authentication" issue is related to authorization not being configured.&nbsp; You configured aaa authentication but you also have to configure authorization so the switch knows what privilege level to put the user into.&nbsp; The command you need is the "aaa authorization exec" method list.&nbsp; You can point that to TACACS as well and just make sure your policy in ISE is returning an appropriate privilege level such as 15.</P> Wed, 30 Sep 2020 13:44:19 GMT Colby LeMaire 2020-09-30T13:44:19Z https://community.cisco.com/t5/network-access-control/cant-enter-enable-mode-after-tacacs-basic-configuration-error-in/m-p/4016900#M440511 <P><BR />Hello,</P><P>I have recently tried to configure TACACS+ on one of my Cisco switch WS-C3850-48T through remote login. After configuration I logged out of the switch and later when I was trying to login again it was showing enable password error. We have never set any enable password.</P><P>Below is the config done:-</P><P>aaa new-model<BR />tacacs-server host 10.xx.xx.xx<BR />tacacs-server key XXXXXXX<BR />aaa authentication login default group tacacs+ local<BR />line vty 0 15<BR />login authentication default</P><P>Now today when I am again trying to login its now showing "% error in authentication". Yesterday it was giving enable password prompt but today its not even giving us password prompt. We have switched off our TACACS+ server and still not getting enable password prompt. Our environment is setup in a way that in every switch it doesnt asks for enable password.</P><P>Switch01&gt;enable<BR />% Error in authentication.</P><P>Now we just want to remove the above done configuration. Please suggest in order to resolve the above issue. And please let us know if there is any other solution apart from console login and how to do it ?<span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="config.PNG" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/65749iAAA5734DC4896F66/image-size/medium?v=v2&amp;px=400" role="button" title="config.PNG" alt="config.PNG" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="error in authentication.png" style="width: 200px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/65750iE47BDB3A857968C9/image-size/small?v=v2&amp;px=200" role="button" title="error in authentication.png" alt="error in authentication.png" /></span></P><P>&nbsp;</P> Thu, 23 Jan 2020 09:58:34 GMT https://community.cisco.com/t5/network-access-control/cant-enter-enable-mode-after-tacacs-basic-configuration-error-in/m-p/4016900#M440511 prabhatei7 2020-01-23T09:58:34Z https://community.cisco.com/t5/network-access-control/cant-enter-enable-mode-after-tacacs-basic-configuration-error-in/m-p/4016999#M440513 <P>Hi</P><P>&nbsp;</P><P>If you can't access the switch terminal and have snmp enabled, you can try using "<STRONG>snmpset</STRONG>" to upload a new startip-config to the switch and then reload it.</P><P>&nbsp;</P><P>Details are here:</P><P>&nbsp;</P><P><A href="https://www.ciscozine.com/send-cisco-commands-via-snmp/" target="_blank">https://www.ciscozine.com/send-cisco-commands-via-snmp/</A></P><P>&nbsp;</P><P>I've used snmpset in the past to reload switches - only catch was that the soucre ip used to send the command must be permitted in any snmp acl on the switch.</P><P>&nbsp;</P><P>hth<BR />Andy</P> Thu, 23 Jan 2020 12:31:42 GMT https://community.cisco.com/t5/network-access-control/cant-enter-enable-mode-after-tacacs-basic-configuration-error-in/m-p/4016999#M440513 andrewswanson 2020-01-23T12:31:42Z https://community.cisco.com/t5/network-access-control/cant-enter-enable-mode-after-tacacs-basic-configuration-error-in/m-p/4159429#M563103 <P>Hi Andy,</P><P>&nbsp;</P><P>Thank you for your swift response.</P><P>&nbsp;</P><P>I just wanted to know that will I be able to use the command without enable mode. Because I'm not able to get into enable mode since I have configured tacacs on it.</P><P>&nbsp;</P><P>I dont know why it's not allowing me to enter into enable mode and all passwords are failing.</P><P>&nbsp;</P><P>I m able to login to the device but when I'm trying to get into enable mode it's not accepting any password. I just wanted to reload it because I have not saved the configuration for tacacs+&nbsp;</P><P>&nbsp;</P><P>Switch is running fine and only problem is enable mode&nbsp;</P> Wed, 30 Sep 2020 13:27:23 GMT https://community.cisco.com/t5/network-access-control/cant-enter-enable-mode-after-tacacs-basic-configuration-error-in/m-p/4159429#M563103 prabhatei7 2020-09-30T13:27:23Z https://community.cisco.com/t5/network-access-control/cant-enter-enable-mode-after-tacacs-basic-configuration-error-in/m-p/4159442#M563105 <P>The "error in authentication" issue is related to authorization not being configured.&nbsp; You configured aaa authentication but you also have to configure authorization so the switch knows what privilege level to put the user into.&nbsp; The command you need is the "aaa authorization exec" method list.&nbsp; You can point that to TACACS as well and just make sure your policy in ISE is returning an appropriate privilege level such as 15.</P> Wed, 30 Sep 2020 13:44:19 GMT https://community.cisco.com/t5/network-access-control/cant-enter-enable-mode-after-tacacs-basic-configuration-error-in/m-p/4159442#M563105 Colby LeMaire 2020-09-30T13:44:19Z