https://community.cisco.com/t5/network-access-control/tacacs-telnet-login-authentication-local-enable-passwords/m-p/81177#M7220 <HTML><HEAD></HEAD><BODY><P>I've added that into the config on the switch, now I cannot get telnet access, just get 'authorization failed' message. I can still gain access through the console though. What has happened? Here's the current config:</P><P></P><P>aaa new-model</P><P>aaa authentication login default group tacacs+</P><P>aaa authorization exec default group tacacs+</P><P>aaa authorization network default group tacacs+</P><P>aaa accounting exec default start-stop group tacacs+</P><P>aaa accounting network default start-stop group tacacs+</P><P>enable secret 5 $1$DC0B******************</P><P>enable password *******************</P><P></P><P>If I take out the line "aaa authorization exec default group tacacs+", I can then telnet into the box again.</P><P></P><P>Here's the debug info for aaa authorization when that line is added:</P><P></P><P>18:22:29: AAA: parse name=tty1 idb type=-1 tty=-1</P><P>18:22:29: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 chann</P><P>el=0</P><P>18:22:29: AAA/MEMORY: create_user (0x80E58080) user='' ruser='' port='tty1' rem_</P><P>addr='172.17.4.10' authen_type=ASCII service=LOGIN priv=1</P><P>18:22:43: tty1 AAA/AUTHOR/EXEC (2173575078): Port='tty1' list='' service=EXEC</P><P>18:22:43: AAA/AUTHOR/EXEC: tty1 (2173575078) user='carlina'</P><P>18:22:43: tty1 AAA/AUTHOR/EXEC (2173575078): send AV service=shell</P><P>18:22:43: tty1 AAA/AUTHOR/EXEC (2173575078): send AV cmd*</P><P>18:22:43: tty1 AAA/AUTHOR/EXEC (2173575078): found list "default"</P><P>18:22:43: tty1 AAA/AUTHOR/EXEC (2173575078): Method=tacacs+ (tacacs+)</P><P>18:22:43: AAA/AUTHOR/TAC+: (2173575078): user=carlina</P><P>18:22:43: AAA/AUTHOR/TAC+: (2173575078): send AV service=shell</P><P>18:22:43: AAA/AUTHOR/TAC+: (2173575078): send AV cmd*</P><P>18:22:44: AAA/AUTHOR (2173575078): Post authorization status = FAIL</P><P>18:22:44: AAA/AUTHOR/EXEC: Authorization FAILED</P><P>18:22:46: AAA/MEMORY: free_user (0x80E58080) user='carlina' ruser='' port='tty1'</P><P> rem_addr='172.17.4.10' authen_type=ASCII service=LOGIN priv=1</P><P></P><P>Thanks for any help you could provide.</P><P></P></BODY></HTML> Mon, 11 Nov 2002 15:53:33 GMT aecarlin 2002-11-11T15:53:33Z https://community.cisco.com/t5/network-access-control/tacacs-telnet-login-authentication-local-enable-passwords/m-p/81175#M7208 <P>I've managed to configure TACACS+ authentication for telnet sessions to some network devices and it works great. The only problem is that you when you switch to enable mode you need to specify the local enable password.</P><P></P><P>Is there a way to configure a device so that once a user is authenticated via tacacs+, they will no longer need to provide any more passwords?</P><P></P><P>Cheers</P><P></P><P></P> Fri, 21 Feb 2020 18:05:09 GMT https://community.cisco.com/t5/network-access-control/tacacs-telnet-login-authentication-local-enable-passwords/m-p/81175#M7208 aecarlin 2020-02-21T18:05:09Z https://community.cisco.com/t5/network-access-control/tacacs-telnet-login-authentication-local-enable-passwords/m-p/81176#M7215 <HTML><HEAD></HEAD><BODY><P>Yes, use:</P><P></P><P>aaa authorization exec default tacacs+</P><P></P><P>and assign the user/group privilege level 15</P></BODY></HTML> Mon, 11 Nov 2002 14:21:55 GMT https://community.cisco.com/t5/network-access-control/tacacs-telnet-login-authentication-local-enable-passwords/m-p/81176#M7215 4brown 2002-11-11T14:21:55Z https://community.cisco.com/t5/network-access-control/tacacs-telnet-login-authentication-local-enable-passwords/m-p/81177#M7220 <HTML><HEAD></HEAD><BODY><P>I've added that into the config on the switch, now I cannot get telnet access, just get 'authorization failed' message. I can still gain access through the console though. What has happened? Here's the current config:</P><P></P><P>aaa new-model</P><P>aaa authentication login default group tacacs+</P><P>aaa authorization exec default group tacacs+</P><P>aaa authorization network default group tacacs+</P><P>aaa accounting exec default start-stop group tacacs+</P><P>aaa accounting network default start-stop group tacacs+</P><P>enable secret 5 $1$DC0B******************</P><P>enable password *******************</P><P></P><P>If I take out the line "aaa authorization exec default group tacacs+", I can then telnet into the box again.</P><P></P><P>Here's the debug info for aaa authorization when that line is added:</P><P></P><P>18:22:29: AAA: parse name=tty1 idb type=-1 tty=-1</P><P>18:22:29: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 chann</P><P>el=0</P><P>18:22:29: AAA/MEMORY: create_user (0x80E58080) user='' ruser='' port='tty1' rem_</P><P>addr='172.17.4.10' authen_type=ASCII service=LOGIN priv=1</P><P>18:22:43: tty1 AAA/AUTHOR/EXEC (2173575078): Port='tty1' list='' service=EXEC</P><P>18:22:43: AAA/AUTHOR/EXEC: tty1 (2173575078) user='carlina'</P><P>18:22:43: tty1 AAA/AUTHOR/EXEC (2173575078): send AV service=shell</P><P>18:22:43: tty1 AAA/AUTHOR/EXEC (2173575078): send AV cmd*</P><P>18:22:43: tty1 AAA/AUTHOR/EXEC (2173575078): found list "default"</P><P>18:22:43: tty1 AAA/AUTHOR/EXEC (2173575078): Method=tacacs+ (tacacs+)</P><P>18:22:43: AAA/AUTHOR/TAC+: (2173575078): user=carlina</P><P>18:22:43: AAA/AUTHOR/TAC+: (2173575078): send AV service=shell</P><P>18:22:43: AAA/AUTHOR/TAC+: (2173575078): send AV cmd*</P><P>18:22:44: AAA/AUTHOR (2173575078): Post authorization status = FAIL</P><P>18:22:44: AAA/AUTHOR/EXEC: Authorization FAILED</P><P>18:22:46: AAA/MEMORY: free_user (0x80E58080) user='carlina' ruser='' port='tty1'</P><P> rem_addr='172.17.4.10' authen_type=ASCII service=LOGIN priv=1</P><P></P><P>Thanks for any help you could provide.</P><P></P></BODY></HTML> Mon, 11 Nov 2002 15:53:33 GMT https://community.cisco.com/t5/network-access-control/tacacs-telnet-login-authentication-local-enable-passwords/m-p/81177#M7220 aecarlin 2002-11-11T15:53:33Z https://community.cisco.com/t5/network-access-control/tacacs-telnet-login-authentication-local-enable-passwords/m-p/81178#M7223 <HTML><HEAD></HEAD><BODY><P>You need the service=shell AVP</P><P></P><P>Check out:</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/warp/public/480/PRIV.html" target="_blank">http://www.cisco.com/warp/public/480/PRIV.html</A></P></BODY></HTML> Mon, 11 Nov 2002 15:57:04 GMT https://community.cisco.com/t5/network-access-control/tacacs-telnet-login-authentication-local-enable-passwords/m-p/81178#M7223 4brown 2002-11-11T15:57:04Z https://community.cisco.com/t5/network-access-control/tacacs-telnet-login-authentication-local-enable-passwords/m-p/81179#M7225 <HTML><HEAD></HEAD><BODY><P>Excellent, thanks for the info, now managed to get this working as I wanted it.</P><P>So if I have a bunch of admins I want to assign level 15 access, I can just add them into a appropriately configured user group on the AAA server, yes?</P></BODY></HTML> Mon, 11 Nov 2002 16:50:26 GMT https://community.cisco.com/t5/network-access-control/tacacs-telnet-login-authentication-local-enable-passwords/m-p/81179#M7225 aecarlin 2002-11-11T16:50:26Z https://community.cisco.com/t5/network-access-control/tacacs-telnet-login-authentication-local-enable-passwords/m-p/81180#M7227 <HTML><HEAD></HEAD><BODY><P>You got it, just assign priv 15 to the group.</P></BODY></HTML> Tue, 12 Nov 2002 00:49:10 GMT https://community.cisco.com/t5/network-access-control/tacacs-telnet-login-authentication-local-enable-passwords/m-p/81180#M7227 4brown 2002-11-12T00:49:10Z