Cisco Content Engine - TACACS+ authentication for "enable mode"

sivanden
Level 1

Imagine two locally deployed Cisco CE-565s running ACNS ver 5.2.1.5 (currently no CDMs).

The devices are configured to authenticate users logging in to the box (console) using TACACS+:

username admin password 1 xxxxxxxxxxx
username admin privilege 15
!
tacacs key ****
tacacs retransmit 3
tacacs host 9.x.x.x primary
!
authentication login local enable secondary
authentication login tacacs enable primary
authentication configuration local enable secondary
authentication configuration tacacs enable primary
authentication fail-over server-unreachable

When logging in to the device I can use a username and a password configured on the Cisco ACS server. But when trying to change into enable mode, I'm only allowed to use the password of the locally defined admin user, although the ACS user has privilege level 15 rights.

In the 5.2 documentation I found the following statement:

In TACACS+ there is an "enable password" feature that allows an administrator to define a different enable password per administrative user. If an ACNS administrator logs in to the Content Engine with a normal user account (privilege level of 0) instead of an admin or admin-equivalent user account (privilege level of 15), the administrative user must enter the admin password (shown below) in order to access privileged-level EXEC mode.

This caveat applies even if these ACNS users are using TACACS+ for login authentication.

Basic question for you now is: Does the box work as designed?? Or is there anything I can do to use also TACACS to get into enable mode, otherwise it will be useless...


mindnich
Level 1

The following is the response from a TAC case opened for that problem:

---TAC start---

I have verified the information related to the TACACS implementation within ACNS, and I was able to confirm that the enable command is never expected to contact the authentication server. So what you see is as designed, and a request to change it will need to come as an enhancement request via your Cisco sales/account team.

The note in documentation you pasted is in fact made as a response to bug CSCee03131 where we (TAC) reported this behaviour is not documented.

You can use the TACACS server to supply privilege level 15 to ACNS; in this case the user is logged in in enabled mode directly. For level changes after the user is logged in, only the locally configured password is used.

---TAC end---

So the basic answer is: ACS needs to deliver privilege level 15 directly, removing the need for the user to manually go into enable mode using the enable command.

In addition to that I had another problem with using TACACS for CDM GUI authentication. Answer from TAC is posted here:

---TAC start---

Regarding authentication to the CDM GUI, the user needs to have an administrative role assigned, so it must be known to the CDM upfront.

Password checking occurs at the TACACS+ server. Here I paste some hints from previous cases:

You just need to create the username and assign a role for the username. The underlying authentication is performed via tacacs and this will tie the authorization for the GUI to the tacacs users.

Within the CDM GUI you need to add the tacacs usernames that will administer the CDM and assign them the proper roles.

Configuring CDM GUI for tacacs users

You Are Here: Admin / Users <-- You need to add the TACACS usernames here and assign them the correct roles

You Are Here: Admin / Roles <-- You can use the preconfigured roles or setup custom roles for different users

---TAC end---
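The TAC answer above hinges on the TACACS+ server returning privilege level 15 in its authorization reply, so that the user lands in enabled mode at login rather than running the enable command (which, on ACNS, only ever checks the local admin password). The following is an added example, not part of the post or of any Cisco code, that builds and parses a TACACS+ authorization REPLY as laid out in RFC 8907 (12-byte header, MD5 pseudo-pad body obfuscation, attribute-value pairs such as priv-lvl=15) and then applies the decision rule the TAC response describes. The shared key, session id and attribute values are constructed for the demonstration; the outcome strings and the helper names are this example's own.

```python
import hashlib
import struct

# TACACS+ constants from RFC 8907 (major version 0xc, minor 0 -> 0xc0)
VERSION = (0xC << 4) | 0x0
TYPE_AUTHOR = 0x02           # authorization packet
FLAG_UNENCRYPTED = 0x01      # body sent in the clear (never use in production)
STATUS_PASS_ADD = 0x01
STATUS_PASS_REPL = 0x02
STATUS_FAIL = 0x10
HEADER = "!BBBBII"           # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """Chained MD5 pad: MD5_1 = MD5(session_id|key|version|seq_no),
    MD5_n = MD5(session_id|key|version|seq_no|MD5_n-1)."""
    pad, prev = b"", b""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR with the pseudo-pad; the same call both obfuscates and reveals."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))


def build_author_reply(session_id, key, seq_no, status, args, server_msg=b""):
    """Server-side authorization REPLY carrying attribute-value pairs."""
    encoded = [a.encode() for a in args]
    # status, arg_cnt, server_msg_len, data_len, then one length byte per arg
    body = struct.pack("!BBHH", status, len(encoded), len(server_msg), 0)
    body += bytes(len(a) for a in encoded)
    body += server_msg + b"".join(encoded)
    header = struct.pack(HEADER, VERSION, TYPE_AUTHOR, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION, seq_no)


def parse_author_reply(packet, key):
    """Client-side parse of a REPLY; returns (status, [attribute strings])."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER, packet[:12])
    if ptype != TYPE_AUTHOR:
        raise ValueError("not an authorization packet")
    raw = packet[12:12 + length]
    body = raw if flags & FLAG_UNENCRYPTED else obfuscate(raw, session_id, key, version, seq_no)
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    arg_lens = body[6:6 + arg_cnt]
    pos = 6 + arg_cnt + msg_len + data_len
    args = []
    for n in arg_lens:
        args.append(body[pos:pos + n].decode())
        pos += n
    return status, args


def effective_priv_level(status, args):
    """Privilege level granted by the reply. A failed authorization, or a
    PASS without a mandatory priv-lvl attribute, leaves the user at level 0,
    which the ACNS documentation calls a normal user account."""
    if status not in (STATUS_PASS_ADD, STATUS_PASS_REPL):
        return 0
    for attr in args:
        name, sep, value = attr.partition("=")   # "=" mandatory, "*" optional
        if name == "priv-lvl" and sep == "=":
            return int(value)
    return 0


def login_outcome(priv_level):
    """The rule from the TAC response: only a TACACS+-supplied level 15 avoids
    the local admin enable password on ACNS."""
    if priv_level == 15:
        return "enabled mode directly"
    return "needs local admin enable password"


if __name__ == "__main__":
    KEY = b"constructed-shared-secret"        # constructed, not a real key
    for attrs in (["priv-lvl=15"], ["priv-lvl=1"], []):
        pkt = build_author_reply(0x1234ABCD, KEY, 2, STATUS_PASS_ADD, attrs)
        status, args = parse_author_reply(pkt, KEY)
        print(attrs, "->", login_outcome(effective_priv_level(status, args)))
```

The body obfuscation is only a keyed MD5 stream XOR, which is why RFC 8907 recommends running TACACS+ over a protected path; the key here is a constructed value. Monitoring the authorization replies your server emits (status and priv-lvl) is the quickest way to confirm whether the server, rather than the box, is the reason an ACNS user keeps being asked for the local enable password.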
