06-17-2008 01:26 AM - edited 03-10-2019 03:54 PM
Here is the problem I am experiencing and I hope someone out there is able to help:
I have an ASA5510 (running software Version 8.0(3)). I have enabled remote authentication to our company's TACACS server (which is running the open-source TACACS+ server supplied by Cisco).
The problem is as follows:
I can telnet to the appliance remotely and, using my username and password (configured on the TACACS server), I am authenticated. But after entering enable I am prompted with the password prompt, and I cannot get past this prompt. I have tried the same password I previously entered at the telnet prompt and it failed; the local enable password fails as well. Any suggestions?
aaa-server (server_name) protocol tacacs+
aaa-server (server_name) (interlinkport) host (Address)
key (password)
aaa authentication enable console (server_name) LOCAL
aaa authentication http console (server_name) LOCAL
aaa authentication serial console (server_name) LOCAL
aaa authentication ssh console (server_name) LOCAL
aaa authentication telnet console (server_name) LOCAL
aaa accounting command privilege 15 (server_name)
aaa authorization exec authentication-server
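Added example, not from the original post: a Python check over an ASA-style AAA configuration that verifies each console access method names a defined aaa-server group with at least one host and keeps the LOCAL fallback. The sample configuration is constructed from the lines above; the group name TAC, the interface, the address and the shared secret are invented, and the ssh line deliberately omits LOCAL so the check has something to report. What the check models: the ASA falls back to the local database only when the TACACS+ server cannot be reached. A password that the server rejects is not a fallback condition, which is why the local enable password did not help in the case above.

```python
import re

# Constructed sample modelled on the thread's ASA 8.0(3) snippet; the server
# group name, interface, address and key are placeholders invented here.
SAMPLE_CONFIG = """\
aaa-server TAC protocol tacacs+
aaa-server TAC (inside) host 192.0.2.10
 key example-shared-secret
aaa authentication enable console TAC LOCAL
aaa authentication http console TAC LOCAL
aaa authentication serial console TAC LOCAL
aaa authentication ssh console TAC
aaa authentication telnet console TAC LOCAL
aaa accounting command privilege 15 TAC
aaa authorization exec authentication-server
"""

GROUP_RE = re.compile(r"^aaa-server (\S+) protocol (\S+)\s*$")
HOST_RE = re.compile(r"^aaa-server (\S+) \((\S+)\) host (\S+)\s*$")
AUTH_RE = re.compile(r"^aaa authentication (\S+) console (\S+)(?: (LOCAL))?\s*$")


def parse_aaa(config):
    """Return (groups, methods): server groups with their hosts, and each
    console access method mapped to (server group, has LOCAL fallback)."""
    groups = {}
    methods = {}
    for raw in config.splitlines():
        line = raw.strip()
        m = GROUP_RE.match(line)
        if m:
            groups.setdefault(m.group(1), {"protocol": None, "hosts": []})
            groups[m.group(1)]["protocol"] = m.group(2)
            continue
        m = HOST_RE.match(line)
        if m:
            groups.setdefault(m.group(1), {"protocol": None, "hosts": []})
            groups[m.group(1)]["hosts"].append(m.group(3))
            continue
        m = AUTH_RE.match(line)
        if m:
            methods[m.group(1)] = (m.group(2), m.group(3) == "LOCAL")
    return groups, methods


def audit(config):
    """List access methods that point at an undefined or empty server group,
    or that would lock the administrator out when the server is unreachable."""
    groups, methods = parse_aaa(config)
    findings = []
    for method, (group, fallback) in sorted(methods.items()):
        if group == "LOCAL":
            continue  # local database only; nothing remote to lose
        if group not in groups:
            findings.append(f"{method}: server group '{group}' is not defined")
        elif not groups[group]["hosts"]:
            findings.append(f"{method}: server group '{group}' has no host")
        if not fallback:
            findings.append(f"{method}: no LOCAL fallback; unreachable {group} locks out {method} access")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against a real `show running-config` export, the check is a quick way to confirm that a TACACS+ outage cannot lock every management path at once.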
06-25-2008 01:50 AM
Problem has been rectified; it was the setting in our TACACS server.
06-25-2008 05:37 AM
OK, it's great to know you have it working now.
Regards
Farrukh
08-09-2008 08:27 PM
Hi,
I also have the same issues as you've described, i.e. when logging into a PIX I can authenticate against tac_plus during first-level SSH or telnet authentication, but it won't authenticate with the same user's password when attempting to enter enable mode. Michael mentioned above that ACS uses the Max Privilege attributes to achieve what we want, so I'm assuming that some related configuration is required in tac_plus.
It would be great if you can share the tacacs server config setting you used to get it working.
Thanks,
Matt
08-09-2008 09:29 PM
You don't need to set the "Max Privilege for any AAA Client", but actually need to set the "Privilege Level" = 15. If you want you can set both to 15. The first option kicks in when you use 'aaa authentication enable....' and the second one when you use 'aaa authorization exec....'.
Regards
Farrukh
08-10-2008 03:39 AM
Thanks Farrukh,
I'm familiar with those settings in ACS; however, as the company I now work for uses the freeware tac_plus, I need to know the corresponding commands in tac_plus. Steve Tancred (stancred) mentioned above that he now has a solution, so I would be interested in his tac_plus config if available. Specifically I'm after the enable-related commands.
Regards,
Matt
08-10-2008 05:27 AM
This will work:
# where tac_plus writes its accounting records
accounting file = /var/log/tac_plus.log
# shared secret; must match the key on the ASA's aaa-server host entry
key = zFgGkIooIsZ.Q
# account used at the telnet/ssh login prompt
user = cciesec {
member = admin
name = "ccie security"
login = cleartext "cciesec"
}
# second account with its own password
user = $cciesec$ {
member = admin
name = "ccie security"
login = cleartext "cciesec1"
}
# group shared by both accounts; permits every service by default
group = admin {
default service = permit
}
03-13-2014 08:43 PM
Hi,
I'm using tac_plus... I also have this kind of problem.
Below is the group = networkadmin which I've configured.
Is there anything I need to add here in tac_plus.conf?
group = networkadmin {
# group members who don't have their own login password will be
# looked up in /etc/passwd
#login = file /etc/passwd
default service = permit
login = PAM
# group members who have no expiry date set will use this one
#expires = "Jan 1 1997"
# only allow access to specific routers
acl = default
# Needed for the router to make commands available to the user (subject
# to authorization if so configured on the router)
service = exec {
priv-lvl = 15
#default service = permit
}
cmd = exit {
permit .*
}
}
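Added example, not from any poster and not part of tac_plus itself: a small Python parser for the tac_plus.conf stanza style shown in the two configs above. It resolves each user's effective login method, exec privilege level and whether a `default service = permit` grants every command, following `member =` links from user to group, so the two settings that matter for the enable question (the priv-lvl from `service = exec` and the authorization default) can be audited across a whole file rather than read by eye. The sample configuration is constructed from the snippets in this thread; the shared secret and the user alice are invented.

```python
import re

# Constructed sample assembled from the thread's snippets; the key and the
# user "alice" are invented for this example.
SAMPLE_CONF = """\
accounting file = /var/log/tac_plus.log
key = example-shared-secret

user = cciesec {
    member = admin
    name = "ccie security"
    login = cleartext "cciesec"
}
user = alice {
    member = networkadmin
}
group = admin {
    default service = permit
}
group = networkadmin {
    # members without a login of their own use PAM
    default service = permit
    login = PAM
    acl = default
    service = exec {
        priv-lvl = 15
    }
    cmd = exit {
        permit .*
    }
}
"""

BLOCK_RE = re.compile(r"^([\w-]+)\s*=\s*(\S+)\s*\{$")          # user = x {
ATTR_RE = re.compile(r"^([\w-]+(?: [\w-]+)*)\s*=\s*(.+?)\s*$")  # key = value


def parse_tac_plus(text):
    """Parse brace-nested tac_plus.conf text into a tree of
    {"attrs": {...}, "blocks": {(kind, name): subtree}, "lines": [...]}."""
    root = {"attrs": {}, "blocks": {}, "lines": []}
    stack = [root]
    for raw in text.splitlines():
        # '#' starts a comment; this simple split does not handle '#' inside quotes
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        m = BLOCK_RE.match(line)
        if m:
            child = {"attrs": {}, "blocks": {}, "lines": []}
            stack[-1]["blocks"][(m.group(1), m.group(2))] = child
            stack.append(child)
            continue
        m = ATTR_RE.match(line)
        if m:
            stack[-1]["attrs"][m.group(1)] = m.group(2)
        else:
            stack[-1]["lines"].append(line)  # e.g. "permit .*" inside cmd = exit
    if len(stack) != 1:
        raise ValueError("unclosed '{'")
    return root


def _group_chain(root, name):
    """Yield (name, block) for group `name` and each ancestor reached via member=."""
    seen = set()
    while name and name not in seen:
        grp = root["blocks"].get(("group", name))
        if grp is None:
            return
        seen.add(name)
        yield name, grp
        name = grp["attrs"].get("member")


def _exec_priv(block):
    svc = block["blocks"].get(("service", "exec"))
    return svc["attrs"].get("priv-lvl") if svc else None


def audit_users(root):
    """Per user: effective login method, exec priv-lvl and whether every
    command is permitted by a 'default service = permit' on the user or a group."""
    report = {}
    for (kind, name), blk in root["blocks"].items():
        if kind != "user":
            continue
        login = blk["attrs"].get("login")
        priv = _exec_priv(blk)
        permit_all = blk["attrs"].get("default service") == "permit"
        for _gname, grp in _group_chain(root, blk["attrs"].get("member")):
            login = login or grp["attrs"].get("login")          # user setting wins
            priv = priv if priv is not None else _exec_priv(grp)
            permit_all = permit_all or grp["attrs"].get("default service") == "permit"
        report[name] = {
            "login": login,
            "cleartext": bool(login) and login.startswith("cleartext"),
            "priv_lvl": int(priv) if priv is not None else None,
            "all_commands_permitted": permit_all,
        }
    return report


if __name__ == "__main__":
    for user, info in audit_users(parse_tac_plus(SAMPLE_CONF)).items():
        print(user, info)
```

In the sample, cciesec inherits `default service = permit` from admin but no exec priv-lvl, while alice gets PAM login, priv-lvl 15 and the same blanket permit from networkadmin; the `cleartext` flag makes it easy to spot passwords stored unhashed in the file.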