
AAA Authorization EXEC Default

Hello,

Is my understanding correct that second command means that all the time when I log in on the device via SSH - it will immediately place me into Privilege\Enable mode without asking Enable password?
Would it be the same if I log in via Console?
1) aaa authentication login default group TACACS-GROUP local
2) aaa authorization exec default group TACACS-GROUP if-authenticated

Accepted Solutions

I think NO.
You need aaa authentication enable default group .....LOCAL

The
aaa authorization exec default group TACACS-GROUP if-authenticated <<- allows you to enter the enable command,
then the SW/R asks for a password, which you need to configure locally or via AAA.

Thanks Everyone for your time Guys.

Thanks MHM - my second question was whether the switch\router will require me to enter TACACS credentials if I log in via console - and I found the answer, which is Yes.

Thanks.

ammahend
VIP

"Is my understanding correct that second command means that all the time when I log in on the device via SSH - it will immediately place me into Privilege\Enable mode without asking Enable password?" see below.

https://community.cisco.com/t5/network-access-control/if-authenticated/td-p/1248124

"Would it be the same if I log in via Console? "

provided you configured console line login authentication default

-hope this helps-

Hi - Thanks for the response.
There is no need for any additional command in regards to Console.
When I login via Console - it already asks for TACACS's User's Credentials.

Correct. If you are using a TACACS server, you can use your auth profile in the policy set to either restrict commands or grant priv 15.

If this post answers your question or is helpful, please consider rating it and/or marking as answered.

Thanks Chris,

When you say "you can use your auth profile in the policy set", do you refer to some TACACS Server configuration?
I've never configured TACACS Server so I presume you refer to it.

Yes, my assumption was that you were using a TACACS server.  If you aren't, just make sure your default group is local instead of TACACS-GROUP.  

If this post answers your question or is helpful, please consider rating it and/or marking as answered.
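
Added example (not part of the thread and not Cisco code): a small Python model of how the two method lists quoted in the question are walked, showing that if-authenticated is only reached when TACACS-GROUP gives no answer. The function names and the `answers` input are assumptions made for illustration.

```python
import re

# Constructed sample: the two method lists quoted in the question.
QUESTION_CONFIG = """\
aaa authentication login default group TACACS-GROUP local
aaa authorization exec default group  TACACS-GROUP if-authenticated
"""

AAA_LINE = re.compile(
    r"^aaa\s+(authentication|authorization)\s+(login|enable|exec)\s+(\S+)\s+(.+)$")

def parse_aaa(config):
    """Map (function, service, list name) -> ordered list of methods."""
    lists = {}
    for line in config.splitlines():
        m = AAA_LINE.match(line.strip())
        if not m:
            continue
        function, service, name, rest = m.groups()
        methods, tokens = [], iter(rest.split())
        for tok in tokens:
            # "group NAME" is a single method; other keywords stand alone.
            methods.append(f"group {next(tokens, '?')}" if tok == "group" else tok)
        lists[(function, service, name)] = methods
    return lists

def evaluate(methods, answers):
    """Walk a method list: a "pass" or "fail" answer is final, and the next
    method is tried only when the current one gives no answer ("error").
    answers (hypothetical input) maps method -> "pass" | "fail" | "error"."""
    for method in methods:
        if method in ("if-authenticated", "none"):
            # "none" always succeeds; "if-authenticated" succeeds because the
            # user has already passed login authentication at this point.
            return method, "pass"
        answer = answers.get(method, "error")
        if answer != "error":
            return method, answer
    return None, "fail"  # no method answered, so the request is denied

def exec_authorization(config, tacacs):
    """Which method decides EXEC authorization on the default list when
    TACACS-GROUP answers "pass", "fail", or is unreachable ("error")."""
    methods = parse_aaa(config)[("authorization", "exec", "default")]
    return evaluate(methods, {"group TACACS-GROUP": tacacs})

if __name__ == "__main__":
    for state in ("pass", "fail", "error"):
        print(state, "->", exec_authorization(QUESTION_CONFIG, state))
```

With TACACS-GROUP unreachable, the deciding method becomes if-authenticated and the result is a pass. The parsed config also contains no aaa authentication enable list, which is the gap the accepted solution points at.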