12-30-2002 04:37 AM - edited 02-21-2020 10:05 AM
Hi,
I have a strange effect with authenticating enable access. I have entered the following commands:
aaa-server TACACS+ (inside) host 172.16.1.10 geheim timeout 5
aaa authentication serial console TACACS+
aaa authentication enable console TACACS+
When I access the PIX console, I have to enter a username (user) and a password (password). The TACACS-Server database includes a username user with password password.
The login is successful and I have access to user mode (Firewall>).
Entering <enable>, the PIX prompts for a password and not a username (first strange thing). I do not know which password to use; the locally configured enable password doesn't work.
Entering the password password, authentication fails as well. The Failed Attempts File of my TACACS-Server lists:
username -->user
Authentication Failure Code --> T+ enable password invalid
I don't know what's going on. Any idea?
Thanks
Edgar
12-31-2002 08:25 AM
Hi Edgar,
There should be two different passwords on the AAA server. Most likely you are using the Cisco Secure AAA server for Windows, and you need to specify the User's Enable password in the user profile. The other option is that you can set the user's profile to use the same passwords for both exec and enable privileges.
The PIX caches the username when you authenticate initially, therefore, you do not need to enter the username again when you attempt to go into enable mode.
I hope this helps,
David.
01-01-2003 09:29 AM
Hi David,
This sounds good, because I have to use a user enab_15 for Cisco IOS as well. Therefore, your inputs might show me the right way.
Nevertheless, I do not know where I can specify the user's enable password in the user profile. I am using Cisco ACS for Windows.
Thanks in advance
Edgar