07-11-2004 11:52 PM - edited 03-10-2019 07:54 AM
Hi,
I am trying to set up one-time enable authentication using Safeword version 3.1.1 and Cisco Secure ACS v. 3.2.
So far I have configured the unknown user database to use the safeword server as an authentication database. Within ACS I have mapped a group to the safeword server and ticked shell(exec) as well as the privilege level which I have set to 15.
On the router I point aaa authentication to the tacacs+ server.
I can connect to the router using my token and get correctly assigned to the group I have pointed at the safeword server. I am, however, presented with the user (>) prompt rather than the exec (#) prompt. Does anyone have any advice as to what I am doing wrong?
Regards
Lisbeth
07-12-2004 04:52 AM
I think you may not properly understand what setting the privilege level in ACS does. It sounds like you expect that if you set the level to 15 that when a user logs in they will automatically be at level 15 (functionally the equivalent of setting the privilege level with the user <...> privilege 15 command on the router). What setting the level in ACS does is to indicate the highest level that the user can authenticate to.
Have you tested by logging in to the router, getting into user mode (and associated with the proper group in ACS) and then entering the enable command? I believe you may find that it prompts for a password and authenticates you to enable privilege level.
HTH
Rick
07-12-2004 05:27 AM
Hi Rick,
Thanks for taking a look. What I am trying to do is to get the ACS to pass on authentication requests to the Safeword server and, upon success, have the authenticated user go directly to the exec prompt.
What is happening at the moment is, as you point out, that I have to execute the enable command and log in using a static enable password configured on the router. I am trying to do away with the static password (except of course in times of network problems) and replace it with a one time password using the Safeword token server.
Regards
Lisbeth
07-12-2004 08:26 AM
Lisbeth
Do I understand correctly that you are authenticating correctly for user mode using ACS and the Safeword but not authenticating for enable mode? If so it would be helpful if you could post all of the aaa part of your config.
HTH
Rick
07-12-2004 04:46 PM
Hi Rick,
I am not sure if you do. I can authenticate to the router using my token. That gets me to the > prompt. I then have to type in "enable" and enter the static password for that. That gets me to the # prompt.
What I want to do is bypass step one and, using the token authentication, get directly to the # prompt. My aaa config is simple:
aaa authentication login default group tacacs+ enable
as I want tacacs+ to supply authorization functionality.
As I said I have configured the unknown user database to pass authentication requests to our Safeword server.
Lisbeth
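The config quoted above only covers login authentication; the privilege level that ACS sends in the shell (exec) attributes is applied by the router only when exec authorization is also enabled. The following is an added example of a minimal IOS AAA configuration for that purpose; it is not from the thread or from Cisco documentation, and the server address, key and the local fallback account are assumptions for illustration.

```ios
! Added example: assumed TACACS+ server and shared key (placeholders)
tacacs-server host 192.0.2.10
tacacs-server key REPLACE_WITH_SHARED_KEY

! Assumed local fallback account so the box stays reachable if the
! TACACS+ server is down; the local password is still a static secret.
username fallback privilege 15 secret REPLACE_WITH_LOCAL_SECRET

aaa new-model
! Login authentication: TACACS+ first (ACS forwards to the token server),
! local database only if no TACACS+ server answers.
aaa authentication login default group tacacs+ local
! Exec authorization is what makes the router honour the privilege level
! (priv-lvl=15) that ACS returns for the group, so the session starts at #.
aaa authorization exec default group tacacs+ local
! Optional: have the enable command itself checked against TACACS+ rather
! than the static enable password when a user does land at the > prompt.
aaa authentication enable default group tacacs+ enable

line vty 0 4
 ! The default method lists apply here; no per-line login command needed.
 transport input ssh
```

With exec authorization in place, a user whose ACS group has shell (exec) ticked with privilege level 15 is dropped straight at the # prompt after the token login; a user whose group returns no shell attributes, or a lower level, keeps the > prompt. The `local` fallback in the authorization list is only consulted when every TACACS+ server is unreachable, so it does not bypass ACS during normal operation, and the locally defined account should be treated as an emergency credential.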