ACS - privilege login for AD account fails

Hi,

I am using ACS 5.8 version.

1. I can login to the IOS device using a TACACS local account and the local privilege password, but I have to enter the "enable" command to get the vty prompt. -> How can I directly go to global config mode?

2. I have an AD setup too, and it is behaving the same way. I can login to exec mode, but I can't login to the device in global config mode.

Cisco Secure ACS

Policy Elements ... >  Authorization and Permissions  >  Device Administration >  Shell Profiles >  Edit: "PRIV_15" => value=15

nspasov
Cisco Employee

A couple of questions:

1. Can you post your "aaa" related configurations

2. What type of device is this for? IOS, ASA, NX-OS?

Thank you for rating helpful posts!

! TACACS+ server group used by every method list below
aaa group server tacacs+ <grp name>
server <serverip>
!
! Login authentication: TACACS+ first, local users as fallback; console uses the enable password
aaa authentication login default group <grp name> local
aaa authentication login console enable
! The "enable" command itself is authenticated against TACACS+, then the local enable password
aaa authentication enable default group <grp name> enable
!
! Accounting records for EXEC sessions and network services
aaa accounting exec default start-stop group tacacs+ group <grp name>
aaa accounting network default start-stop group tacacs+ group <grp name>
!
! EXEC and command authorization via TACACS+; "none" means no authorization if no server answers
aaa authorization exec default group <grp name> none
aaa authorization commands 1 default group <grp name> none
aaa authorization commands 15 default group <grp name> none

> IOS device

> I directly want to login in global config mode (using both local and AD accounts).

Thanks

Remove the "aaa authentication enable" and that should take care of the problem for you. After you remove this command the privilege defined in the TACACS+ server will be used. The user should be dropped immediately in the "#" mode since you are pushing Privilege Level 15. 

Thank you for rating helpful posts!

That didn't resolve my issue.

I also have another TACACS (in a different environment) which is working as I wanted (no vty password required) with these commands.

I think I have misconfigured something in ACS!! (again, my priv is set to 15.)

Thank you.

I had Max Privilege Level set to 15, but I had changed Assigned Privilege Level to 0. I set both to 15, and it is working now. But initially I had both set to 15, and it didn't work. I changed so many other settings to make it work, so I don't know which exact combination makes it work.

But, you need both (Assigned and Max Pri.) levels set to 15.

Thank you Neno for looking into this.
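The two things this thread turns on are the IOS AAA method lists posted above and the ACS shell profile's Assigned/Maximum privilege levels. The following script is an added example (not code from the thread, from Cisco ACS, or from IOS): it lints a running-config excerpt and a shell-profile record for the conditions discussed here, so the same check can be run against exported configs before users report landing at the ">" prompt. The sample config is constructed (the poster's config with the placeholders filled in as ACS-GRP and 192.0.2.10), and the ShellProfile class and all finding texts are this example's own.

```python
"""Lint an IOS AAA config and an ACS shell profile for the privilege-15 login issue.

Added example, not code from the thread or from Cisco. SAMPLE_CONFIG is a
constructed copy of the poster's method lists with placeholders filled in.
"""
import re
from dataclasses import dataclass

# Constructed sample: the thread's config with <grp name> = ACS-GRP, <serverip> = 192.0.2.10
SAMPLE_CONFIG = """\
aaa new-model
aaa group server tacacs+ ACS-GRP
 server 192.0.2.10
!
aaa authentication login default group ACS-GRP local
aaa authentication login console enable
aaa authentication enable default group ACS-GRP enable
aaa authorization exec default group ACS-GRP none
aaa authorization commands 1 default group ACS-GRP none
aaa authorization commands 15 default group ACS-GRP none
"""


@dataclass
class ShellProfile:
    """Hypothetical record of an ACS 5.x shell profile (Device Administration > Shell Profiles)."""
    name: str
    max_privilege: int
    assigned_privilege: int


def lint_aaa(config: str) -> list[str]:
    """Return findings for the IOS-side conditions that decide where a TACACS+ user lands."""
    lines = [ln.strip() for ln in config.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("!")]
    findings: list[str] = []

    # Without EXEC authorization the priv-lvl attribute from TACACS+ is never applied,
    # so every user lands at user EXEC ('>') no matter what the shell profile says.
    if not any(ln.startswith("aaa authorization exec ") for ln in lines):
        findings.append(
            "missing 'aaa authorization exec': the priv-lvl returned by TACACS+ is never "
            "applied, so users land at '>' regardless of the shell profile"
        )

    for ln in lines:
        # 'none' as the final method skips authorization entirely when no server answers.
        if re.fullmatch(r"aaa authorization (exec|commands \d+) \S+ .*\bnone", ln):
            findings.append(
                f"'{ln}': 'none' as the last method skips authorization when no TACACS+ "
                "server answers; 'if-authenticated' or 'local' fails safer"
            )
        # Enable authentication is only exercised by users who arrive below privilege 15.
        if ln.startswith("aaa authentication enable "):
            findings.append(
                f"'{ln}': the device asks TACACS+ for the enable password (falling back to "
                "the local enable password); only reached by users who land below level 15"
            )
    return findings


def lint_shell_profile(p: ShellProfile) -> list[str]:
    """Return findings for the ACS-side setting the thread resolved on."""
    findings: list[str] = []
    if p.assigned_privilege > p.max_privilege:
        findings.append(
            f"{p.name}: Assigned Privilege Level {p.assigned_privilege} exceeds "
            f"Maximum {p.max_privilege}; the assigned level cannot be honoured"
        )
    elif p.max_privilege >= 15 and p.assigned_privilege < 15:
        # This is the state the poster was in: Max 15, Assigned 0 -> login at '>' plus 'enable'.
        findings.append(
            f"{p.name}: Assigned Privilege Level {p.assigned_privilege} puts the user at "
            "'>' on login; set both Assigned and Maximum to 15 for direct '#' access"
        )
    return findings


if __name__ == "__main__":
    for f in lint_aaa(SAMPLE_CONFIG):
        print("IOS :", f)
    for f in lint_shell_profile(ShellProfile("PRIV_15", max_privilege=15, assigned_privilege=0)):
        print("ACS :", f)
```

Run it as-is to see the three IOS findings for the posted config plus the shell-profile finding that matches the poster's eventual fix; point lint_aaa at a saved "show running-config | section aaa" to check other devices.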

Is the local AAA/ACS user configured with "enable password" ? With the "aaa authentication enable default group <grp name> enable" the Network Access Device is instructed to query the AAA for the enable password. Thus, the local user must have that defined.

Thank you for rating helpful posts!
