01-26-2017 11:22 AM - edited 03-11-2019 12:24 AM
Hi,
I am using ACS 5.8 version.
1. I can log in to the IOS device using a TACACS local account and local privilege password, but I have to enter the "enable" command to get the vty prompt. -> How can I directly go to global config mode?
2. I have an AD setup too, and it is behaving the same way. I can log in to exec mode, but I can't log in to the device in global config mode.
Cisco Secure ACS: Policy Elements > ... > Authorization and Permissions > Device Administration > Shell Profiles > Edit: "PRIV_15" => value=15
01-26-2017 03:50 PM
A couple of questions:
1. Can you post your "aaa" related configurations?
2. What type of device is this for? IOS, ASA, NX-OS?
Thank you for rating helpful posts!
01-26-2017 03:56 PM
aaa group server tacacs+ <grp name>
server <serverip>
!
aaa authentication login default group <grp name> local
aaa authentication login console enable
aaa authentication enable default group <grp name> enable
aaa accounting exec default start-stop group tacacs+ group <grp name>
aaa accounting network default start-stop group tacacs+ group <grp name>
aaa authorization exec default group <grp name> none
aaa authorization commands 1 default group <grp name> none
aaa authorization commands 15 default group <grp name> none
> IOS device
> I directly want to log in to global config mode (using both local and AD accounts).
Thanks
01-26-2017 05:06 PM
Remove the "aaa authentication enable" and that should take care of the problem for you. After you remove this command the privilege defined in the TACACS+ server will be used. The user should be dropped immediately into the "#" mode since you are pushing Privilege Level 15.
Thank you for rating helpful posts!
01-27-2017 06:33 AM
That didn't resolve my issue.
I also have another TACACS (in a different environment) which is working as I wanted (no vty password required) with these commands.
I think I have misconfigured something in ACS!! (Again, my priv is set to 15.)
Thank you.
01-31-2017 03:29 PM
I had Max Privilege Level set to 15, but I changed Assigned Privilege Level to 0. I set both to 15, and it is working now. But initially I had both set to 15, and it didn't work. I changed so many other settings to make it work, so I don't know which exact combination made it work.
But, you need both (Assigned and Max Priv.) levels set to 15.
Thank you Neno for looking into it.
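As an added example (not code from this thread), a small Python check that applies the points raised above to the posted "aaa" config: the device must request exec authorization from the server for priv-lvl to be delivered, the "aaa authentication enable" line causes the enable-password prompt, and both shell-profile privilege fields must be 15. The group name, server IP and the shell-profile key names are constructed assumptions.

```python
import re

# Constructed sample config: the "aaa" lines posted in this thread with the
# <grp name> / <serverip> placeholders filled in with made-up values.
SAMPLE_CONFIG = """\
aaa group server tacacs+ ACS-GRP
 server 192.0.2.10
!
aaa authentication login default group ACS-GRP local
aaa authentication login console enable
aaa authentication enable default group ACS-GRP enable
aaa accounting exec default start-stop group tacacs+ group ACS-GRP
aaa authorization exec default group ACS-GRP none
aaa authorization commands 1 default group ACS-GRP none
aaa authorization commands 15 default group ACS-GRP none
"""

# Constructed model of the ACS shell-profile fields discussed in the thread
# (assumed key names, not ACS's own).
PROFILE_OK = {"name": "PRIV_15", "max_priv": 15, "assigned_priv": 15}
PROFILE_ASSIGNED_0 = {"name": "PRIV_15", "max_priv": 15, "assigned_priv": 0}


def audit_priv15_login(config, shell_profile):
    """Return the reasons a TACACS+ user with a priv-15 shell profile would
    still land at the '>' exec prompt instead of '#'.  Empty list = OK."""
    lines = [ln.strip() for ln in config.splitlines()
             if ln.strip().startswith("aaa ")]
    findings = []
    # Without exec authorization against the server the device never
    # receives the priv-lvl attribute at all.
    if not any(re.match(r"aaa authorization exec \S+ group \S+", ln)
               for ln in lines):
        findings.append("missing 'aaa authorization exec ... group': priv-lvl never requested")
    # 'aaa authentication enable' makes the device query the server for an
    # enable password, so the user is prompted for 'enable' even at level 15.
    if any(ln.startswith("aaa authentication enable ") for ln in lines):
        findings.append("'aaa authentication enable' present: enable password will be prompted")
    # Both shell-profile fields must grant 15, as the original poster found.
    if shell_profile.get("assigned_priv", 0) < 15 or shell_profile.get("max_priv", 0) < 15:
        findings.append("shell profile does not assign privilege 15 (assigned and max must both be 15)")
    return findings


def without_enable_auth(config):
    """The fix suggested in the thread: drop the 'aaa authentication enable' line."""
    return "\n".join(ln for ln in config.splitlines()
                     if not ln.strip().startswith("aaa authentication enable "))
```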
01-30-2017 09:46 AM
Is the local AAA/ACS user configured with an "enable password"? With "aaa authentication enable default group <grp name> enable" the Network Access Device is instructed to query the AAA server for the enable password. Thus, the local user must have that defined.
Thank you for rating helpful posts!