
ACS - privilege login for AD account fails


I am using ACS 5.8 version.

1. I can log in to the IOS device using the TACACS local account and local privilege password, but I have to enter the "enable" command to get the privileged prompt. -> How can I directly go to global config mode?

2. I have AD set up too, and it is behaving the same way. I can log in to exec mode, but I can't log in to the device in global config mode.

Cisco Secure ACS

Policy Elements ... >  Authorization and Permissions  >  Device Administration >  Shell Profiles >  Edit: "PRIV_15" => value=15

Cisco Employee

A couple of questions:

1. Can you post your "aaa" related configuration?

2. What type of device is this for? IOS, ASA, NX-OS?

Thank you for rating helpful posts!

aaa group server tacacs+ <grp name>
server <serverip>
aaa authentication login default group <grp name> local
aaa authentication login console enable
aaa authentication enable default group <grp name> enable

aaa accounting exec default start-stop group tacacs+ group <grp name>
aaa accounting network default start-stop group tacacs+ group <grp name>

aaa authorization exec default group <grp name> none
aaa authorization commands 1 default group <grp name> none
aaa authorization commands 15 default group <grp name> none

> IOS device

> I directly want to log in in global config mode (using both local and AD accounts).


Remove the "aaa authentication enable" and that should take care of the problem for you. After you remove this command the privilege defined in the TACACS+ server will be used. The user should be dropped immediately in the "#" mode since you are pushing Privilege Level 15.

Thank you for rating helpful posts!
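An added audit script (written for this page, not code from the thread or from Cisco) that reads the AAA lines posted above, with TACGRP and 192.0.2.10 as constructed stand-ins for <grp name> and <serverip>. It extracts each method list and reports whether exec authorization goes to TACACS+ at all (without it the shell profile's priv-lvl 15 is never applied), whether "aaa authentication enable" is still present, and which lists fall open to "none" when the servers are unreachable.

```python
import re

# Constructed copy of the AAA lines posted above. TACGRP stands in for the
# poster's "<grp name>" placeholder so that each line tokenises cleanly.
SAMPLE_AAA_CONFIG = """\
aaa group server tacacs+ TACGRP
 server 192.0.2.10
aaa authentication login default group TACGRP local
aaa authentication login console enable
aaa authentication enable default group TACGRP enable
aaa accounting exec default start-stop group tacacs+ group TACGRP
aaa accounting network default start-stop group tacacs+ group TACGRP
aaa authorization exec default group TACGRP none
aaa authorization commands 1 default group TACGRP none
aaa authorization commands 15 default group TACGRP none
"""

# Only authentication/authorization lists matter for the privilege-level question.
LINE_RE = re.compile(
    r"^aaa (authentication|authorization) (login|enable|exec|commands \d+) (\S+) (.+)$"
)

def parse_method_lists(config):
    """Map (service, type, list_name) -> ordered methods, e.g. ['group TACGRP', 'none']."""
    lists = {}
    for raw in config.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        service, kind, name, rest = m.groups()
        tokens, methods, i = rest.split(), [], 0
        while i < len(tokens):
            if tokens[i] == "group":            # 'group <name>' is one method
                methods.append("group " + tokens[i + 1])
                i += 2
            else:
                methods.append(tokens[i])
                i += 1
        lists[(service, kind, name)] = methods
    return lists

def audit_aaa(config):
    """Return findings relevant to the privilege-level problem in the thread."""
    lists = parse_method_lists(config)
    findings = []
    exec_methods = lists.get(("authorization", "exec", "default"), [])
    if not any(m.startswith("group") for m in exec_methods):
        findings.append("no TACACS+ exec authorization: server priv-lvl is never applied")
    if ("authentication", "enable", "default") in lists:
        findings.append("aaa authentication enable present: enable password checked via TACACS+")
    for (service, kind, name), methods in lists.items():
        if len(methods) > 1 and methods[-1] == "none":   # fail-open fallback
            findings.append(f"{service} {kind} {name}: falls open to 'none' if servers are unreachable")
    return findings
```

On the posted configuration the exec authorization list is already present, so the script reports only the enable line and the three lists that end in "none"; the latter is the setting a reviewer would want replaced with a local fallback.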

That didn't resolve my issue.

I also have another TACACS (in a different environment) which is working as I wanted (no vty password required) with these commands.

I think I have misconfigured something in ACS!! (Again, my priv is set to 15.)

Thank you.