cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
493
Views
5
Helpful
1
Replies

Cisco ACS 'enable' Authorization Requests AD Password

Mike Hendriks1
Beginner
Beginner

Hi Everyone,

 

 

We have a subset of our infrastructure that uses shell profiles and command sets with ACS 5.x to authorize CLI users for different roles.  The way it works is that the user logs in with their AD credentials, and then when they type 'enable' they enter their AD password again to gain access to the privileged exec.

 

I'm attempting to assist another coworker to set this up for a different set of infrastructure, but I cannot for the life of me find the setting in ACS that forces it to work this way.  Our IOS configuration is as follows:

 

aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization config-commands
aaa accounting commands 15 default start-stop group tacacs+

 

Can anyone assist?  Is it just the "aaa authorization commands <number> default group..." commands that configure it to work this way, or is there a setting in ACS itself?

 

Thanks in advance,

1 Accepted Solution

Accepted Solutions

Francesco Molino
VIP Mentor VIP Mentor
VIP Mentor
Hi

Your question is to know which forces you to type in your enable password?
The line aaa authentication enable says it will ask enable pwd to tacacs and fallback to local enable pwd. Th line aaa authorization exec would push the user into privilege mode (if receives privilege 15) if you add the keyword if-authenticated.

The command you pointed out is to validate each commands you'll type in through tacacs server.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

1 Reply 1

Francesco Molino
VIP Mentor VIP Mentor
VIP Mentor
Hi

Your question is to know which forces you to type in your enable password?
The line aaa authentication enable says it will ask enable pwd to tacacs and fallback to local enable pwd. Th line aaa authorization exec would push the user into privilege mode (if receives privilege 15) if you add the keyword if-authenticated.

The command you pointed out is to validate each commands you'll type in through tacacs server.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: