01-01-2003 02:16 PM - edited 03-10-2019 07:05 AM
I'm trying to config a 12.0(5.1)XP 2900XL IOS switch to automatically go into enable mode once authenticated, without having to enter "enable." I'm running ACS3.1. Here is the AAA config:
aaa new-model
aaa authentication login default group tacacs+ local-case
aaa authentication login LOCAL local-case none
aaa authentication enable default group tacacs+ enable
aaa authorization exec default if-authenticated group tacacs+
aaa authorization commands 0 default local group tacacs+ if-authenticated
aaa authorization commands 15 default local group tacacs+ if-authenticated
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
aaa accounting exec LOCAL start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 0 LOCAL start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting commands 15 LOCAL start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
01-02-2003 05:50 AM
If you assign privilege level 15 to the user or group, EXEC authorization takes care of this with the service=shell, set-priv-lvl=15 Attribute Value Pair.
You have aaa authorization exec configured correctly, assign priv 15 and see if it works. If you do have it assigned and it is not working, let us know, there are some other issues that may be causing this....
01-02-2003 08:22 PM
I set the Service=shell and Privilege Level=15 on both the users and group levels areas of the ACS, and neither did the trick.
01-02-2003 09:31 PM
I forgot to mention that I'm using ACS for Windows.
01-03-2003 02:59 AM
Does it work on vty (telnet) sessions and not the console? If so, try:
aaa authorization console
01-04-2003 02:58 PM
It doesn't work on vty connections. Before I added the ACS server, it was working on vty connections using local username and password authentication with the following AAA config.
hostname s1-carson
!
aaa new-model
aaa authentication password-prompt Password:
aaa authentication username-prompt Username:
aaa authentication login default local-case enable
aaa authorization exec default local none
aaa authorization commands 15 default local none
enable secret 5 ***** Text Removed *****
!
username ** removed ** psnet privilege 15 password 7 ** removed **
!
!
!
!
line con 0
transport input none
stopbits 1
line vty 0 4
length 25
line vty 5 15
!
01-05-2003 06:42 PM
Try changing:
aaa authorization exec default if-authenticated group tacacs+
to:
aaa authorization exec default group tacacs+ none
I think the if-authenticated is being used instead of the TACACS server attributes because you have it first. In fact, the TACACS server will never be used for authorization with your current setup because the "if-authenticated" will always be used first and will never fail (unless authentication fails first).
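To make the method-list ordering point above concrete, here is an added simulation (not from this thread or from Cisco) of how IOS walks an authorization method list: each method returns PASS, FAIL or ERROR, and only ERROR falls through to the next method. It compares the original `if-authenticated group tacacs+` list with `group tacacs+ none` and with the `group tacacs+ local` fallback suggested later in the thread, with the server up and down; the username, privilege values and the "unknown local user fails" behaviour are constructed assumptions.

```python
# Constructed model (not IOS code) of how IOS walks an AAA authorization method
# list: PASS or FAIL ends the walk; only ERROR (method unavailable, e.g. the
# TACACS+ server is unreachable) falls through to the next method.
from dataclasses import dataclass
PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

@dataclass
class Env:
    authenticated: bool   # login authentication already succeeded?
    tacacs_up: bool       # TACACS+ server reachable?
    server_priv: dict     # user -> priv-lvl the server would return (constructed)
    local_priv: dict      # user -> local 'username ... privilege N' (constructed)

def run_method(method, user, env):
    """Evaluate one method; return (status, priv_lvl or None)."""
    if method == "if-authenticated":
        # Passes as soon as login succeeded and never consults a server.
        return (PASS, None) if env.authenticated else (FAIL, None)
    if method == "group tacacs+":
        if not env.tacacs_up:
            return ERROR, None                # server down -> next method
        return (PASS, env.server_priv[user]) if user in env.server_priv else (FAIL, None)
    if method == "local":                     # modelled: unknown user -> FAIL
        return (PASS, env.local_priv[user]) if user in env.local_priv else (FAIL, None)
    if method == "none":
        return PASS, None                     # no authorization performed
    raise ValueError(method)

def exec_authorization(method_list, user, env):
    """Walk the list; return (granted, priv_lvl). Level 1 when none is set."""
    for method in method_list:
        status, priv = run_method(method, user, env)
        if status == PASS:
            return True, (1 if priv is None else priv)
        if status == FAIL:
            return False, None
    return False, None                        # every method returned ERROR

def compare_lists(user="netadmin"):
    """Thread's original list vs the two fixes, with the server up and down."""
    up = Env(True, True, {user: 15}, {user: 15})
    down = Env(True, False, {user: 15}, {user: 15})
    lists = {
        "if-authenticated group tacacs+": ["if-authenticated", "group tacacs+"],
        "group tacacs+ none": ["group tacacs+", "none"],
        "group tacacs+ local": ["group tacacs+", "local"],
    }
    return {name: (exec_authorization(m, user, up), exec_authorization(m, user, down))
            for name, m in lists.items()}
```

With the original list the server is never asked and the user lands at level 1 whether ACS is up or not; `group tacacs+ none` applies the server's priv-lvl 15 but grants an unauthorized EXEC at level 1 when the server is down, while `group tacacs+ local` falls back to the privilege defined on the local username instead.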
01-07-2003 12:16 AM
Thanks that did the trick!!!
02-03-2003 11:19 AM
Hello:
A while back you had asked for assistance regarding setting up TACACS to the router logins to skip over to enable mode. I am currently trying to get this to work myself. Would it be possible for you to post your working configuration (minus passwords of course), on the Cisco site? Also, any comments regarding what you had to do on the CiscoSecure site would be useful as well.
Thank you in advance.
02-04-2003 05:11 PM
This is part of EXEC authorization when the user logs in:
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
tac server
username foo privilege 15 password bar
Assign the user or group privilege level 15 and away you go. You can use your local account if the connection to the tac+ server goes down or you receive an error for things like a key mismatch.
There are oodles of examples on cisco.com. Here is a good reference: