03-28-2005 12:12 PM - edited 03-10-2019 02:04 PM
I have TACACS+ running on my routers and everything is okay. There is one thing: when I authenticate through the AAA server with my user name and password, I then have to turn around and put in an enable password. I want to ditch the enable password so that when I log in with TACACS+ I go directly into enable mode. I tried to disable the enable password and I ended up locking myself out of the router. Can anyone shine some light on this for me?
03-28-2005 01:29 PM
For your IOS based routers, you can set the privilege level you will be assigned when you login via ACS. If you set the group that you belong to to give you a privilege of 15, you will be placed into enable mode. You can find this setting at:
Edit Group > Scroll Down to "TACACS+ Settings" > "Shell (Exec)"
Here you should find the option for "Privilege level". If you check this box and enter "15" (minus the quotes) in the field next to it, the next time you login, you should be placed directly into enable mode. This of course requires that the group/username will allow you to have a privilege level of 15 to start with.
You can also do this on a per-user basis as long as you have the "Shell (Exec)" configuration checked for the user category under "Interface Configuration" > "TACACS+ (Cisco IOS)". You may also need to select this for group configuration also if that is the route you choose to go with.
You will also need to make sure that your AAA method within the router is configured for use with enable mode too. The command for this is aaa authentication enable name tacacs+
This will also work for IOS based switches, but not CatOS based switches.
HTH
Steve
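As an added illustration (not part of Steve's answer or the original thread), here is the router-side IOS configuration that goes with the ACS shell profile described above: TACACS+ login, exec authorization so the priv-lvl=15 attribute from the shell profile is actually applied, and enable authentication with a local fallback so that an unreachable AAA server cannot lock you out the way the question describes. The server name, address, shared secret and local username are placeholders; the `tacacs server` / `address ipv4` form is the newer IOS syntax, older releases use `tacacs-server host` instead.

```cisco
! Added example, not from the original post. Placeholders: ACS1, 192.0.2.10,
! <shared-secret>, admin, <local-password>, <enable-password>.
aaa new-model
!
tacacs server ACS1
 address ipv4 192.0.2.10
 key <shared-secret>
!
aaa group server tacacs+ ACS-GROUP
 server name ACS1
!
! Local fallback credentials, used only when the TACACS+ group does not answer.
! Keep these even after TACACS+ works; removing them is how people lock themselves out.
username admin privilege 15 secret <local-password>
enable secret <enable-password>
!
! Login: try TACACS+, fall back to the local database if the server is unreachable.
aaa authentication login default group ACS-GROUP local
!
! Exec authorization is what applies the priv-lvl=15 the ACS "Shell (Exec)" profile
! sends. Without this line the user still lands at privilege 1 and is prompted for
! enable. if-authenticated lets an authenticated user in when the server is down.
aaa authorization exec default group ACS-GROUP if-authenticated
!
! Enable: ask TACACS+ ($enab15$ request), fall back to the local enable secret.
aaa authentication enable default group ACS-GROUP enable
!
line vty 0 4
 login authentication default
 authorization exec default
 transport input ssh
```

Before closing the session you configured this from, open a second SSH session and confirm with `show privilege` that the TACACS+ user arrives at privilege level 15; `debug aaa authorization` shows whether the priv-lvl attribute is being returned and applied. Only once that works, and only once the local fallback has been tested by pointing the router at an unreachable server, is it safe to stop relying on the enable password for day-to-day access.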
03-31-2005 11:56 AM
Thanks, this has pushed me in the right direction.