Enable Secret Password Missing in Config.

jeff6strings
Level 1

Recently I came across a router (Cisco 3845, IOS 12.4) configured for TACACS, one local username and an enable password. Going through the configuration I noticed the router didn't have an enable secret password, which I thought was strange. The TACACS config is below; I would appreciate assistance and comments regarding the TACACS config and the consequences of not having an enable secret, or whether there is a need for one.

aaa authentication login default group tacacs+
aaa authentication login no_tacacs enable
aaa authorization exec default group tacacs+
aaa authorization commands 1 default group tacacs+
aaa authorization commands 15 default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+

Thanks,

Jeff



Kelvin Willacey
Level 4

Well, it is all based on the privilege level; anything below privilege 15 will require an enable password. As long as within ACS the users are assigned privilege level 15, access to the switch/router will be fine. If ACS is unavailable, as long as a local user on the switch/router has privilege 15 you should still have access to the switch/router.

However if within ACS users are assigned a privilege level below 15 and need access to enable mode they will not be able to get in, so I think that would be the consequence of not having one.

Following Jeremy's article below I noticed when connecting to a router via console without access to TACACS I can logon with the local username, who has level 15 privilege, but when accessing enable mode I'm prompted for the enable secret password. Just wondering if this is normal or if there is an alternate configuration which will provide enable mode when authenticated like telnet with TACACS.

Thanks again,

Jeff

http://packetlife.net/blog/2010/sep/27/basic-aaa-configuration-ios/

I think this command is causing the issue: 'aaa authentication login no_tacacs enable'. I think it's saying that if the default is not available (which is to use TACACS, shown by this command 'aaa authentication login default group tacacs+'), then you will have to use the enable password. You should be able to modify it and use 'aaa authentication login no_tacacs local'; see if that works.

Thanks for the reply. I reconfigured our TACACS and AAA with the new configuration below; in addition, we have an enable secret password and a local username with level 15 privileges.

aaa new-model
tacacs-server host 10.1.1.1 key SWITCHKEY
tacacs-server host 10.2.2.2 key SWITCHKEY
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
line console 0
 login authentication default
line vty 0 15
 login authentication default

When I disconnect the switch or router from the network and connect to the console I can logon with the local username but when accessing enable mode I'm prompted for the enable secret password and was wondering if this is normal given the new configuration.

Thanks again,

Jeff

I suppose it is normal behaviour, at least only for the console because authorization is not on by default for the console and I always forget that, so you will need 'aaa authorization console' and you should be able to login without the enable secret.

Richard Burts
Hall of Fame

Jeff

In regard to your original post about enable password and enable secret - they both have the same functionality in authenticating to privilege mode. The enable password came first and enable secret came later. The main difference between enable password and enable secret is that enable secret uses stronger encryption than enable password.

It is generally more of a Best Practice to use enable secret. But it is not an error to use enable password and not enable secret.

In regard to the explanation about no_tacacs, it is quite incorrect to say that it supplies an alternative if TACACS is not available. It defines an alternative named method for authentication, and something, perhaps the console, would have been configured to use that authentication method rather than the default.

HTH

Rick


jeff6strings
Level 1

I added the line "aaa authorization console" and now, when connected to the console or via telnet while the switch has access to the TACACS servers and I log on with a TACACS user, I'm taken to the enable prompt. When connected to the console and the switch does not have access to the TACACS server, I'm prompted for the local username and credentials and, when entered, I'm taken to the enable prompt. Very happy with the current configuration and the option to be taken to the enable prompt upon logon.

I know the pros and cons to this configuration and we are currently establishing our own IT policies for these kinds of things but I'm curious to know what others are doing.

Thanks for any replies.

Jeff
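As an added example (not from this thread or from Cisco), the following Python audit script checks an IOS running-config for the three pitfalls the thread works through: no enable secret (with a reversible enable password instead), a login method list that consults only TACACS+ with no local or enable fallback, and exec authorization configured without 'aaa authorization console'. The two sample configs and the finding codes are constructed here, modelled on the original and revised configurations posted above.

```python
"""Audit an IOS AAA/enable configuration for the pitfalls discussed in this thread.

Added example, not from the thread: the finding codes and sample configs are constructed."""
import re
from typing import List

# Constructed sample modelled on the original poster's first config: TACACS+ only, no enable secret.
ORIGINAL_CONFIG = """
enable password CONSTRUCTED-ENABLE-PW
aaa authentication login default group tacacs+
aaa authentication login no_tacacs enable
aaa authorization exec default group tacacs+
aaa accounting exec default start-stop group tacacs+
"""

# Constructed sample modelled on the revised config: local fallback and an enable secret, but
# still without 'aaa authorization console'.
REVISED_CONFIG = """
enable secret CONSTRUCTED-ENABLE-SECRET
aaa new-model
tacacs-server host 10.1.1.1 key CONSTRUCTED-KEY
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
line console 0
 login authentication default
"""


def audit_aaa(config: str) -> List[str]:
    """Return finding codes for a running-config text, in the order the checks run."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    if not any(l.startswith("enable secret") for l in lines):
        findings.append("NO_ENABLE_SECRET")
    if any(l.startswith("enable password") for l in lines):
        # 'enable password' is stored cleartext or as reversible type 7; 'enable secret' is hashed.
        findings.append("ENABLE_PASSWORD_REVERSIBLE")
    # A login method list that consults only TACACS+ has no way in when the servers are unreachable.
    for l in lines:
        m = re.match(r"aaa authentication login (\S+) (.+)", l)
        if m and "tacacs+" in m.group(2).split() and not {"local", "enable"} & set(m.group(2).split()):
            findings.append("NO_FALLBACK:" + m.group(1))
    # Exec authorization is not applied to the console unless 'aaa authorization console' is set,
    # so a privilege-15 user still lands at user mode and is prompted for the enable secret there.
    if any(l.startswith("aaa authorization exec") for l in lines) and "aaa authorization console" not in lines:
        findings.append("NO_CONSOLE_AUTHORIZATION")
    return findings
```

Running it over the revised sample reports only the missing console authorization, which is exactly the line the original poster added last to reach the enable prompt directly from the console.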