03-27-2008 10:17 AM - edited 03-10-2019 03:44 PM
Hi, I just installed ACS 4.1 for Windows. I've added a user account and a router; my router can communicate with the ACS server and I can authenticate to the router, but my authentication will not take me into enable (or privilege) mode. It takes me right to the user mode. From the server I tried granting priv 15 to my user group and also to me as a user, but it still doesn't work. I have the basic configuration on the router:
aaa new-model
aaa authentication login susd group tacacs+ local
tacacs-server host 10.x.x.x
tacacs-server directed-request
tacacs-server key xxxx
Can someone help a rookie out?
03-27-2008 11:51 AM
Try this:
ROUTER#config t
Enter configuration commands, one per line. End with CNTL/Z.
ROUTER(config)#line vty 0 4
ROUTER(config-line)#privilege level 15
ROUTER(config-line)#end
ROUTER#
HTH
03-27-2008 01:14 PM
Hi HTH,
Thanks that worked!
04-05-2008 07:20 AM
You can also achieve this using TACACS authorization. Enter the following command in global configuration mode:
aaa authorization exec default group tacacs+ local
This will enable the router to put you into your assigned privileged mode as configured on the ACS.
04-10-2008 09:01 AM
I think this is actually the way I wanna go, so I can take advantage of aaa logging.
If I use this authorization command should I remove the privilege login from my VTY lines?
04-10-2008 02:26 PM
Yes, you don't need the privilege level set on the VTY lines when using the authorization method.
John
04-10-2008 02:57 PM
Thanks John,
That gave me exactly what I was looking for. I also had to place the authorization command on the line.
04-11-2008 07:09 AM
Ah, I guess you're using a named authorization method rather than the default one, which is why it needs applying to the VTY lines. The default method would apply to all lines where not already configured.
04-11-2008 08:19 AM
John,
Do you think that the default method is the better way to go? I guess it would since I don't have to configure the lines.
04-11-2008 01:10 PM
Default is a good option to use if you are not using any method-list.
The default keyword covers all interfaces except serial.
Regards,
~JG
04-11-2008 09:49 PM
Thanks John, you've been a big help.
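An added example (not written by any poster in this thread): a small Python check over a saved IOS configuration that flags VTY lines relying on a static privilege level, and VTY lines whose exec authorization method list is not defined, which is the named-versus-default situation discussed above. The sample configurations are constructed, and the function names vty_blocks and audit_vty are hypothetical.

```python
import re

# Constructed IOS snippets for illustration (not from the thread's router).
BASE = "aaa new-model\naaa authentication login susd group tacacs+ local\n"
VTY = "line vty 0 4\n login authentication susd\n"
STATIC_PRIV = BASE + VTY + " privilege level 15\n"
NAMED_UNAPPLIED = BASE + "aaa authorization exec susd group tacacs+ local\n" + VTY
NAMED_APPLIED = NAMED_UNAPPLIED + " authorization exec susd\n"
DEFAULT_LIST = BASE + "aaa authorization exec default group tacacs+ local\n" + VTY


def vty_blocks(config):
    """Map each 'line vty ...' header to the sub-commands indented under it."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip() if raw.startswith("line vty") else None
            if current:
                blocks[current] = []
        elif raw.startswith(" ") and current:
            blocks[current].append(raw.strip())
        else:
            current = None  # any other top-level command ends the block
    return blocks


def audit_vty(config):
    """Return {vty header: [findings]}; an empty list means nothing flagged."""
    # Names of all exec authorization method lists defined globally.
    exec_lists = set(re.findall(r"^aaa authorization exec (\S+)", config, re.M))
    results = {}
    for header, cmds in vty_blocks(config).items():
        findings = []
        priv = next((c for c in cmds if c.startswith("privilege level ")), None)
        # A line with no 'authorization exec <name>' uses the list named default.
        applied = next((c.split()[-1] for c in cmds
                        if c.startswith("authorization exec ")), "default")
        if priv:
            findings.append(f"static '{priv}' is the default for every session on this line")
        if applied not in exec_lists:
            findings.append(f"exec authorization list '{applied}' is not defined, "
                            "so the level assigned on the ACS is never requested")
        results[header] = findings
    return results


if __name__ == "__main__":
    for name in ("STATIC_PRIV", "NAMED_UNAPPLIED", "NAMED_APPLIED", "DEFAULT_LIST"):
        print(name, audit_vty(globals()[name]))
```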