Re: How to put users into 'enable' mode at first login to switch

spacehymns · ‎02-24-2017

I'm trying to develop an AAA deployment for switch access that will give users access to 'enable' mode without re-authenticating.

I'm using a 2960x running 15.2(2a)E1 code.

Here's my config:

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authentication dot1x default group radius
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ local if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa server radius dynamic-author
aaa session-id common

I have it working with both TACACS and local user failover.

My problem: users have to re-authenticate to access 'enable' mode.

I am fairly certain that my TACACS server (Clearpass in this case) is returning a level 15 access appropriately; when I change it to return a level 1, my test user can log in, but when prompted to reauthenticate in order to access 'enable' mode, access is denied. I interpret this as expected behaviour.

What am I missing?

Thanks in advance!

Gagandeep Singh · ‎02-25-2017

Few things to share if you have Priv-15 on AAA server and exec authorization configured on switch.

It will always bypass enable mode.

And When you have priv-1 configured, user has to reauthenticate in order to get new session to get enable mode. It's expected behavior.

Even if you push Priv-15 without exec authorization keeping enable authentication, you should get enable mode.

Are you getting any error on AAA when it is failing.

Regards

Gagan

PS: rate helpful posts!!!

spacehymns · ‎02-27-2017

Hi Gagandeep,

There is no failure (and no error), but simply an unexpected behaviour.

I agree that I should get enable mode, but I don't. I can demonstrate the difference between sending priv 1 and priv 15 via TACACS, and the behaviour persists when I send priv 15.

Gagandeep Singh · ‎02-27-2017

I would suggest to keep 15 priv on Tacacs server and you can put or remove exec authorization on switch.

That way you'll get enable mode when exec is not there or vice-versa.

Regards

Gagan

spacehymns · ‎02-27-2017

When you say 'put or remove exec authorization', how do you mean? I'm trying to do that with this command, which I believe should grant exec authorization when the user authenticates (but perhaps I misunderstand):

aaa authorization exec default group tacacs+ local if-authenticated

Gagandeep Singh · ‎02-27-2017

I meant to say that if you remove it then we'll get enable mode with enable authentication on switch.

If you don't, will not get enable mode irrespective of enable authentication.

In both conditions, need Priv-15 on Server.

Regards

Gagan

johnnylingo · ‎10-16-2019

Glad I found this thread. It helped me figure out how to use SCP for IOS image transfers when a RADIUS server is used for AAA

https://layer77.net/2019/10/16/cisco-ios-xe-scp-server/