I'm trying to develop an AAA deployment for switch access that will give users access to 'enable' mode without re-authenticating.
I'm using a 2960x running 15.2(2a)E1 code.
Here's my config:
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authentication dot1x default group radius
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ local if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa server radius dynamic-author
aaa session-id common
I have it working with both TACACS and local user failover.
My problem: users have to re-authenticate to access 'enable' mode.
I am fairly certain that my TACACS server (Clearpass in this case) is returning a level 15 access appropriately; when I change it to return a level 1, my test user can log in, but when prompted to reauthenticate in order to access 'enable' mode, access is denied. I interpret this as expected behaviour.
What am I missing?
Thanks in advance!
A few things to share: if you have priv-15 on the AAA server and exec authorization configured on the switch,
it will always bypass enable mode.
And when you have priv-1 configured, the user has to reauthenticate in order to get a new session for enable mode. It's expected behavior.
Even if you push priv-15 without exec authorization, keeping enable authentication, you should get enable mode.
Are you getting any error on the AAA server when it is failing?
PS: rate helpful posts!!!
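One way to confirm what the TACACS+ server really returns for the EXEC authorization (the "fairly certain" part above), as an added example that is from neither poster nor from Cisco or ClearPass code: it decodes an authorization REPLY body in the layout defined by RFC 8907 and reports the priv-lvl attribute-value pair. It assumes the body has already been de-obfuscated (the 12-byte TACACS+ header and the MD5 keystream step are not handled), and the sample replies at the bottom are constructed, not captured.

```python
import struct

# Authorization status codes, RFC 8907 section 6.2
AUTHOR_STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL", 0x11: "ERROR", 0x21: "FOLLOW"}

def parse_author_reply(body: bytes) -> dict:
    """Decode a de-obfuscated authorization REPLY body into status, server_msg and AV pairs."""
    if len(body) < 6:
        raise ValueError("authorization reply body too short")
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    arg_lens = body[6:6 + arg_cnt]
    pos = 6 + arg_cnt
    server_msg = body[pos:pos + msg_len].decode("ascii", "replace")
    pos += msg_len + data_len          # 'data' is administrative text; skip it
    args = {}
    for n in arg_lens:
        text = body[pos:pos + n].decode("ascii", "replace")
        pos += n
        # '=' marks a mandatory AV pair, '*' an optional one; split on whichever comes first
        sep = min((i for i in (text.find("="), text.find("*")) if i >= 0), default=-1)
        if sep < 0:
            raise ValueError(f"malformed AV pair: {text!r}")
        args[text[:sep]] = text[sep + 1:]
    if pos != len(body) or len(arg_lens) != arg_cnt:
        raise ValueError("truncated or oversized reply body")
    return {"status": AUTHOR_STATUS.get(status, f"UNKNOWN({status:#x})"),
            "server_msg": server_msg, "args": args}

def granted_priv_lvl(body: bytes):
    """Privilege level the switch will apply to the EXEC session, or None if the reply grants none."""
    reply = parse_author_reply(body)
    lvl = reply["args"].get("priv-lvl")
    if not reply["status"].startswith("PASS") or lvl is None or not lvl.isdigit():
        return None
    return int(lvl)

def build_author_reply(status: int, args, server_msg: str = "") -> bytes:
    """Encoder (inverse of the parser) used only to construct sample replies offline."""
    enc = [a.encode("ascii") for a in args]
    head = struct.pack("!BBHH", status, len(enc), len(server_msg), 0)
    return head + bytes(len(a) for a in enc) + server_msg.encode("ascii") + b"".join(enc)

# Constructed samples: a server granting level 15, one granting level 1, and a denial.
SAMPLE_PASS_15 = build_author_reply(0x01, ["priv-lvl=15"])
SAMPLE_PASS_1 = build_author_reply(0x02, ["priv-lvl=1", "timeout*10"])
SAMPLE_FAIL = build_author_reply(0x10, [], "not authorized")

if __name__ == "__main__":
    for name, body in (("pass15", SAMPLE_PASS_15), ("pass1", SAMPLE_PASS_1), ("fail", SAMPLE_FAIL)):
        print(name, parse_author_reply(body), "->", granted_priv_lvl(body))
```

A reply that passes but carries priv-lvl=1 (the second sample) is exactly the case the switch treats as a level-1 session, so the enable prompt and the subsequent denial in the question are consistent with what the server sent.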