39912 Views | 5 Helpful | 20 Replies

How to skip enable mode password prompt.

amaiale
Level 1

Hi,

I just installed ACS 4.1 (first time working with ACS). Everything is working great and I'm using the ACS internal database for user authentication.

The question I have is this. When logging into a router, which is authenticating against the ACS server, is there a way to bypass having to enter my password a second time to get to enable mode??

Currently, I have to enter my username and password to login to the router and when I go to enable mode, I have to re-enter my password again.

Any help is greatly appreciated.

Thanks,

Tony

20 Replies

Hi,

In the screen shots being sent by you, I can see that you have "Shell(exec)" checked, but "Privilege level" is not.

Please check "Privilege level" and put 15 in the corresponding box as the value, Press "Submit + Restart", go back and make sure that the setting is still there and make sure that you have command,

aaa authorization exec default group tacacs+

or something similar to it.

And then try.

Regards,

Prem
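For readers who want to see the router side of what Prem describes, here is an added example of the IOS AAA configuration that goes with the ACS "Privilege level 15" setting. It is not from the original thread or from Cisco documentation; the TACACS+ server address, shared key and fallback account name are placeholders. With exec authorization pointed at TACACS+, the privilege level ACS returns in the shell (exec) attributes is applied at login, which is why the enable prompt disappears.

```cisco
! Added example (not from the thread): TACACS+ login plus exec authorization.
! 192.0.2.10, the key and the fallback username are placeholders.
aaa new-model
!
tacacs-server host 192.0.2.10 key ACS_SHARED_KEY_PLACEHOLDER
!
! Authenticate logins against ACS; fall back to the local database
! only if no TACACS+ server answers, so the box stays reachable.
aaa authentication login default group tacacs+ local
!
! Exec authorization is what applies the priv-lvl returned by ACS.
! Without this line the user lands at level 1 and is prompted for enable.
aaa authorization exec default group tacacs+ local
!
! Local fallback account, used only when ACS is unreachable.
username admin-fallback privilege 15 secret FALLBACK_SECRET_PLACEHOLDER
!
line vty 0 4
 login authentication default
 authorization exec default
 transport input ssh
```

After logging in, `show privilege` should report level 15, as Tony observed. The `local` fallback on both method lists is deliberate: `aaa authorization exec default group tacacs+` with no fallback means that if ACS is down, nobody gets an exec shell at all.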

Hi Prem,

That works!!!

It takes me directly into enable mode without prompting me after initial login. When I do a show privilege, it shows that I am at level 15 too.

One last question, is there any way to set this up to prompt for enable mode so that the user must type enable; however, the enable password can be skipped or not required?? (that would provide just a little extra protection against someone accidentally doing something by mistake on the router)

If that is too involved to get into, we can leave things the way they are. At least I am not entering the password in twice.

Thanks again,

Tony

Tony,

If you want it to prompt for the enable password, then you need to take out priv 15 for the group that should be prompted for the enable password.

ACS----> Group setup--->Edit----> Jump to tacacs+---> shell-----> remove 15---> submit and restart.

Regards,

Hi Tony,

Glad to hear that it worked.

About the second part. Command Authorization would be the solution.

So that you can restrict helpdesk-users from attempting any configuration change.

And enabling you with privilege to run all commands. And as per your config on ACS, it is already configured in a way that you will have privilege to run all the commands.

Relevant commands,

aaa authorization command 0 default group tacacs+ none

aaa authorization command 1 default group tacacs+ none

aaa authorization command 15 default group tacacs+ none

Play with above command in test environment first, then apply them on production.

Regards,

Prem
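As an added example (not from the thread), here is the command-authorization piece Prem points to, written out with a `local` fallback instead of `none`. The difference matters: `group tacacs+ none` means that whenever no TACACS+ server answers, every command is permitted without authorization, which is convenient in a lab but an open door in production. The line names and the accounting line are my additions; the ACS-side command set that actually permits or denies individual commands is configured in the group's Shell Command Authorization Set and is not shown here.

```cisco
! Added example (not from the thread): per-command authorization against ACS.
! Level 1 and level 15 commands are both sent to TACACS+; if ACS is
! unreachable the local user database decides instead of "none".
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
! Configuration-mode commands are authorized too. This is on by default once
! command authorization is configured; it is stated explicitly so that an
! earlier "no aaa authorization config-commands" cannot leave config mode unchecked.
aaa authorization config-commands
!
! Command accounting: every authorized command is also recorded on ACS,
! which is what lets you review what a helpdesk user actually ran.
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
line vty 0 4
 authorization commands 1 default
 authorization commands 15 default
```

As Prem says, stage this on a test router first: a mistake in the ACS command set combined with a fallback of `local` (or no fallback at all) can lock an administrator out of the very commands needed to undo it, so keep a console session open while testing.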

Hi Tony,

Do mark this thread as solved, so that others can benefit from it.

Thanks,

Prem

Prem,

Thank you again.

I greatly appreciate your help.

Tony
