05-25-2007 06:58 AM - edited 03-10-2019 03:10 PM
Hi,
I just installed ACS 4.1 (first time working with ACS). Everything is working great and I'm using the ACS internal database for user authentication.
The question I have is this. When logging into a router, which is authenticating against the ACS server, is there a way to bypass having to enter my password a second time to get to enable mode?
Currently, I have to enter my username and password to login to the router and when I go to enable mode, I have to re-enter my password again.
Any help is greatly appreciated.
Thanks,
Tony
06-04-2007 05:57 AM
Hi,
In the screen shots being sent by you, I can see that you have "Shell(exec)" checked, but "Privilege level" is not.
Please check "Privilege level" and put 15 in the corresponding box as the value, press "Submit + Restart", go back and make sure that the setting is still there, and make sure that you have the command
aaa authorization exec default group tacacs+
or something similar to it.
And then try.
Regards,
Prem
06-04-2007 06:20 AM
Hi Prem,
That works!!!
It takes me directly into enable mode without prompting me after initial login. When I do a show privilege, it shows that I am at level 15 too.
One last question: is there any way to set this up to prompt for enable mode so that the user must type enable; however, the enable password can be skipped or not required? (That would provide just a little extra protection against someone accidentally doing something by mistake on the router.)
If that is too involved to get into, we can leave things the way they are. At least I am not entering the password in twice.
Thanks again,
Tony
06-04-2007 06:54 AM
Tony,
If you want it to prompt for the enable password, then you need to take out priv 15 for the group that you want to be prompted for the enable password.
ACS----> Group setup--->Edit----> Jump to tacacs+---> shell-----> remove 15---> submit and restart.
Regards,
06-04-2007 01:41 PM
Hi Tony,
Glad to hear that it worked.
About the second part. Command Authorization would be the solution.
So that you can restrict helpdesk-users from attempting any configuration change.
And enabling you with the privilege to run all commands. And as per your config on ACS, it is already configured in a way that you will have the privilege to run all the commands.
Relevant commands,
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
Play with the above commands in a test environment first, then apply them to production.
Regards,
Prem
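As an added illustration (not a configuration from this thread or from Cisco), here is a complete IOS AAA fragment that puts together the exec authorization from the accepted answer and the command authorization from the post above. The server address 192.0.2.10, the key TACACS-KEY and the enable secret are placeholders, and the fallback method "if-authenticated" is substituted for the thread's "none" to avoid an unauthorized-command fail-open when ACS is unreachable.

```cisco
! Added example configuration (not from the thread); IOS 12.x-era syntax to match ACS 4.1.
! Assumed values: TACACS+ server 192.0.2.10, shared key TACACS-KEY and the enable secret
! are placeholders.
aaa new-model
tacacs-server host 192.0.2.10 key TACACS-KEY
!
! Login authentication against ACS. The "local" method is consulted only when the
! TACACS+ server cannot be reached, not when it rejects the user.
aaa authentication login default group tacacs+ local
!
! Exec authorization: ACS returns priv-lvl=15 for the group (Group Setup ->
! TACACS+ Settings -> Shell (exec) -> Privilege level 15), so the session starts
! at privilege 15 and the separate enable password prompt is skipped.
aaa authorization exec default group tacacs+ local
!
! Command authorization (the second part of the thread): every command typed at the
! given privilege level is checked against the ACS command set for the user's group.
! The thread uses "none" as the fallback, which permits every command whenever ACS
! is unreachable; "if-authenticated" restricts that fallback to sessions that have
! already authenticated, so an unauthenticated session gains nothing from an outage.
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
!
! Keep an enable secret as a safety net for console recovery when ACS is down.
enable secret PLACEHOLDER-ENABLE-SECRET
!
line vty 0 4
 login authentication default
 authorization exec default
 authorization commands 15 default
 transport input ssh
```

After applying it, "show privilege" should report 15 right after login, and "show tacacs" confirms the server is reachable before the "none" fallback is ever relied on.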
06-04-2007 01:45 PM
Hi Tony,
Do mark this thread as solved, so that others can benefit from it.
Thanks,
Prem
06-05-2007 05:16 AM
Prem,
Thank you again.
I greatly appreciate your help.
Tony