Showing results for 
Search instead for 
Did you mean: 

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.


How to skip enable mode password prompt.


I just installed ACS 4.1 (first time working with ACS). Everything is working great and I'm using the ACS internal database for user authentication.

The question I have is this. When logging into a router, which is authenticating against the ACS server, is there a way to bypass having to enter my password a second time to get to enable mode??

Currently, I have to enter my username and password to login to the router and when I go to enable mode, I have to re-enter my password again.

Any help is greatly appreciated.




Accepted Solutions

Hi Tony,

Do mark this thread as solved, so that others can benefit from it.



View solution in original post

Jagdeep Gambhir


If you are using tacacs then this needs to be done,

Router(config)# username [username] password [password]

tacacs-server host [ip]

tacacs-server key [key]

aaa new-model

aaa authentication login default group tacacs+ local

aaa authorization exec default group tacacs+ if-authenticated


Bring users/groups in at level 15

1. Go to user or group setup in ACS

2. Drop down to "TACACS+ Settings"

3. Place a check in "Shell (Exec)"

4. Place a check in "Privilege level" and enter "15" in the adjacent field




Thank you so much for your response. I did as you have recommended and I am still being prompted to enter my password a second time to get into enable mode.

Here is the router config:

tacacs-server host x.x.x.x

tacacs-server directed-request

tacacs-server key xxxxxxxxxxxxxxx

aaa authentication login default group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa authorization exec default group tacacs+ if-authenticated

aaa authorization commands 15 default group tacacs+ if-authenticated

aaa accounting update newinfo

aaa accounting exec default stop-only group tacacs+

aaa accounting commands 15 default stop-only group tacacs+

My ACS group setting is configured for privilege level 15.

Does anything jump out at you? Is there anything else I should do?

Thanks again,



Setting seems to be ok and it should work. Get the debug aaa authorization and debug tacacs.


Hi Jagdeep,

Here's the output from debug aaa authorization, debug tacacs authorization, & debug tacacs events.

The first output is me logging in and the second is me going to enable mode.

Thanks for you input.



I can not tell from the output whether you are doing telnet to the router remotely or whether this is a console session. It makes a difference because by default the IOS does not do authorization for console sessions, and therefore will not put you directly into enable mode when logging in from the console. It does work when logging in from telnet.

[edit] after looking again at the debug it is obvious that the router is sending authorization the first time, which probably means that it is from a telnet connection. So my observation about not authorizing on the console is probably not the right answer to your issue.






Can you make sure that user is part of that group on which you have configured shell exec priv 15 ?

Which device and IOS you are testing it with ? Do you have any other IOS device to test ?



Hi Jagdeep;

Thank you for your reply. I appoligize for not getting back to you sooner. I was out-of-the-office.

The user is part of the group with shell exec priv 15. Also, they have an unrestricted shell command auth set (permitting all unmatched commands).

Here are the devices and IOS levels:

Cisco 2851 12.4.12

Cisco 3640 12.3.10

MSFC3 12.2(17d)SXB6

Cisco 7206 12.3(22)

All AAA configs include the authorization, if-authenticated command.

Thanks again,


Premdeep Banga
Rising star

Hi Tony,

Please ensure that you have not configured anything on user setting, as user settings over ride group settings.

From debugs,

May 25 13:56:41.544 edt: AAA/AUTHOR/EXEC(0000020A): processing AV cmd=

May 25 13:56:41.544 edt: AAA/AUTHOR/EXEC(0000020A): Authorization successful

It seems like that you have checked Autocommand or shell command authorization set. not too sure i have to check that out.

But we should get something like "priv-lvl=15" in debugs rather than "cmd="

If you are doing this from console, then you need to have a hidden command applied,

"aaa authorization console"

But I would only recommend you this, once you make sure everything is working fine via telnet/ssh.



Hi Prem,

Thank you for your reply. I appoligize for not getting back to you sooner. I was out-of-the-office.

The user settings are setup with all settings to come from their group settings. There are no seperate user settings.

The group is setup to have an unrestricted shell command auth set (permitting all unmatched commands).

Lastly, I am connecting through telnet to the router(s).

Please don't hesitate to ask if you need anything else.

Thanks for looking at this for me.



Here's my two penny's worth;

I would take off the "authorization" lines as these are only needed to authorize exec and commands:

no aaa authorization exec default group tacacs+ if-authenticated

no aaa authorization commands 15 default group tacacs+ if-authenticated

I would also remove the authentication enable line as this tells the device to authenticate enable mode access

no aaa authentication enable default group tacacs+ enable

And just test with the authentication login line, leave the accounting lines for now

I would double check the following in ACS:

Is the device in the right NDG?

Do you have Per Group Defined Network Access Restrictions defined for this device?

Is the user in the right group?

In the group settings, Check you have Shell(exec) enabled, Privilege level set to 15, and under Enable Options ensure you have the right Priv level defined, per device, per group etc.

Do you have either Shell Command Authorization Set or Per Group Command Authorization radio button selected?

If you have Shell Command Authorization Set for the group ensure you have Unmatched Commands Permit selected.

And authentication should be ok, then you can troubleshoot the authorization part...

Is this on an appliance or other operating system? My experience of the appliances are that they're pretty c**p, too many bugs and little things that don't work...

Just for info, you should have a last resort local username configured if ACS is down:

username priv 15 password

This will give you local access, and, if you find you have access issues as you have, you can remove the device from ACS, so it doesn't know about it, the device will try ACS not a get a response after the timeout period and prompt you for your username, enter your local password and you're in...

I hope this helps...

Hi and Thanks for your repsonse;

As I mentioned in my first email, everything is working, Authentication, Authorizarion and Accounting as it should. The only question that I have is how to prevent entering my TACACS password a second time when entering into "enable" mode.

Removing the commands that you mention will only cause me to have to enter the enable mode password (or secret) configured on the device itself.

The ACS group settings and user settings are in-line with your recommendations.

Lastly, I am using Cisco ACS 4.1 which is running on a Windows 2003 (virtual) server. Its not an appliance.

Thanks for taking the time to respond.


Hi Tony,

Can you please take screenshot of the group settings that your user is in, along with screenshot of your user configuration that you are testing, and sh run in a word file.



Hi Prem,

Attached are the group settings and the shell command authorization settings.

Thanks again for looking at this.



In the screenshots being sent by you, I can see that you have "Shell(exec)" checked, but "Privilege level" is not.

Please check "Privilege level" and put 15 in the corresponding box as the value, Press "Submit + Restart", go back and make sure that the setting is still there and make sure that you have command,

aaa authorization exec default group tacacs+

or something similar to it.

And then try.



Recognize Your Peers
Content for Community-Ad

ISE Webinars

Did you miss a previous ISE webinar?

CiscoISE YouTube Channel