IOS TACACS config verify

Steven Williams
Level 4

aaa new-model
!
!
aaa group server tacacs+ TACACS_SERVERS
 server name TACACS
!
aaa authentication login TACACS_LOGIN group tacacs+ local
aaa authorization exec TACACS_LOGIN group tacacs+ local
aaa authorization network TACACS_LOGIN group tacacs+ local
!
!
tacacs server TACACS
 address ipv4 10.20.0.60
 key syskokey!123
!
line vty 0 4
 exec-timeout 60 0
 logging synchronous
 login authentication TACACS_LOGIN
 transport input ssh
 transport output ssh
line vty 5 15
 exec-timeout 60 0
 login authentication TACACS_LOGIN
 transport input ssh
 transport output ssh
!

MacBook-Pro:~ stevewilliams$ ssh stevewilliams@10.20.42.200
Password:
TEST-1841-01>en
% Error in authentication.

TEST-1841-01>

What is missing here? I do not want the user to know the enable password, so the user needs to drop right into user exec mode.


Steven Williams
Level 4

OK, I followed http://www.netcontractor.pl/blog/?tag=aaa and I can bypass the need for the user to enter the enable password after AD authentication, but how can I get the user to drop right into user exec mode after AD authentication?

Steven,

You already have the exec authorization in place; to get the user into privilege level 15, the TACACS+ server will need to provide that privilege level during the authorization phase.

"aaa authentication enable default none" was set, and that eliminated the need to enter an "enable" password, but it still requires the user to enter "enable". How can we eliminate this need? I am using ISE 2.0 for TACACS+.

nspasov
Cisco Employee

What Javier said (+5 from me). By setting the priv level to 15 from your AAA server, the user will be dropped directly into exec mode. You can also check out "aaa authentication enable none", which will disable the authentication for the enable mode.

Thank you for rating helpful posts!


saurabh_gera
Level 1

aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default none
aaa authorization commands 15 default group tacacs+ none

Give the commands above and set the server to provide level 15 authorized access; you won't need to enter the enable keyword.

Please mark as feedback if the solution works for you; if not, please share the error and we will work together on it.
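The gap the thread circles around can be checked mechanically: the poster defines the named list TACACS_LOGIN with "aaa authorization exec", but the vty lines never apply it with "authorization exec TACACS_LOGIN", so exec authorization (and the privilege level ISE returns) never runs, whereas the "default" lists in the reply above bind to every line implicitly. The Python below is an added example, not from the thread or from Cisco, that lints a constructed copy of the poster's config for exactly that gap; the TACACS+ server still has to return privilege level 15 for the user to land in privileged exec.

```python
"""Lint an IOS AAA config for 'aaa authorization exec' named lists that are
defined but never bound to a vty line, leaving exec authorization (and the
priv-lvl the TACACS+ server returns) unused. Hypothetical tool, added here."""
import re

# Constructed sample: the poster's relevant lines, indented IOS-style.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login TACACS_LOGIN group tacacs+ local
aaa authorization exec TACACS_LOGIN group tacacs+ local
line vty 0 4
 login authentication TACACS_LOGIN
 transport input ssh
line vty 5 15
 login authentication TACACS_LOGIN
 transport input ssh
"""

# Same config with the named list applied on both vty ranges.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    " login authentication TACACS_LOGIN\n",
    " login authentication TACACS_LOGIN\n authorization exec TACACS_LOGIN\n")


def vty_sections(config):
    """Return {'line vty 0 4': [sub-commands], ...} from a running-config."""
    sections, current = {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif raw.startswith("line vty"):
            current = raw.strip()
            sections[current] = []
        else:
            current = None  # any other top-level command ends the section
    return sections


def unbound_exec_lists(config):
    """Return sorted (vty section, list name) pairs where a named
    'aaa authorization exec' list is not applied with 'authorization exec'.
    The 'default' list applies to every line implicitly, so it is skipped."""
    named = set(re.findall(r"^aaa authorization exec (\S+)", config, re.M))
    named.discard("default")
    gaps = []
    for section, cmds in vty_sections(config).items():
        applied = {c.split()[2] for c in cmds if c.startswith("authorization exec ")}
        gaps.extend((section, n) for n in named if n not in applied)
    return sorted(gaps)
```

Running unbound_exec_lists(SAMPLE_CONFIG) reports TACACS_LOGIN as unbound on both vty ranges, while FIXED_CONFIG and the default-list variant from the reply above report nothing.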