10-11-2007 12:50 PM - edited 03-10-2019 03:26 PM
I am using a Cisco ACS server with an RSA server behind it. When the user is authenticated from the ACS server, I want them to go straight into enable mode, not have to type the enable mode password. What line am I missing?
aaa authentication login ACS group ACS_servers local enable
aaa authorization exec ACS group ACS_servers local
aaa authorization commands 15 ACS group ACS_servers local
aaa accounting commands 1 default start-stop group ACS_servers
aaa accounting commands 15 default start-stop group ACS_servers
line vty 0 5
login authentication ACS
authorization commands 15 ACS
10-11-2007 02:39 PM
Hi,
Bring users/groups in at level 15
1. Go to user or group setup in ACS
2. Drop down to "TACACS+ Settings"
3. Place a check in "Shell (Exec)"
4. Place a check in "Privilege level" and enter "15" in the adjacent field
Regards,
~JG
Please rate helpful posts
10-12-2007 08:27 AM
Unfortunately, that still did not work. It authenticates me, but puts me at the router> prompt.
aaa authentication login default line
aaa authentication login ACS group ACS_servers local enable
aaa authorization exec ACS group ACS_servers local
aaa authorization commands 15 ACS group ACS_servers local
aaa accounting commands 1 default start-stop group ACS_servers
aaa accounting commands 15 default start-stop group ACS_servers
line vty 1
access-class 1 in
exec-timeout 60 0
ipv6 access-class IPv6-VTY-Access in
authorization commands 15 ACS
login authentication ACS
10-12-2007 08:36 AM
Are you logging in via console or telnet? Please send me the complete running config.
Also try it with a plain vanilla config and see how it works:
aaa authentication login default group tacacs local
aaa authorization exec default group tacacs if-authenticated
If it works then there is some issue with server or group name.
10-12-2007 08:43 AM
I forgot the line in my vty line config:
authorization exec ACS
10-13-2007 11:18 AM
Michael
The question from Jagdeep about whether you are logging in on the console or by telnet is actually quite significant. Going directly to enable mode is a function of authorization, and by default Cisco does not do authorization on the console. So login on the console would not go directly to enable (unless you had configured privilege level 15 on the console).
So are you logging in on the console or on vty?
HTH
Rick
10-15-2007 07:58 AM
The configuration in question is for telnet, but I do need to design my new console access connection. Console access would be either remotely or on-site, but I don't feel comfortable giving priv 15 right into it. I plan to use the same authentication method on the console (ACS group 1st, local database 2nd) and will just have to enter the enable password through the console.
One more question on the aaa config, I kept getting this error in the log:
AAA/AUTHOR: config command authorization not enabled
So I added:
aaa authorization config-commands
I don't know if it was needed because I could still execute config-commands, but it kept giving me that warning if I didn't have that line.
Also, do I really need this line if the ACS server is taking care of priv 15 authorization:
aaa authorization commands 15 ACS if-authenticated
10-15-2007 08:20 AM
By default console authorization is disabled, so it should ask you for the enable password from the console.
However, if you want to log in straight to enable mode from the console, then you need to issue this hidden command:
aaa authorization console
=================================
aaa authorization config-commands
Above command checks the authorization for commands that are executed in config mode.
Yes, you should have that command.
aaa authorization commands 15 ----> Checks commands with priv 15 ONLY in enable mode. It is not checking config t commands.
Regards,
~JG
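Pulling the thread's pieces together, here is an added example (not any poster's config) of a complete IOS AAA setup that lands a TACACS+-authorized user in enable mode on the vty lines and still prompts for the enable password on the console. The server group name ACS_servers is taken from the thread; the server address 192.0.2.10, the key EXAMPLE_KEY and the access-list number are placeholders.

```cisco
! Added example, not from the original thread. Server address and key are placeholders.
aaa new-model
tacacs-server host 192.0.2.10 key EXAMPLE_KEY
aaa group server tacacs+ ACS_servers
 server 192.0.2.10
!
! Authentication: ACS first, local users second, enable password last resort.
aaa authentication login ACS group ACS_servers local enable
! Exec authorization is what lets ACS push priv-lvl=15 so the user skips "enable".
aaa authorization exec ACS group ACS_servers local
! Per-command authorization for level-15 commands in exec mode only.
aaa authorization commands 15 ACS group ACS_servers local
! Also send configuration-mode commands to ACS (otherwise only exec commands are checked).
aaa authorization config-commands
aaa accounting commands 1 default start-stop group ACS_servers
aaa accounting commands 15 default start-stop group ACS_servers
!
line vty 0 4
 access-class 1 in
 exec-timeout 60 0
 login authentication ACS
 ! Without this line the user authenticates but stays at the router> prompt.
 authorization exec ACS
 authorization commands 15 ACS
!
! Console: exec authorization is skipped by default, so the enable password is still
! required here. Adding "aaa authorization console" globally would change that.
line con 0
 login authentication ACS
```

For the user to actually land at level 15, the ACS user or group must return a Shell (Exec) profile with privilege level 15, as described earlier in the thread; the `local` fallback only reaches level 15 for local usernames configured with `privilege 15`. Note that `if-authenticated` as a fallback method succeeds for any authenticated user when no server answers, so it is a looser fallback than `local`.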