07-18-2004 06:28 PM - edited 03-10-2019 07:54 AM
I want to log into the console without having the username and password prompt (with the ACS server available and without). I have also set up the group settings with priv level 15 for all users under the TACACS+ settings (exec & priv 15 enable).
My conditions (when the ACS server is available)
All users get to the priv mode once authenticated (thru telnet) - without having to type in enable to get to the priv mode
All users use the login passwd & then the enable passwd thru console (as if there was no ACS server)
Is this possible?
07-19-2004 06:52 AM
Sure, it's possible.
Have a look at this config:
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication login notac line
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
!
line con 0
exec-timeout 30 0
password cisco
login authentication notac
!
With this config a user on console will be prompted with the line password, even with the ACS available.
Cheers
07-19-2004 04:39 PM
Thanks pvanvuuren, I'll try this tomorrow.
07-20-2004 07:21 AM
Hi pvanvuuren,
My problem with this is that when the ACS server is on and I console to a device, the first password is the line password due to
aaa authentication login notac line
However, when I go to the en mode I am prompted for my username and password. But under the ACS reporting / TACACS+ administration the username and group name show up blank.
Any ideas?
07-22-2004 04:47 AM
It sounds to me like you missed a subtlety in the solution suggested by pvanvuuren and that you have in your configuration the line "aaa authentication enable default group tacacs+ enable" or something very similar. If you look carefully at the suggested solution there was no authentication via TACACS+ for enable. If you do not have aaa authentication enable then you will not be prompted for username and password.
HTH
Rick
07-22-2004 06:37 AM
Hi
Not sure if you want console logon to prompt you for a username on the console when trying to go into enable mode. It is possible, but to do so you need authorization configured on the console.
Console port authorization was not added as a feature until Bug ID CSCdi82030 was implemented. Console port authorization is off by default to lessen the likelihood of accidentally being locked out of the router.
For a user who has physical access to the router via the console, console port authorization is not extremely effective. However, for images in which Bug ID CSCdi82030 has been implemented, console port authorization can be turned on under line con 0 with the hidden command: "aaa authorization console"
I agree with rburts, in that you might have "aaa authentication enable blah blah" configured. You should take that line out of the aaa config, since you logged in to exec using no username and ACS doesn't know who you are when trying to go into enable mode.
Nevertheless, paste your full aaa config in your next message, so we can inspect it. I hope this makes sense, but I will try again if it's unclear.
Cheers.
07-22-2004 08:02 AM
Thanks Guys,
I will clear up all my aaa settings and do exactly as pvanvuuren said. I will also paste my config here.
07-27-2004 06:40 AM
Hi,
I got the config as mentioned above, and what I wanted to do initially works well now (no TACACS+ for the console), but I may have made some other change which I can't figure out now. Now when I telnet (and the ACS server is live) I get to the enable mode with my username and pwd. However, I cannot do a show run... I get the message "command authorization failed". I can do some of the other sh commands like sh int etc.
Here are my settings:
aaa new-model
aaa authentication login default group tacacs+ line
aaa authentication login notac line
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group default
aaa accounting system default start-stop group tacacs+
line con 0
exec-timeout 30 0
password cisco
login authentication notac
line vty 0 4
exec-timeout 0 0
password cisco
transport preferred none
transport input telnet ssh
What am I missing?
07-27-2004 12:01 PM
Hi
The reason why you get the enable prompt straight away is that the Priv Level on shell access is set to 15. So, that is working correctly. You'll notice once you disable it, or set the priv level to 1, you will get the normal first-line exec prompt: Router>.
One of the attributes that could possibly stop you from doing a "show run" is due to the fact that you might have "Shell Command Authorization Sets" configured.
In your Group setting on ACS, you probably have the "Shell Command Authorization Set" on "None".
Change this option to "Per Group Command Authorization" and set the "Unmatched Cisco IOS commands" to "Permit".
This should allow all commands and arguments.
07-28-2004 04:32 PM
It worked pvanvuuren. I used to have it working before (and I had the "shell command auth set" to None)... don't know why. But thanks.
I have one last question for you folks
In the config I had put in, I had two lines for authorization:
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ none
Other than the "if-authenticated" and "none" choices in the above two lines, what's the difference between the two? Do I need both lines or are they doing the same thing? If there is a difference, where would I use one over the other?
I know these are actually 3 questions... but any help would be greatly appreciated.
Thanks again
07-29-2004 03:52 AM
It's an interesting question, but similar to the question of "How long is a piece of string?"
In my opinion, Cisco has simply allowed these options for flexibility. They do the same thing in this particular instance, but there can be other configurations whereby they would cater for other types of restrictions or backdoor access.
Suppose you telnet to the router while ACS is down, thus you have not been authenticated. You logged in with only the vty line password since you configured that to be the authentication fallback. While you are doing configurations the ACS comes up. And now you will get "Command authorization failed." because you were not authenticated.
So the "if-authenticated" is a more secure way of making sure the user is allowed to do certain commands.
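Added here as an illustration, not from the original thread or from Cisco: a small Python audit that reads an IOS AAA fragment and flags the two pitfalls discussed above, a TACACS+ enable method behind a line-authenticated console (the 07-22 replies) and a "none" fallback on command authorization (this reply). The sample config is constructed from the one posted in the thread with the suspected enable line added, and the function names are my own.

```python
import re

# Constructed sample: the thread's AAA fragment plus the "aaa authentication
# enable" line the replies suspect was present.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ line
aaa authentication login notac line
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ none
line con 0
 password cisco
 login authentication notac
"""

def parse_config(text):
    """Return global 'aaa' lines and the sub-commands of each 'line' section."""
    aaa, sections, current = [], {}, None
    for line in text.splitlines():
        if line.startswith("line "):
            current = line[5:].strip()
            sections[current] = []
        elif line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
        else:
            current = None
            if line.startswith("aaa "):
                aaa.append(line.rstrip())
    return aaa, sections

def audit_aaa(text):
    """Flag the two pitfalls discussed in the thread; returns a list of findings."""
    aaa, sections = parse_config(text)
    findings = []
    login_lists = dict(m.groups() for m in
                       (re.match(r"aaa authentication login (\S+) (.*)", ln) for ln in aaa) if m)
    con = sections.get("con 0", [])
    con_list = next((c.split()[-1] for c in con if c.startswith("login authentication ")), "default")
    # Console login never reaches TACACS+ but enable does: the server has no
    # identity for the session, so 'enable' prompts for username and password.
    if "tacacs+" not in login_lists.get(con_list, "") and \
            any(re.match(r"aaa authentication enable \S+ .*tacacs\+", ln) for ln in aaa):
        findings.append("console list '%s' skips tacacs+ but enable authenticates via tacacs+" % con_list)
    # A 'none' fallback lets any session run level-15 commands while the server
    # is unreachable, whether or not the user was ever authenticated.
    for ln in aaa:
        if re.match(r"aaa authorization commands \d+ \S+ .*\bnone$", ln):
            findings.append("command authorization falls back to 'none': " + ln)
    return findings
```

Run `audit_aaa(SAMPLE_CONFIG)` to get both findings; dropping the enable line and replacing `none` with `if-authenticated` returns an empty list.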
07-29-2004 05:58 AM
Hi pvanvuuren,
What I was asking was... what's the difference between these two commands:
aaa authorization exec default group tacacs+
aaa authorization commands 15 default group tacacs+
I understand the if-authenticated and none part. I just want to know if there is any difference between the above two.
Thanks
Sunil
02-22-2020 06:29 AM
Interesting. Why don't you use the following config for con 0:
line con 0
exec-timeout 0 0
privilege level 15
login
password cisco