01-29-2008 05:55 AM - edited 03-10-2019 03:37 PM
When I log into a Cisco device, I am prompted to enter username/password. Once authenticated, I have to enter the "enable" command and then enter my password again in order to gain privileged mode access. I want to be able to go to priv mode directly.
My AAA configuration looks like this:
aaa authentication login default group tacacs+ local
aaa authentication login ciscoadmins group tacacs+ local
aaa authentication enable default group tacacs+
aaa authorization config-commands
aaa authorization exec ciscoadmins group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 ciscoadmins group tacacs+ local
aaa authorization network default group tacacs+
aaa authorization network ciscoadmins group tacacs+
On my ACS SE (ver 4.1.4.13), I have both the User and Group setting configured the same for the TACACS+ section with SHELL (exec) checked and PRIV Level checked and the value set to 15.
I can get this to work with RADIUS but have not been successful with TACACS+.
Does anyone have a solution for this?
Thanks,
Keith
01-29-2008 07:53 AM
Keith,
I've got this successfully working in my network. Here is my AAA configuration:
aaa authentication login default group tacacs+ local enable
aaa authentication login console line
aaa authorization exec default group tacacs+ if-authenticated
On the ACS server, I have each AAA client set up to use TACACS+ (Cisco IOS) for authentication. In the TACACS+ Interface configuration, I have a checkbox next to PPP IP, Shell (exec), as well as Advanced TACACS+ Features. Then in the User/Group Setup, I have a checkbox next to Shell (exec) and Privilege level with 15 specified. I also have a Network Access Restriction configured for my group to allow All AAA Clients as a Permitted Calling/Point of Access Location.
Hope this helps.
John
01-29-2008 11:04 AM
Hi John,
Thank you for the reply. I tried the configuration you provided and unfortunately I was not able to get it to work on my network. I must have something else enabled that is blocking the authorization or I'm missing a parameter somewhere.
Thanks again for the assistance!
Keith
01-29-2008 11:34 AM
The only other global setting I have on my routers/switches is the following:
tacacs-server host x.x.x.x (IP address of ACS server)
tacacs-server key ******* (key as entered in the AAA client setup in ACS)
Have you been able to do any AAA debugging on your router or look at the reports on the ACS server?
John
01-29-2008 12:40 PM
The tacacs-server host and key settings are fine but I have not enabled debugging yet, so I'll try that next. Thanks John!
Keith
01-29-2008 11:38 AM
Keith
Are you looking to do this on the vty, on the console, or on both? There is an issue with doing it on the console. Going directly to privilege level 15 depends on authorization, and by default Cisco does not do authorization on the console. If you want to do this on the console there is a hidden command that will make this work:
aaa authorization console
As with most hidden commands, Cisco recommends that you use this with caution: there is some risk that you could lock yourself out of the device if you misconfigure something.
HTH
Rick
01-29-2008 12:56 PM
Hi Rick,
I am only trying to do this on the vty line and not on the console.
Thanks,
Keith
01-29-2008 01:12 PM
Keith
Thanks for clearing this up. I have seen similar discussions where the issue was access via console.
So if you are doing it on the vty then perhaps you can post the configuration of your vty lines?
I see that you have authentication and authorization set up for ciscoadmins. Can you show us how and where this is defined?
HTH
Rick
01-29-2008 01:24 PM
Rick,
The "ciscoadmins" group is defined on my ACS SE appliance and authentication is working fine. The vty settings are:
line vty 0 4
exec-timeout 30 0
transport preferred ssh
Keith
01-29-2008 02:26 PM
Keith
I believe that the issue involves this line of the config:
aaa authorization exec ciscoadmins group tacacs+ local if-authenticated
It is creating a named method list for authorization. IOS wants to see that method list specified on your lines (or it wants to use the default method list). I suggest that you include this line under the vty lines:
authorization exec ciscoadmins
or use this line in the aaa section:
aaa authorization exec default group tacacs+ local if-authenticated
HTH
Rick
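Rick's point is that a named method list such as "ciscoadmins" does nothing until a line references it; otherwise IOS uses the "default" list for that function, or does no authorization at all if no default exists. As an added example (not part of the thread, and not Cisco's tooling), the Python checker below parses an IOS-style running-config, reports which list each line will actually use, and lists named method lists that are defined but applied nowhere. The sample configs are constructed to reproduce the poster's AAA block and vty lines, followed by the two fixes proposed above; the function names and the sample text are assumptions for illustration.

```python
"""Added example: find AAA method lists that are defined but never applied,
and show what each 'line' block will actually use. IOS behaviour modelled:
a line uses the list it names, else 'default' if one exists, else nothing."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample modelled on the original post: a named exec list exists,
# but 'line vty 0 4' never references it and no default exec list is defined.
BROKEN_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login ciscoadmins group tacacs+ local
aaa authentication enable default group tacacs+
aaa authorization config-commands
aaa authorization exec ciscoadmins group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 ciscoadmins group tacacs+ local
line con 0
line vty 0 4
 exec-timeout 30 0
 transport preferred ssh
"""
# Fix 1 (the one that worked in the thread): bind the named list on the vty lines.
FIXED_ON_LINE = BROKEN_CONFIG + " authorization exec ciscoadmins\n"
# Fix 2: define a default exec authorization list instead.
FIXED_BY_DEFAULT = BROKEN_CONFIG + \
    "aaa authorization exec default group tacacs+ local if-authenticated\n"

Kind = str  # "login", "exec" or "commands <level>"


def _global_def(cmd: str) -> Optional[Tuple[Kind, str]]:
    """Map a global 'aaa ...' command to (AAA function, list name)."""
    m = re.match(r"aaa authentication login (\S+)", cmd)
    if m:
        return "login", m.group(1)
    m = re.match(r"aaa authorization exec (\S+)", cmd)
    if m:
        return "exec", m.group(1)
    m = re.match(r"aaa authorization commands (\d+) (\S+)", cmd)
    if m:
        return f"commands {m.group(1)}", m.group(2)
    return None


def _line_ref(cmd: str) -> Optional[Tuple[Kind, str]]:
    """Map a line-mode command to the (AAA function, list name) it applies."""
    m = re.match(r"login authentication (\S+)", cmd)
    if m:
        return "login", m.group(1)
    m = re.match(r"authorization exec (\S+)", cmd)
    if m:
        return "exec", m.group(1)
    m = re.match(r"authorization commands (\d+) (\S+)", cmd)
    if m:
        return f"commands {m.group(1)}", m.group(2)
    return None


def parse_config(text: str) -> Tuple[Dict[Kind, Set[str]], Dict[str, Dict[Kind, str]]]:
    """Return (lists defined per function, lists applied per 'line ...' block)."""
    defined: Dict[Kind, Set[str]] = {}
    applied: Dict[str, Dict[Kind, str]] = {}
    block: Optional[str] = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith("line "):
            block = raw.strip()
            applied.setdefault(block, {})
        elif not raw[0].isspace():  # any other global command ends a line block
            block = None
            hit = _global_def(raw.strip())
            if hit:
                defined.setdefault(hit[0], set()).add(hit[1])
        elif block is not None:
            hit = _line_ref(raw.strip())
            if hit:
                applied[block][hit[0]] = hit[1]
    return defined, applied


def effective_lists(text: str) -> Dict[str, Dict[Kind, Optional[str]]]:
    """Per line block: the list each AAA function will use, or None for none."""
    defined, applied = parse_config(text)
    kinds = set(defined) | {k for refs in applied.values() for k in refs}
    out: Dict[str, Dict[Kind, Optional[str]]] = {}
    for block, refs in applied.items():
        out[block] = {k: refs.get(k, "default" if "default" in defined.get(k, set()) else None)
                      for k in kinds}
    return out


def unused_named_lists(text: str) -> Dict[Kind, List[str]]:
    """Named (non-default) lists that no line references: dead configuration."""
    defined, applied = parse_config(text)
    used: Dict[Kind, Set[str]] = {}
    for refs in applied.values():
        for kind, name in refs.items():
            used.setdefault(kind, set()).add(name)
    return {k: sorted(n for n in names if n != "default" and n not in used.get(k, set()))
            for k, names in defined.items()}


def findings(text: str) -> List[str]:
    """Warnings for vty lines without exec authorization and for unused named lists.
    Console lines are not flagged: authorization is off there by default anyway."""
    msgs = []
    for block, eff in effective_lists(text).items():
        if block.startswith("line vty") and eff.get("exec") is None:
            msgs.append(f"{block}: no exec authorization list, so the TACACS+ "
                        "priv-lvl=15 is never applied and 'enable' is still required")
    for kind, names in unused_named_lists(text).items():
        for name in names:
            msgs.append(f"named list '{name}' for {kind} is defined but applied to no line")
    return msgs


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed on line", FIXED_ON_LINE),
                       ("fixed by default", FIXED_BY_DEFAULT)):
        print(f"== {label} ==")
        for msg in findings(cfg) or ["no findings"]:
            print(" ", msg)
```

Run against a real `show running-config` saved to a file by calling `findings(open(path).read())`. On the constructed broken config it reports the vty exec gap plus the unused "ciscoadmins" lists; after either fix the vty warning disappears, while the unused login and commands-15 lists are still reported, since those named lists are likewise never bound to a line.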
01-30-2008 07:16 AM
Thanks Rick!
Adding the command "authorization exec ciscoadmins" to my vty lines resolved the problem.
Thanks again,
Keith
01-30-2008 09:38 AM
Keith
I am glad that you got your problem resolved. Thank you for using the rating system to indicate that your problem was resolved (and thanks for the rating). It makes the forum more useful when people can read about a problem and can know that they will read a solution to the problem.
The forum is an excellent place to learn about Cisco networking. I encourage you to continue your participation in the forum.
HTH
Rick
01-30-2008 10:37 AM
Rick,
I just learned about the NetPro Forum recently and the benefits paid off almost immediately. I have found more (additional) information inside the forum than was available on the Cisco Tech Support site. The creation of this forum was a great idea and people like yourself help make it a very valuable tool and information repository for others like myself. You can bet I will look here first when trying to resolve a problem in the future.
BTW, my first couple of Cisco classes were conducted by Chesapeake Computer Consultants in the mid/late '90s. They were a first-class organization and I am glad to see they weren't completely disbanded.
I also want to say "thanks" to the others who responded to my post and offered up suggestions and ideas. I was pleasantly surprised by how quickly the replies started coming in and by the number of responses. This is a great community!!!
Thanks again,
Keith
01-31-2008 08:19 PM
Keith
I am glad that you have discovered the forum and what a valuable resource it is. I am also glad that you recognize our corporate ancestry back to Chesapeake Computer Consultants. I taught for Chesapeake Computer Consultants and was with them as they became Mentor Technologies and then when they failed. A group of us who survived that started over as Chesapeake NetCraftsmen and we are proud of our heritage from Chesapeake Computer Consultants.
HTH
Rick
01-31-2008 03:57 PM
These commands and ACS configurations don't work with an ASA 5520. Any idea how to get it to work on an ASA 5520?