10-05-2010 10:48 AM - edited 03-10-2019 05:28 PM
I am trying to set up a test environment where I need to be asked for both a username and password when entering enable mode from exec mode on a Cisco IOS router. I was told the only way to do that is through TACACS. But I've not seen any such configuration options on TACACS in order to set it up right. Has anyone ever done a setup like this before? I would appreciate any help on this. Thanks.
10-05-2010 03:19 PM
When the aaa authentication enable default group tacacs+ command, or an aaa authentication enable default group command that points to a TACACS+ server group, is configured, authentication happens using the username $enab15$, so you don't get the username prompt, only the password prompt.
https://supportforums.cisco.com/docs/DOC-4317;jsessionid=0AD3918732307A3063A5650DC50908C9.node0
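To make concrete what the router puts on the wire in this case, here is an added example (it is not from the thread, Cisco, or ACS): it builds and parses a TACACS+ authentication START packet in the RFC 8907 wire format, with the username field already filled in with $enab15$ and priv_lvl 15, as the reply above describes. The session id, shared key, port name and remote address are constructed sample values, and the parser is a hypothetical stand-in for what the TACACS+ server does after applying the shared key.

```python
import hashlib
import struct

# Constants from the TACACS+ protocol as documented in RFC 8907 (same wire
# format as the older draft that IOS 12.x implements).
TAC_PLUS_VERSION = 0xC0            # major version 0xC, minor 0
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_AUTHEN_LOGIN = 0x01       # action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01  # authen_type
TAC_PLUS_AUTHEN_SVC_ENABLE = 0x02  # service: enable
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
HEADER_LEN = 12

# Fixed username the reply above says IOS uses for enable authentication.
ENABLE_USERNAME = "$enab15$"


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5 keystream from RFC 8907 section 4.5:
    pad_1 = MD5(session_id, key, version, seq_no)
    pad_n = MD5(session_id, key, version, seq_no, pad_{n-1})"""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, last = b"", b""
    while len(pad) < length:
        last = hashlib.md5(prefix + last).digest()
        pad += last
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad. Symmetric, so it also de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user: str, priv_lvl: int, session_id: int, key: bytes,
                       port: str = "tty2", rem_addr: str = "192.0.2.10") -> bytes:
    """Authentication START as the NAS (router) sends it when entering enable.
    port and rem_addr defaults are constructed sample values."""
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), b""
    body = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                       TAC_PLUS_AUTHEN_SVC_ENABLE, len(u), len(p), len(r), len(d))
    body += u + p + r + d
    seq_no = 1                 # first packet of a session is always seq_no 1
    flags = 0                  # TAC_PLUS_UNENCRYPTED_FLAG clear: body is obfuscated
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, flags,
                         session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def parse_authen_start(packet: bytes, key: bytes) -> dict:
    """What the TACACS+ server sees once it applies the shared key."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        "!BBBBII", packet[:HEADER_LEN])
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    action, priv_lvl, authen_type, service, ulen, plen, rlen, dlen = struct.unpack(
        "!8B", body[:8])
    off, fields = 8, []
    for n in (ulen, plen, rlen, dlen):          # variable-length fields follow in order
        fields.append(body[off:off + n])
        off += n
    user, port, rem_addr, data = fields
    return {
        "type": ptype, "seq_no": seq_no, "action": action, "priv_lvl": priv_lvl,
        "authen_type": authen_type, "service": service,
        "user": user.decode("utf-8", errors="replace"),
        "port": port.decode("utf-8", errors="replace"),
        "rem_addr": rem_addr.decode("utf-8", errors="replace"),
        "data": data,
    }


if __name__ == "__main__":
    # Constructed values: the session id and key are samples, not from a real capture.
    pkt = build_authen_start(ENABLE_USERNAME, 15, session_id=0x1A2B3C4D, key=b"cisco")
    print(pkt.hex())
    print(parse_authen_start(pkt, b"cisco"))
```

The point to notice is that the username and privilege level are already in the START packet the router sends; the server can only answer against that field (GETPASS, PASS, FAIL), and nothing in the user's ACS entry changes what the NAS puts there. Also note that the body is only XORed with an MD5 keystream derived from the shared key (RFC 8907 calls this obfuscation, not encryption), so the value in tacacs-server key is the only thing protecting the enable password on the network.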
10-06-2010 10:25 AM
I do realise that, but that doesn't solve my problem. I have a customer who has this environment where the Cisco IOS router prompts for a username
and password upon entering enable mode. I'm trying to replicate that test environment. If the router accepts a default username from TACACS, that doesn't create the setup I'm looking to establish. Is there a way to set up TACACS to prompt for a username and password instead of using the default one?
10-06-2010 11:07 AM
Make sure your IOS is upgraded to the latest version and try the config below:
aaa authentication login default group tacacs+
aaa authentication enable default group tacacs+
tacacs-server host 10.76.86.85
tacacs-server directed-request
tacacs-server key cisco123
line vty 0 4
login authentication default
On ACS server under the user specify the enable password
10-06-2010 01:55 PM
I tried that. It wouldn't even give me a login prompt on telnet. It just connected and, after throwing me the start banner, timed out after a certain time. It never even asked me for a login.
10-07-2010 09:06 AM
Okay, now I've gotten it to where it's asking me for a username and password at exec level, but it still only asks me for the enable password. It still doesn't ask me for a username when I try to get into enable mode. Is there any group setting I need to change in order to accomplish that?
10-07-2010 10:37 AM
Now for the password prompt you need to enter the enable password you entered in the ACS user setup (enable password). Also you can turn on debug aaa authentication and debug tacacs to see more details.
10-07-2010 12:04 PM
I'm still confused. I don't know how to get it to throw the prompt for "username" at me when I try to enter enable mode. Did I miss something here?
10-07-2010 01:20 PM
Hello,
To clear up some confusion here, can you post the full show run from your device, minus the interface/ACL configuration for brevity, please?
--Jesse
10-07-2010 01:29 PM
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname 2621-3
!
boot-start-marker
boot system flash c2600-i-mz.123-26.bin
boot-end-marker
!
logging buffered 5001 debugging
no logging console
no logging monitor
enable password cisco
!
memory-size iomem 10
clock timezone CST -7
clock summer-time CST recurring
aaa new-model
aaa authentication login default local
aaa authentication enable default group tacacs+
aaa authorization exec default group tacacs+ local
aaa session-id common
ip subnet-zero
ip cef
!
!
no ip domain lookup
ip domain name int.voyence.com
ip name-server 192.168.21.5
!
!
key chain jetef
key 10
key-string c1sco
modemcap entry ZOOM
modemcap entry ZOOM
username jeff password 0 jeff
tacacs-server host 192.168.21.230 key cisco
tacacs-server host 10.6.230.32
tacacs-server directed-request
tacacs-server key dakey
line con 0
exec-timeout 15 0
logging synchronous
speed 115200
line aux 0
exec-timeout 15 0
password 7 104D000A0618
logging synchronous
modem InOut
modem autoconfigure discovery
terminal-type monitor
transport input all
stopbits 1
flowcontrol hardware
line vty 0 4
exec-timeout 15 0
password cisco
private
logging synchronous
!
10-07-2010 01:36 PM
Why are you trying to do local authentication to the router but TACACS+ authentication to the enable prompt?
You will not be prompted for a username when going into the enable prompt; in IOS, when going into enable, it will use the username you are currently logged in as and prompt for a password only.
I would suggest going with both exec and enable authentication using TACACS+ in this case as previously suggested:
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
--Jesse
10-07-2010 01:45 PM
I had done that before but it wasn't working. Okay, I tried it again and still no luck. It doesn't prompt me for a username again
on entering enable mode.
AUTHENTICATION REQUIRED
Username: uzma
Password:
=============================================================================
= REMINDER: All activities on this device are monitored =
= *** All changes MUST be approved prior to execution *** =
=============================================================================
2621-3>en
Password:
2621-3#
10-07-2010 01:53 PM
This is correct; as I stated in my previous post, you cannot accomplish what you are trying to do. In IOS the username you use to log in
to the router is ALWAYS used when you enter enable mode. If you want to change the user you are logged in as you will need to log out of the
router and log back in with the correct user.
--Jesse
10-07-2010 01:58 PM
Hmm, so you're saying what I'm trying to set up isn't possible? I'll check with
the customer as to how they have set this up. Thanks.