836 Views, 0 Helpful, 7 Replies

Privileged EXEC authentication bypassed on 1841 router

asbhawaii1
Level 1

I'm having a problem with our new 1841 routers bypassing the privileged Exec authentication on the initial login. (IOS 12.4(2)T and 12.3(11)T3 w/ACS Ver 3.2(2) Build 5)

The following commands work in our other routers.

aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization network default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+

Any ideas?

7 Replies

Richard Burts
Hall of Fame

I do not have a clear understanding of your problem. You talk about bypassing the privileged Exec authentication. I am not sure whether you want users to go directly to privileged mode and they are not, or whether you want the router to ask for the privileged-mode password to authenticate and it is not.

If we understood better what the problem is we could do better in finding an answer.

If the problem is that you want users to go directly to privileged mode and they are not, is this happening on the console or on the vty ports?

HTH

Rick


Hi Rick,

Thanks for your response. The problem is that I don't want users to go directly to privileged mode. Users need to be authenticated first. In our case the privileged-mode authentication requires a SecurID token.

In general, the user logs on to the router to get to user mode (Active Directory), then authenticates again (SecurID) to get to privileged mode.

The commands work the way described above on our 1600, 1700, 2500, 2600, 3600, 3700 and 7200 routers but do not work on the 1841. When users log in to the 1841 expecting to be in user mode, they bypass the privileged-mode authentication.

Thanks for your help.

Bryan

Bryan

Thanks for the clarification of the problem. If it works correctly on other routers, then I believe we can assume that it is not something misconfigured in ACS. Therefore we can assume that it is probably something configured on the 1841. (I find it extremely difficult to imagine that the 1841 IOS would work differently from other routers.) Perhaps if you post the config of the 1841 we can help find the issue.

HTH

Rick


Rick,

I'm not allowed to post the full config, but here is the AAA portion. This is the portion from the 1841; we cut and pasted it from a working router. We are using (C1841-ENTBASE-M), Version 12.4(2)T, but we also had the same problem with 12.3(11)T3 and 12.3(14)T1.

aaa new-model
!
aaa authentication banner #WARNING#
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization network default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
aaa session-id common
!
tacacs-server host X.X.X.X
tacacs-server key KEY

Hope this provides enough information.

Bryan

Bryan

Thanks for posting this. What I really want to see, in addition to this, is the config of the console and the vty ports. If you are restricted about what you can post on the forum, would it be any easier to email it to me privately? (My email address is available through my forum profile.)

And while I am at it, I have a couple of clarification questions:

- is the behavior the same for all users or is this happening to some but not all users?

- is this happening on console, vty, any other connectivity?

- are you sure that users are being authenticated by this TACACS+ server? (Do authentications show up in the ACS reports of successful authentications?)

- is there anything in the TACACS+ definitions for this router that is different from the definitions for the other routers?

HTH

Rick


Rick,

Problem resolved!!! You led me to the problem. On the vty lines "privilege level 15" was configured. Once I removed this, the login worked as desired.

Thank you for your patience and help.

Bryan
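The fix above is easy to miss in a long running-config, so here is an added example (not code from the thread or from Cisco) of the check a practitioner would script before trusting that `aaa authentication enable` is actually reached: it parses the `line con`/`line vty` stanzas of an IOS config and flags any stanza whose `privilege level` puts the user straight into privileged EXEC at login. The WEAK_CONFIG is constructed for the example: it combines the AAA block Bryan posted with a hypothetical vty stanza carrying the `privilege level 15` he found, and the TACACS+ host 192.0.2.10 is a placeholder. It goes slightly beyond the thread by flagging any level above the default of 1, since a line-level privilege of 2 through 14 likewise grants those levels without passing through the enable method list.

```python
"""Audit an IOS config for line stanzas that bypass enable authentication.

Added example, not from the original thread. The config text below is
constructed: Bryan's AAA block plus a hypothetical vty stanza that carries
the ``privilege level 15`` he reported. The TACACS+ host is a placeholder.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

WEAK_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
tacacs-server host 192.0.2.10
tacacs-server key KEY
!
line con 0
 login authentication default
line vty 0 4
 privilege level 15
 transport input ssh
line vty 5 15
 transport input ssh
!
end
"""

# The corrected config: the same text with the offending line removed, so a
# login still goes to TACACS+ but privileged EXEC needs the enable step.
FIXED_CONFIG = WEAK_CONFIG.replace(" privilege level 15\n", "")


@dataclass
class LineBlock:
    """One ``line ...`` stanza and the indented commands under it."""
    name: str                                 # e.g. "vty 0 4"
    commands: list[str] = field(default_factory=list)


def parse_line_blocks(config: str) -> list[LineBlock]:
    """Collect every ``line`` stanza; an unindented line ends the stanza."""
    blocks: list[LineBlock] = []
    current: LineBlock | None = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = LineBlock(raw[len("line "):].strip())
            blocks.append(current)
        elif raw.startswith(" ") and current is not None:
            current.commands.append(raw.strip())
        else:                                 # "!", "end" or a global command
            current = None
    return blocks


def has_enable_authentication(config: str) -> bool:
    """True when a default ``aaa authentication enable`` method list exists."""
    return any(
        re.match(r"aaa authentication enable default\s+\S", ln.strip())
        for ln in config.splitlines()
    )


def find_enable_bypass(config: str) -> list[tuple[str, int]]:
    """Return (stanza, level) for every line whose privilege level exceeds 1.

    Level 1 is the IOS default for a freshly authenticated EXEC session; any
    higher level set on the line is granted at login, so the enable method
    list is never consulted for the commands at that level.
    """
    findings: list[tuple[str, int]] = []
    for block in parse_line_blocks(config):
        for cmd in block.commands:
            m = re.match(r"privilege level (\d+)$", cmd)
            if m and int(m.group(1)) > 1:
                findings.append((block.name, int(m.group(1))))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{label}: enable auth defined={has_enable_authentication(cfg)}"
              f" bypass={find_enable_bypass(cfg)}")
```

Run it against the output of `show running-config` to get a list of stanzas to fix. One caveat the config alone cannot show: the same "straight into privileged mode" behaviour also results when the TACACS+ server returns a priv-lvl=15 attribute in the exec authorization reply, so if this check comes back clean and the symptom persists, look at the ACS group/user settings next.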

Bryan

I suspected that would be what we would find. Congratulations on finding and fixing the problem.

I encourage you to continue to participate in the forum.

HTH

Rick
