TACACS+ ACS 3.3, PRIV 15 <enable mode> direct login

cgravell
Level 1

Hi,

I want to create a user with priv 15 that can login directly to the enable mode prompt from any AAA client.

Currently, the user logs in to the device then has to authenticate a second time (same PAP password) to gain priv 15.

Is a direct login possible?

Thanks

9 Replies

Collin Clark
VIP Alumni

Router# config t
Router(config)# line vty 0 4
Router(config-line)# privilege level 15

Hope that helps.

Farrukh Haroon
VIP Alumni

You can assign privilege level 15 to all users by applying the solution given by Collin.

Alternatively you can set the privilege level 15 via either TACACS or RADIUS.

aaa authorization exec VTY group ...

Regards

Farrukh

Thanks for tips.

The group that you speak of, Farrukh - is this the same group that I create on the ACS?

I create one user and put it in one group on ACS platform - for RANCID backup of config files.

If I add the line that you suggest to the devices, then anyone in that group will go straight to enable mode at login? This is the way that I want to do it...

Cheers,

Chris

Yup, they will go straight to enable mode. If you need help in configuring it, just let me know the protocol you are using (TAC/RAD) and I would be glad to help.

Regards

Farrukh

Hi Farrukh,

So that you are clear about what I want to do:

I work for an ISP that has just merged with another.

1st ISP uses RADIUS and collects configs via RANCID for its AS.

2nd ISP uses TACACS+ CSACS 3.3 and doesn't use RANCID to collect configs.

So, I create a user and group on CSACS - same user, password as RADIUS for CSACS in the 2nd ISP.

I want to use that user in AS1 to collect configs from AS2 as well.

But in AS2 CSACS TACACS+ won't let me do that in the web-based config.

So, if it is an AAA client config change that is required - let me know what i should put in!

I'll try tomorrow what you suggest, but if you have anything to add it would be interesting to know (I am studying for R&S and SP CCIE presently ;-)).

Cheers,

Chris


Ok great! Please have a look at this link:

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008009465c.shtml

You would be looking at the procedure described in the "Cisco Secure NT TACACS+" section.

Regards

Farrukh

Farrukh....

I'm trying to do this as well and haven't gotten it to work yet. I'd like a single user to access enable mode directly via their TACACS+ account. Please provide the ACS setup to do this, and also the config lines needed in the network device.

Thanks!

Hi,


Here are the IOS commands,


Router(config)# username [username] secret [password]
! "secret" stores a hash; the older "password" form stores a reversible string
Router(config)# tacacs-server host [ip]
Router(config)# tacacs-server key [key]
Router(config)# aaa new-model
Router(config)# aaa authentication login default group tacacs+ local
Router(config)# aaa authorization exec default group tacacs+ if-authenticated



Bring users or groups to level 15
    1.  Go to user or group setup in ACS
    2.  Drop down to "TACACS+ Settings"
    3.  Place a check in "Shell (Exec)"
    4.  Place a check in "Privilege level" and enter "15" in the adjacent field



Regards,

~JG


Do rate helpful posts!
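What Farrukh's "set the privilege level 15 via TACACS" and JG's ACS steps amount to on the wire is the ACS answering the router's exec authorization request with a PASS reply that carries the attribute priv-lvl=15. The Python below is an added example, not code from the thread, from ACS or from IOS: it encodes, obfuscates and decodes a TACACS+ authorization REPLY using the packet layout and MD5 body obfuscation of RFC 8907, then extracts the privilege level the way a router would. The shared key, session id and sample attributes are constructed for the example.

```python
"""Added example (not from the original thread): TACACS+ authorization REPLY
carrying priv-lvl=15, built and parsed per RFC 8907.  Key, session id and
attribute values below are constructed for illustration."""
import hashlib
import struct
from typing import List, Optional

# Constants from RFC 8907
TAC_PLUS_VERSION = 0xC << 4               # major 0xC, minor 0 -> 0xC0
TAC_PLUS_AUTHOR = 0x02                    # packet type: authorization
TAC_PLUS_UNENCRYPTED_FLAG = 0x01          # body is sent in the clear
TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01
TAC_PLUS_AUTHOR_STATUS_PASS_REPL = 0x02
TAC_PLUS_AUTHOR_STATUS_FAIL = 0x10

HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, n: int) -> bytes:
    """MD5 keystream of RFC 8907 s.4.5: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_i = MD5(session_id, key, version, seq_no, MD5_{i-1}); concatenated and cut to n."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < n:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:n]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pad; applying it twice restores the plaintext."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_author_reply(status: int, args: List[str], server_msg: bytes = b"", data: bytes = b"") -> bytes:
    """REPLY body: status, arg_cnt, server_msg_len, data_len, arg_len[], server_msg, data, args."""
    raw = [a.encode() for a in args]
    if len(raw) > 255 or any(len(a) > 255 for a in raw):
        raise ValueError("arg_cnt and each arg_len are single bytes")
    head = struct.pack("!BBHH", status, len(raw), len(server_msg), len(data))
    return head + bytes(len(a) for a in raw) + server_msg + data + b"".join(raw)


def parse_author_reply(body: bytes) -> dict:
    """Decode a REPLY body; the final offset check rejects truncated or padded bodies."""
    if len(body) < 6:
        raise ValueError("short body")
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    off = 6
    lens, off = list(body[off:off + arg_cnt]), off + arg_cnt
    server_msg, off = body[off:off + msg_len], off + msg_len
    data, off = body[off:off + data_len], off + data_len
    args = []
    for n in lens:
        args.append(body[off:off + n].decode())
        off += n
    if off != len(body):
        raise ValueError("length fields do not match body")
    return {"status": status, "args": args, "server_msg": server_msg, "data": data}


def wrap_packet(body: bytes, session_id: int, key: bytes, seq_no: int) -> bytes:
    """Prepend the 12-byte header and obfuscate the body with the shared key."""
    hdr = HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_AUTHOR, seq_no, 0, session_id, len(body))
    return hdr + obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def unwrap_packet(packet: bytes, key: bytes) -> dict:
    """Validate the header, de-obfuscate unless the unencrypted flag is set, parse the body."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:]
    if ptype != TAC_PLUS_AUTHOR or version != TAC_PLUS_VERSION or len(body) != length:
        raise ValueError("not a well-formed authorization packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return parse_author_reply(body)


def split_arg(arg: str):
    """Split 'name=value' (mandatory) or 'name*value' (optional) at the first separator."""
    for i, ch in enumerate(arg):
        if ch in "=*":
            return arg[:i], arg[i + 1:]
    return arg, ""


def granted_priv_lvl(reply: dict) -> Optional[int]:
    """Level the router applies to the exec session: only from a PASS reply and
    only from a priv-lvl attribute whose value is a level 0-15."""
    if reply["status"] not in (TAC_PLUS_AUTHOR_STATUS_PASS_ADD, TAC_PLUS_AUTHOR_STATUS_PASS_REPL):
        return None
    for arg in reply["args"]:
        name, value = split_arg(arg)
        if name == "priv-lvl" and value.isdigit() and 0 <= int(value) <= 15:
            return int(value)
    return None


# Constructed sample values (not real): shared key, session id, reply sequence number.
KEY = b"example-shared-key"
SESSION_ID = 0x1A2B3C4D
REPLY_SEQ_NO = 2  # the router's request is seq 1, the server's reply is seq 2


def example_grant() -> Optional[int]:
    """Group has Shell (Exec) + Privilege level 15 ticked: PASS_ADD with priv-lvl=15."""
    body = build_author_reply(TAC_PLUS_AUTHOR_STATUS_PASS_ADD, ["priv-lvl=15"])
    return granted_priv_lvl(unwrap_packet(wrap_packet(body, SESSION_ID, KEY, REPLY_SEQ_NO), KEY))


def example_denied() -> Optional[int]:
    """Shell (Exec) not granted: FAIL reply, no level applied."""
    body = build_author_reply(TAC_PLUS_AUTHOR_STATUS_FAIL, [], server_msg=b"shell not permitted")
    return granted_priv_lvl(unwrap_packet(wrap_packet(body, SESSION_ID, KEY, REPLY_SEQ_NO), KEY))


def example_wrong_key() -> Optional[int]:
    """A reply de-obfuscated with the wrong key decodes to garbage, never to a level."""
    body = build_author_reply(TAC_PLUS_AUTHOR_STATUS_PASS_ADD, ["priv-lvl=15"])
    pkt = wrap_packet(body, SESSION_ID, KEY, REPLY_SEQ_NO)
    try:
        return granted_priv_lvl(unwrap_packet(pkt, b"not-the-key"))
    except ValueError:  # includes UnicodeDecodeError
        return None


if __name__ == "__main__":
    print("granted:", example_grant(), "denied:", example_denied(), "wrong key:", example_wrong_key())
```

Two caveats follow from the code. The level comes only from a PASS reply, so with the `if-authenticated` fallback in JG's config a server that is unreachable lets the exec session through without any priv-lvl, and the user lands at the line's default level (1, unless `privilege level 15` is set on the vty as in Collin's answer, which applies to everyone on that line regardless of what the server says). And the body obfuscation is MD5 keystream XOR keyed on the shared secret, not encryption, so the key must be strong and the unencrypted flag must stay clear, or priv-lvl=15 travels in the clear.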