03-20-2005 12:07 PM - edited 03-10-2019 02:04 PM
I am running tac_plus on linux. I have basic configs in place and operating, but every time I telnet into a device I am presented with the User Exec prompt (router>) and I have to issue the enable command. I want to get set up so that I go straight to my aaa authentication username prompt. My aaa config is:
aaa new-model
aaa authentication login default group tacacs+ none
aaa authentication enable default group tacacs+ enab
aaa authorization config-commands
enable secret xxxx
TIA,
John
03-20-2005 06:20 PM
John
I have a couple of comments/questions about your situation.
- have you got a TACACS server configured on the router? If so, could you post that part of the config also?
- is there any sign on the TACACS server that it is getting any authentication request from the router?
- with this configuration I am surprised that you can access the router. When you configure aaa authentication login default group tacacs+ none, the none means that there is no backup method, and if you are not authenticated by the server, I would expect that you would be denied access to the router. I would suggest that it would be better to use aaa authentication login default group tacacs+ line. This will give you the backup method of using the line passwords on console or vty ports.
- it is possible to configure a different authentication method on the console port or on the vty ports. Could you post your configuration of the console and vty ports?
- it looks like there was a problem with cut and paste on the authorization command. Perhaps you could repost the config with the complete line.
- if you would run debug tacacs authentication and debug aaa authentication and post any output, it might help figure out what is happening in your situation.
HTH
Rick
03-20-2005 07:50 PM
Thanks for the reply, Rick.
- The tacacs+ server is authenticating my logins. I have a couple users set up on it and they all work.
- I have an enable secret set up for backup should my tacacs+ be unreachable. It has been tested and is working as configured.
- no authentication has been configured on any of the line ports
- the authorization command was as I had it, but I have since removed it. Currently I do not have authorization - trying to work out the issues with authentication first.
- config and debug (for one login) are posted as a reply in the next message.
I can't figure out why it connects in the User Exec mode and makes me type the enable command.
Thanks for looking.
John
03-20-2005 07:52 PM
03-22-2005 12:57 PM
John,
In your configuration of your TACACS+ server, do you have the privilege level defined for the specific user? Within the configuration for the user, you can define the privilege level that you want the user to go into. Setting it to 15 will take you directly into privileged exec mode without having to enter the enable command and log in a second time. Here is an example that may help from http://www.cisco.com/warp/public/480/PRIV.html
Stanza in TACACS+ freeware:
user = seven {
    login = cleartext seven
    service = exec {
        priv-lvl = 7
    }
}
The specific definition that is required in the TACACS+ user config is in bold in the example above.
Steve
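An added example, not taken from this thread or from the Cisco page Steve links: the tac_plus freeware stanza for a user who should land in privileged exec, beside the router lines that make it take effect. The router only learns priv-lvl through exec authorization, so an aaa authorization exec line is part of the picture; without it the router never asks the server for the exec service and drops the user at router>. The server address 192.0.2.10, the shared key and the user name are constructed placeholders.

```text
# --- tac_plus.conf (freeware tac_plus), constructed example ---
key = "EXAMPLE_SHARED_KEY"          # must match the router's tacacs-server key

user = john {
    login = cleartext "EXAMPLE_PASSWORD"   # use des/md5 hashes in real configs
    service = exec {
        priv-lvl = 15                      # returned on exec authorization -> router#
    }
}

# --- Router (IOS) side, constructed example ---
aaa new-model
tacacs-server host 192.0.2.10 key EXAMPLE_SHARED_KEY
# login: ask TACACS+ first, fall back to the line password (Rick's suggestion)
aaa authentication login default group tacacs+ line
aaa authentication enable default group tacacs+ enable
# exec authorization is what fetches priv-lvl from the server;
# if-authenticated keeps an authenticated user out of a lockout when the server is down
aaa authorization exec default group tacacs+ if-authenticated
```

Check it with debug aaa authorization and debug tacacs on the router: a successful EXEC authorization should show priv-lvl=15 coming back from the server, after which the login lands at router# with no enable step.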