TACACS+ authentication asking for enable password -- CISCO ACS

joseluis (Level 1)

Hi Cisco Community,

I'm new to configuring TACACS; I hope you can help me.

I have an issue: every time I log in using my TACACS+ account, it still asks me for the enable password.

Based on the config below, which command here still asks me for the enable password? Or should I delete the enable password itself to bypass that?

My goals are:

1. Whenever I log in with my TACACS+ account credentials, I can proceed straight to privileged mode and the device should not ask for the enable password.

2. Are all the commands here necessary? If not, can you help me identify which commands are unnecessary for achieving goal 1?

CONFIG:

aaa new-model
aaa group server tacacs+ default
server 172.x.x.x
!
aaa group server tacacs+ ciscosecure
server 172.x.x.x.x
!
aaa authentication login default group tacacs+ line
aaa authentication login console line none
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ none 
aaa authorization commands 15 default group tacacs+ none 
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
aaa session-id common
!
tacacs-server host 172.x.x.x
tacacs-server directed-request
tacacs-server key 7 030A0B090A1A2F481D1B
radius-server source-ports 1645-1646

Accepted Solution (paul)

The only setting that absolutely has to have a backup method of local is your authentication line. That is what allows the device to fail back to the local user database. Accounting would never really have a backup method. For authorization you can use none, local, or if-authenticated, and they will all let you in, I believe. The best choice is local, though, because it will also take the privilege level you set on the local username and pass you into the # prompt if you want.

I would also start using the newest-style syntax if your devices support it. Here is the newest style:

username <backdoor account> privilege 15 secret 0 <password>
!
tacacs server SERVER-1
  key 0 <TACACS Key>
  address ipv4 <IP>
  single-connection
!
tacacs server SERVER-2
  key 0 <TACACS Key>
  address ipv4 <IP>
  single-connection
!
aaa group server tacacs+ TACACS
  server name SERVER-1
  server name SERVER-2
  ip tacacs source-interface <source VLAN/interface>
!
aaa authentication login default group TACACS local
aaa authorization exec default group TACACS local
aaa authorization commands 15 default group TACACS if-authenticated
! aaa authorization config-commands (I don't use this unless there is a specific use case)
aaa accounting exec default start-stop group TACACS
aaa accounting commands 0 default stop-only group TACACS
aaa accounting commands 1 default stop-only group TACACS
aaa accounting commands 15 default stop-only group TACACS

Replies
Cory Peterson (Level 5)

You need to set this in ISE:

[Screenshot_1.png]

Hi Cory,

Apparently I'm using an old version of ACS. :(

paul (Level 10)

Actually, you are missing the key line that does privilege-level modification:

aaa authorization exec default group tacacs+ none

Also, I would question why you are authorizing level 0 commands. There are no commands there that can make any changes or hurt the functioning of the device. I usually authorize level 15, but account for 0, 1 and 15.

Finally, do you have a use case to specifically authorize configuration commands?
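The two points made in this thread (the missing `aaa authorization exec` line from paul's reply above, and the accepted solution's rule that authentication and exec authorization should fall back to `local` with a privilege 15 local account) can be checked mechanically against a running-config. The script below is an added example for this thread, not Cisco's or any poster's code. It lints the OP's posted config (abridged) and a filled-in copy of the accepted solution's config; the account name, secret, TACACS+ key, 192.0.2.10 address and Vlan10 source interface in that copy are assumed placeholder values. One side note on the posted config: a `key 7` string is only obfuscated, not encrypted, so a key pasted into a public thread should be treated as disclosed and rotated.

```python
"""Added example for this thread (not Cisco code or any poster's): lint an IOS
AAA config for the "TACACS+ login still prompts for enable" problem and for a
working local fallback when the TACACS+ servers are unreachable."""
import re

# The OP's posted config, abridged (addresses were already masked in the post).
ORIGINAL_CONFIG = """
aaa new-model
aaa authentication login default group tacacs+ line
aaa authentication login console line none
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
tacacs-server host 172.x.x.x
"""

# The accepted solution's config with placeholders filled in. The account name,
# secret, key, 192.0.2.10 and Vlan10 are assumed values for this example only.
FIXED_CONFIG = """
username admin privilege 15 secret 0 ChangeMe-123
!
tacacs server SERVER-1
  key 0 ExampleTacacsKey
  address ipv4 192.0.2.10
  single-connection
!
aaa group server tacacs+ TACACS
  server name SERVER-1
  ip tacacs source-interface Vlan10
!
aaa authentication login default group TACACS local
aaa authorization exec default group TACACS local
aaa authorization commands 15 default group TACACS if-authenticated
aaa accounting exec default start-stop group TACACS
aaa accounting commands 15 default stop-only group TACACS
"""


def config_lines(config):
    """Non-empty lines with indentation and '!' separators removed."""
    stripped = (raw.strip() for raw in config.splitlines())
    return [l for l in stripped if l and not l.startswith("!")]


def method_list(line, prefix):
    """Method list after `prefix`, keeping 'group <name>' as one entry so that
    membership tests for 'local' / 'none' / 'line' are exact."""
    tokens = iter(line[len(prefix):].split())
    methods = []
    for tok in tokens:
        methods.append("group " + next(tokens, "") if tok == "group" else tok)
    return methods


def first_line(lines, prefix):
    """First line starting with `prefix`, or None if absent."""
    return next((l for l in lines if l.startswith(prefix)), None)


def check_aaa(config):
    """Return (code, message) findings. Empty means a TACACS+ user granted
    priv-lvl 15 lands at the # prompt and a local account still works when
    TACACS+ is unreachable."""
    lines = config_lines(config)
    findings = []

    login_prefix = "aaa authentication login default"
    login = first_line(lines, login_prefix)
    if login is None:
        findings.append(("NO_LOGIN_LIST", "no '%s' method list" % login_prefix))
    elif "local" not in method_list(login, login_prefix):
        findings.append(("NO_LOCAL_LOGIN_FALLBACK", "login methods %s never consult "
                         "the local user database" % method_list(login, login_prefix)))

    # Without EXEC authorization IOS never applies the priv-lvl the TACACS+ server
    # returns, so the session starts at > and 'enable' asks for the enable password.
    exec_prefix = "aaa authorization exec default"
    exec_authz = first_line(lines, exec_prefix)
    if exec_authz is None:
        findings.append(("NO_EXEC_AUTHZ", "no '%s': TACACS+ privilege level is never "
                         "applied, so IOS prompts for the enable password" % exec_prefix))
    elif "local" not in method_list(exec_authz, exec_prefix):
        findings.append(("EXEC_AUTHZ_NOT_LOCAL", "exec authorization ends in '%s'; "
                         "'local' honours the local username's privilege level when "
                         "TACACS+ is down" % method_list(exec_authz, exec_prefix)[-1]))

    if not any(re.match(r"username \S+ privilege 15\b", l) for l in lines):
        findings.append(("NO_LOCAL_PRIV15_USER",
                         "no local 'username <name> privilege 15' account to fall back to"))

    if first_line(lines, "aaa authorization commands 0 "):
        findings.append(("LEVEL0_CMD_AUTHZ", "privilege-0 commands cannot change the "
                         "device; account for them rather than authorizing them"))
    return findings
```

Run against the OP's config, `check_aaa` reports the login list falling back to `line` instead of `local`, the missing exec authorization line, the absence of a privilege 15 local user, and the level 0 command authorization; against the accepted solution's config it reports nothing. The check is deliberately text-based so it can be run on a `show running-config | section aaa|username` dump from a backup without touching the device.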

I missed that one, thanks Paul!

Hi Paul,

I just saw the configuration here and am also planning to remove the "0" since it can't do anything.

aaa authorization exec default group tacacs+ none --> for this one, shouldn't I use local instead of none in all my configs? So if the TACACS server is down, I can still access the device using the local password?

Yep, local is good. None works too, but I usually use local. I must have copied from an old template.

Yes sir, but that's the use of "local", right? If the TACACS server is not reachable from the network device, it will use the local credentials. If I use the "none" command and the device cannot reach the TACACS server, it will not look for the local credentials either, so there is no way of accessing it? Please correct me if I'm wrong.

I haven't used none in a while, but I believe you are saying don't run authorization exec. Local allows you to set a privilege level on your back-door account and go right to # when TACACS is down.

Sorry, can you elaborate more please? I'm new to the TACACS topic. Your feedback is highly appreciated :)



(paul's reply here is the accepted solution shown above.)
Hi Paul,

I appreciate your answer so much. Thank you, sir!