rkoudmani
Beginner

TACACS+ Configuration

Hello,

I am trying to build a tacacs+ config to roll out on my network devices.  I have an ACS doing the authentication.  What I would like to do is have the ACS authenticate my users and their enable access.  However I would like to leave console access using both the local username and the local enable password in order that I have a backdoor in case of future issues.  I have all this working except the ability to go into enable mode from console using the local enable password.  I get an auth error as I think the device is trying to ACS auth the enable password due to this:

aaa authentication enable default group tacacs+ enable

I can get around it by applying a privilege level 15 to the line to come straight into enable mode but it seems less secure.

Any ideas?

Here are the relevant bits of my config (and I do have a local username and enable defined):

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login console local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local none
aaa authorization exec console local
aaa authorization commands 0 default group tacacs+ local none
aaa authorization commands 1 default group tacacs+ local none
aaa authorization commands 15 default group tacacs+ local none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common

line con 0
password 7 <xxx>
login authentication console

Thanks in advance

Accepted Solution
Jagdeep Gambhir
Advocate

Hi Rasheed,

Unfortunately, there is no way to apply a specific method list for the enable authentication to apply to the console.

Named method lists for enable authentication are not supported.

Regards,
~JG

Do rate helpful posts


2 Replies
Thanks for the quick response.
