Tacacs:enable password in acs 5.3

Jonn cos
Level 4

Hi all,

Can someone please guide me on how to configure authentication of the enable password using ACS 5.3? I have installed ACS 5.3, created a user and gave the relevant passwords. The following config is done on the router:

aaa new-model

aaa authentication login default group tacacs+ local

aaa authen enable default group tacacs+ enable

tacacs-server host x.x.x.x key xxxxx

Now when I telnet to the router, I can authenticate username/pass with ACS 5.3, but when I try to enter the enable command and give the password, it gives me an error in authentication. Can someone guide me through the process of configuring enable passwords?


Amjad Abdullah
VIP Alumni

Hello Jonn,

Are you using the same user password for the enable password, or are you using a separate password?

What is the error message you see when you try to provide the enable password? What logs do you see on the ACS?

Does the local enable password work after successful authentication via TACACS+?

Rating useful replies is more useful than saying "Thank you"

1) I am using a separate password for enable

2) When I type enable after successfully authenticating username/pass, it gives "Error in authentication"

3) Logs show "13029 Requested privilege level too high"

Good Day,

Try changing the privilege level to 15 and test, it should work..!

Thank you.

I have already done that but still no use

Good Day,

I created a policy using the following configuration settings: -

Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles

I then reference the shell profile in the following menu: -

Access Policies > Access Services > Default Device Admin > Authorization

From here if you select Rule 1 for editing you can change the Identity Group (The ID group is the same as that configured under the user you added). Also within Rule 1 you can specify the "shell Profile" that you want to use.

Also do not forget to add the configuration you need on your network device, I have the following configuration: -

aaa new-model

aaa authentication login default group tacacs+

aaa authentication enable default group tacacs+

It should be worth noting that under the common task tab within the shell profile, I can successfully login as the user that I have added with the default privilege being set to "not in use" (if this is set to 15 - when the user logs in they will be taken directly into exec privilege mode without having to enter the "enable" command) and the maximum privilege set to 15. If maximum privilege is set to anything less than 15, I cannot get in to exec privilege mode (enable mode).

Further to this you can also add command set rules, for example, I have blocked the user from being able to enter the "show clock" command. This can be done by adding the rules you want to permit/deny in Policy Elements > Authorization and Permissions > Device Administration > Command Sets and again, like the shell profile, referencing the command set you have created in Access Policies > Access Services > Default Device Admin > Authorization. With this you would also need to add the following commands on your network device: -

aaa authorization commands 1 default group tacacs+ if-authenticated none

This all seems to work for me, but I still have a way to go with the testing and trying to understand exactly what it is that I am doing.

I am using ACS 5.1. Hope this helps.

Thank you.

shailesh.pawar
Level 1

Hi all,

Can anyone please tell me about the installation process of TACACS on Windows?

What does TACACS actually do?

Also please give me information about how to configure and use tacacs.

Thanks in advance..