01-29-2013 07:24 PM - edited 03-10-2019 08:01 PM
Hi all,
Can someone pls guide me how to configure authentication of enable password using acs 5.3. I have installed acs 5.3 and created user and gave relevant passwords. Following config is done on router
aaa new-model
aaa authentication login default group tacacs+ local
aaa authen enable default group tacacs+ enable
tacacs-server host x.x.x.x key xxxxx
Now when i telnet router, i can authenticate username/pass with acs5.3 but when i try to enter enable command and give password, it gives me error in authentication. Can someone guide me the process of configuring enable passwords
 
					
				
		
01-29-2013 10:12 PM
Hello Jonn,
Are you using same user passwrod for enable password? or you are using separate password?
What is the error message you see when you try to provide the enable password? What logs you see on the ACS?
Does the local enable password work after successfuly authentication via TACACS+?
Rating useful replies is more useful than saying "Thank you"
01-29-2013 11:20 PM
1) I am using seperate password for enable
2) When i type enable after successfully authenticating username/pass it gives "Error in authentication"
3) Logs show " 13029 Requested privilege level too high"
01-29-2013 11:23 PM
Good Day,
Try change privilage leel to 15 and test, it should work..!
Thank you.
01-29-2013 11:30 PM
I have already done that but still no use
01-29-2013 11:43 PM
Good Day,
I created a policy using the following configuration settings: -
Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles
I then reference the shell profile in the following menu: -
Access Policies > Access Services > Default Device Admin > Authorization
From here if you select Rule 1 for editing you can change the Identity Group (The ID group is the same as that configured under the user you added). Also within Rule 1 you can specify the "shell Profile" that you want to use.
Also do not forget to add the configuration you need on your network device, I have the following configuration: -
aaa new-model
aaa authentication login default group tacacs+
aaa authentication enable default group tacacs+
It should be worth noting that under the common task tab within the shell profile, I can successfully login as the user that I have added with the default privilege being set to "not in use" (if this is set to 15 - when the user logs in they will be taken directly into exec privilege mode without having to enter the "enable" command) and the maximum privilege set to 15. If maximum privilege is set to anything less than 15, I cannot get in to exec privilege mode (enable mode).
Further to this you can also add command sets rules, for example, I have blocked the user from being able to enter the "show clock" command. This can be done by adding the rules you want to permit/deny in Policy Elements -> Authorization and Permissions -> Device Administration -> Command Sets and again like the shell referencing the command set you have created in Access Policies > Access Services > Default Device Admin > Authorization, with this you would also need to add the following commands on your network device: -
aaa authorization commands 1 default group tacacs+ if-authenticated none
This all seems to work for me, but I still have a way to go with the testing and trying to understand exactly what it is that I am doing.
I am using ACS 5.1. Hope this helps.
Thank you.
02-05-2013 02:21 AM
Hi all,
Can anyone please tell me about installation procees of TACACS on windows ?
What TACACS actually do ?
Also please give me information about how to configure and use tacacs.
Thanks in advance..
 
					
				
				
			
		
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide