Enable password for (Router, Switches) is working fine if identify source is "Internal Users", unfortunately after completed the integration between ACS to MS AD, and change the Identity source to "AD1" I got the following result
1. able to access network device (cisco switch) using MS AD username and password via SSH/Telnet.
2. Enable password is not working (using the same user password configured in MS AD.
3. When I revert back and change the ACS identity source from "AD1" to "Internal Users" enable password is working fine.
Switch Tacacs Configuration
| aaa new-model |
| ! |
| aaa authentication login default none |
| aaa authentication login ACS group tacacs+ local |
| aaa authentication enable default group tacacs+ enable |
| aaa authorization exec ACS group tacacs+ local |
| aaa authorization commands 15 ACS group tacacs+ local |
| aaa accounting exec ACS start-stop group tacacs+ |
| aaa accounting commands 15 ACS start-stop group tacacs+ |
| aaa authorization console |
| ! |
| aaa session-id common |
| ! |
| tacacs-server host 10.X.Y.11 |
| tacacs-server timeout 20 |
| tacacs-server directed-request |
| tacacs-server key gacakey |
!
| line vty 0 4 |
| session-timeout 5 |
| access-class 5 in |
| exec-timeout 5 0 |
| login authentication ACS |
| authorization commands 15 ACS |
| authorization exec ACS |
| accounting commands 15 ACS |
| accounting exec ACS |
| logging synchronous |
This is my first ACS - AD integration experience, hoping to fix this issue with your support, thanks in advance.
Regards,
