05-08-2019 01:46 AM
Dear Community
We are using tacacs+ for aaa purposes. Currently each user has to submit their own username and password to connect to our switches. Once they are authenticated, they immediately have access to the enable prompt.
Now we would like to force our users to re-enter their enable password again to get access to the enable prompt.
Is there any possible way to get this working?
Our tacacs+ configuration on the switches is as follows:
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization commands 1 default group tacacs+ local if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa authorization exec default group tacacs+ local if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
service password-encryption
ip tacacs source-interface Vlan1
tacacs-server host IP_OF_TACPLUS_SERVER single-connection key 0 cisco
tacacs-server directed-request
Thank you in advance for your help.
05-08-2019 03:23 AM
Change the privilege in the shell profile on the AAA server to
priv-lvl=1
max_priv_lvl=15
which will keep it in login mode by default.
05-08-2019 05:41 AM
Hello Aravind
Thank you for your answer. We are using tac_plus as an alternative. In tac_plus it's only possible to configure priv-lvl=1
I don't see the option max_priv_lvl=15
Is there any other way to configure it directly on the switch? Since this will be a test environment, it's only affecting one device.
05-12-2019 12:01 AM
tac_plus is not a Cisco product; please either read its documentation or seek support in its user communities.
3.3 Authentication to tac_plus.conf might be of interest.
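The approach discussed in this thread, as an added example that is not from any of the posters: a tac_plus.conf fragment, assuming the Shrubbery tac_plus daemon's syntax, in which exec authorization returns priv-lvl 1 so the session starts at the user prompt, and a per-user enable password is checked when the switch's existing "aaa authentication enable default group tacacs+ enable" line forwards the enable request to the server. The user name, group name, key and passwords are constructed placeholders.

```conf
# tac_plus.conf (Shrubbery tac_plus syntax assumed; all names and secrets
# below are placeholders constructed for this example)

# Must match the key on the switch's "tacacs-server host ... key" line.
key = "REPLACE_WITH_SHARED_KEY"

group = netops {
    # Returned during exec authorization ("aaa authorization exec" on the
    # switch): the session starts in user EXEC, level 1, not at the
    # enable prompt.
    service = exec {
        priv-lvl = 1
    }
}

user = alice {
    member = netops

    # Checked at login ("aaa authentication login default group tacacs+").
    # cleartext is used here for readability only; the daemon also accepts
    # hashed password specifications.
    login = cleartext "REPLACE_WITH_LOGIN_PASSWORD"

    # Checked when the user types "enable"
    # ("aaa authentication enable default group tacacs+ enable").
    enable = cleartext "REPLACE_WITH_ENABLE_PASSWORD"
}
```

Because the switch configuration above also authorizes level 1 and level 15 commands against the server, the group additionally needs whatever command permissions the site wants to grant; those are omitted here.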