
TACACS+ force enable secret

musystec
Level 1

Dear Community

We are using TACACS+ for AAA purposes. Currently each user has to submit their own username and password to connect to our switches. Once they are authenticated, they immediately have access to the enable prompt.

Now we would like to force our users to re-enter their enable password to get access to the enable prompt.

Is there any possible way to get this working?

Our TACACS+ configuration on the switches is as follows:

 

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization commands 1 default group tacacs+ local if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa authorization exec default group tacacs+ local if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
service password-encryption
ip tacacs source-interface Vlan1
tacacs-server host IP_OF_TACPLUS_SERVER single-connection key 0 cisco
tacacs-server directed-request

Thank you in advance for your help.

1 Accepted Solution

tac_plus is not a Cisco product; please either read its documentation or seek support in its user communities.

Section 3.3, Authentication, of tac_plus.conf might be of interest.

3 Replies

Change the privilege level in the shell profile on the AAA server as

priv-lvl=1
max_priv_lvl=15

which will keep it in login mode by default.

-Aravind

Hello Aravind

Thank you for your answer. We are using tac_plus as an alternative. In tac_plus it's only possible to configure priv-lvl=1.

I don't see the option max_priv_lvl=15.

Is there any other way to configure it directly on the switch? Since this will be a test environment, it's only affecting one device.

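Aravind's shell-profile approach carried over to tac_plus, as an added example that is not from the original thread or from the tac_plus project itself. The shell service returns priv-lvl 1, so after login the switch's exec authorization (`aaa authorization exec default group tacacs+ ...`) drops the user into user EXEC; typing `enable` then triggers the switch's `aaa authentication enable default group tacacs+ enable` line, which tac_plus answers with the password of the special `$enable$` user. tac_plus.conf has no max_priv_lvl keyword; the "ceiling" is simply whether enable authentication succeeds, so nothing further is needed on the switch. The group name netops, the user alice and the password hashes are placeholders, the key matches the `key 0 cisco` in the posted switch config and should be changed to something non-guessable on both sides, and the syntax follows the Shrubbery tac_plus.conf conventions; check it against section 3.3 of the tac_plus.conf man page for the version you run.

```conf
# tac_plus.conf - added example (Shrubbery tac_plus syntax), not from the thread.
# Names, hashes and the key are placeholders.

key = "cisco"          # must match "tacacs-server host ... key 0 cisco" on the switch

# Answered when the switch sends an enable-authentication request
# (aaa authentication enable default group tacacs+ enable).
# The hash is a placeholder; generate a real one with tac_pwd.
user = $enable$ {
    login = des "sqmVZFXxZVZrk"
}

group = netops {
    default service = permit
    service = shell {
        # Land the user in user EXEC (priv 1). No max_priv_lvl exists here;
        # reaching priv 15 requires passing enable authentication.
        set priv-lvl = 1
    }
}

user = alice {
    member = netops
    login = des "sqmVZFXxZVZrk"   # placeholder hash
}
```

Two things to verify on the test switch after reloading tac_plus: first, that `show privilege` reports level 1 right after login and 15 only after `enable`; second, that a local `enable secret` is configured, because the posted method list falls back to the local enable password only when no TACACS+ server is reachable, not when tac_plus rejects the attempt.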