12-07-2007 11:03 PM - edited 03-10-2019 03:33 PM
Hi there,
After going through some topics and trying everything I could find, I am relying on you all to help me further.
I have a switch with AAA configured for login via ACS with an AD account. All works fine via Telnet, but when connected to the console, I always end up at the non-enable prompt.
I have a local username and password on the device itself, which I can use to log in through Telnet, and it brings me straight into enable mode. But using this account on the console brings me to priv level 1. When typing ENABLE I can specify the password that belongs to this local account, but it is not accepted. Instead I get:
Username: admin
Password:
switch>ena
Password:
% Error in authentication.
switch>
Pasted below you can find my current config regarding the login methods:
aaa new-model
aaa authentication fail-message ^C
User Authentication has failed. If you are not an authorized user,
please disconnect immediately.
Any unauthorized access attempts will be investigated and will be
subject to prosecution under local laws and ordinances.
^C
aaa authentication login default group tacacs+ local
aaa authentication login console group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 5 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization commands 15 console group tacacs+ local
aaa authorization network default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
aaa session-id common
line con 0
login authentication console
stopbits 1
line vty 0 4
password 7 02115C0918030C71424A1A
line vty 5 15
password 7 0718791E5D0C1A55191618
!
Anybody any suggestions for me to try out?
12-08-2007 07:07 PM
Jorge
There are a couple of aspects of your situation which I am puzzled about. Your post talks about logging in and seems to indicate that you are logging in using a local account. But the config is quite clear that TACACS is the primary authentication method. Is the TACACS server running and is the router using TACACS?
If the TACACS server is running and is communicating with the router, I am guessing that the local user ID is also a user ID that is configured in TACACS. This would explain why authentication would work. Can you clarify this? And if this is the case I would guess that the user ID is not configured in TACACS to have enable mode access.
On the possibility that the router is not communicating with the TACACS server I would suggest that you try using the enable secret (or enable password - whichever you have configured) rather than the user password at the prompt for enable mode.
The other part of your question is clearer. Your question says that when you login through vty you go straight to enable mode but on the console you go to privilege level 1. This is intentional behavior on the router. Going straight into enable mode is a function of authorization (in addition to authentication). And by default Cisco does this for vty and does not do this for the console (the danger of locking yourself out of the router if something is misconfigured is significant). If you are confident of the configuration and want to go directly into enable mode on the console you can use this (hidden) command under line con 0:
aaa authorization console
HTH
Rick
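As an added example (not from the original post or from Rick's reply), the console-related part of the posted configuration with the missing piece filled in, showing why the local account's password is never consulted at the enable prompt and what makes the console honour exec authorization like the vty lines; the enable secret, the admin password and the `privilege 15` on the local account are placeholders and assumptions, and the TACACS+ server group is assumed to exist already.

```cisco
! Added example, not the poster's running config. Placeholder values are
! marked <...>; the TACACS+ servers and server group are assumed to exist.
aaa new-model
!
! Login authentication as posted. The enable method list below tries
! TACACS+ first and then the device's enable secret; a local username's
! password is never one of the enable methods, so typing it at the
! "switch>ena" prompt yields "% Error in authentication".
aaa authentication login console group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
! Exec authorization is applied to vty sessions by default but is skipped
! on the console line unless this global command is present. With it,
! the console uses the default exec list, so a user that TACACS+ (or the
! local database, when TACACS+ is unreachable) marks as privilege 15
! lands in enable mode directly instead of at privilege level 1.
aaa authorization console
aaa authorization exec default group tacacs+ local
!
! Local fallback for when the TACACS+ servers cannot be reached.
! The enable secret is what the enable prompt accepts in that case.
enable secret <ENABLE-SECRET-PLACEHOLDER>
username admin privilege 15 secret <ADMIN-PASSWORD-PLACEHOLDER>
!
line con 0
 login authentication console
 stopbits 1
```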