11-11-2002 05:34 AM - edited 02-21-2020 10:05 AM
I've managed to configure TACACS+ authentication for telnet sessions to some network devices and it works great. The only problem is that when you switch to enable mode, you need to specify the local enable password.
Is there a way to configure a device so that once a user is authenticated via tacacs+, they will no longer need to provide any more passwords?
Cheers
11-11-2002 06:21 AM
Yes, use:
aaa authorization exec default tacacs+
and assign the user/group privilege level 15
11-11-2002 07:53 AM
I've added that into the config on the switch, now I cannot get telnet access, just get 'authorization failed' message. I can still gain access through the console though. What has happened? Here's the current config:
aaa new-model
aaa authentication login default group tacacs+
aaa authorization exec default group tacacs+
aaa authorization network default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
enable secret 5 $1$DC0B******************
enable password *******************
If I take out the line "aaa authorization exec default group tacacs+", I can then telnet into the box again.
Here's the debug info for aaa authorization when that line is added:
18:22:29: AAA: parse name=tty1 idb type=-1 tty=-1
18:22:29: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 channel=0
18:22:29: AAA/MEMORY: create_user (0x80E58080) user='' ruser='' port='tty1' rem_addr='172.17.4.10' authen_type=ASCII service=LOGIN priv=1
18:22:43: tty1 AAA/AUTHOR/EXEC (2173575078): Port='tty1' list='' service=EXEC
18:22:43: AAA/AUTHOR/EXEC: tty1 (2173575078) user='carlina'
18:22:43: tty1 AAA/AUTHOR/EXEC (2173575078): send AV service=shell
18:22:43: tty1 AAA/AUTHOR/EXEC (2173575078): send AV cmd*
18:22:43: tty1 AAA/AUTHOR/EXEC (2173575078): found list "default"
18:22:43: tty1 AAA/AUTHOR/EXEC (2173575078): Method=tacacs+ (tacacs+)
18:22:43: AAA/AUTHOR/TAC+: (2173575078): user=carlina
18:22:43: AAA/AUTHOR/TAC+: (2173575078): send AV service=shell
18:22:43: AAA/AUTHOR/TAC+: (2173575078): send AV cmd*
18:22:44: AAA/AUTHOR (2173575078): Post authorization status = FAIL
18:22:44: AAA/AUTHOR/EXEC: Authorization FAILED
18:22:46: AAA/MEMORY: free_user (0x80E58080) user='carlina' ruser='' port='tty1' rem_addr='172.17.4.10' authen_type=ASCII service=LOGIN priv=1
Thanks for any help you could provide.
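An added example for reading the debug output above (it is not part of the thread and not Cisco's code): a small Python parser that correlates `debug aaa authorization` lines by session id and lists the EXEC authorizations the TACACS+ server rejected. The sample lines are constructed to mirror the format quoted in the post; the second session for user `bob`, its `PASS_ADD` status, the `processing AV priv-lvl=15` line and the `172.17.4.11` address are assumptions added to show the passing case, not lines from the post.

```python
import re

# Constructed sample input mirroring the `debug aaa authorization` format
# quoted in the thread. The tty2/bob session is assumed for contrast.
SAMPLE_DEBUG = """\
18:22:29: AAA: parse name=tty1 idb type=-1 tty=-1
18:22:29: AAA/MEMORY: create_user (0x80E58080) user='' ruser='' port='tty1' rem_addr='172.17.4.10' authen_type=ASCII service=LOGIN priv=1
18:22:43: tty1 AAA/AUTHOR/EXEC (2173575078): Port='tty1' list='' service=EXEC
18:22:43: AAA/AUTHOR/EXEC: tty1 (2173575078) user='carlina'
18:22:43: tty1 AAA/AUTHOR/EXEC (2173575078): send AV service=shell
18:22:43: tty1 AAA/AUTHOR/EXEC (2173575078): send AV cmd*
18:22:43: tty1 AAA/AUTHOR/EXEC (2173575078): found list "default"
18:22:43: tty1 AAA/AUTHOR/EXEC (2173575078): Method=tacacs+ (tacacs+)
18:22:43: AAA/AUTHOR/TAC+: (2173575078): user=carlina
18:22:43: AAA/AUTHOR/TAC+: (2173575078): send AV service=shell
18:22:43: AAA/AUTHOR/TAC+: (2173575078): send AV cmd*
18:22:44: AAA/AUTHOR (2173575078): Post authorization status = FAIL
18:22:44: AAA/AUTHOR/EXEC: Authorization FAILED
18:22:46: AAA/MEMORY: free_user (0x80E58080) user='carlina' ruser='' port='tty1' rem_addr='172.17.4.10' authen_type=ASCII service=LOGIN priv=1
18:25:00: AAA/MEMORY: create_user (0x80E58F00) user='' ruser='' port='tty2' rem_addr='172.17.4.11' authen_type=ASCII service=LOGIN priv=1
18:25:01: tty2 AAA/AUTHOR/EXEC (2173575099): Port='tty2' list='' service=EXEC
18:25:01: AAA/AUTHOR/EXEC: tty2 (2173575099) user='bob'
18:25:01: tty2 AAA/AUTHOR/EXEC (2173575099): Method=tacacs+ (tacacs+)
18:25:01: AAA/AUTHOR/TAC+: (2173575099): user=bob
18:25:02: AAA/AUTHOR (2173575099): Post authorization status = PASS_ADD
18:25:02: AAA/AUTHOR/EXEC (2173575099): processing AV priv-lvl=15
"""

# Patterns for the line shapes we care about. The session id in parentheses
# ties the AUTHOR lines together; AAA/MEMORY lines carry no session id, so
# the remote address is joined to a session through its port name instead.
PORT_LINE = re.compile(r"AAA/AUTHOR/EXEC \((\d+)\): Port='([^']*)'")
USER_LINE = re.compile(r"AAA/AUTHOR/EXEC: (\S+) \((\d+)\) user='([^']*)'")
METHOD_LINE = re.compile(r"\((\d+)\): Method=(\S+)")
STATUS_LINE = re.compile(r"AAA/AUTHOR \((\d+)\): Post authorization status = (\S+)")
PRIV_LINE = re.compile(r"\((\d+)\): processing AV priv-lvl=(\d+)")
MEMORY_LINE = re.compile(r"AAA/MEMORY: (?:create|free)_user \(0x[0-9A-Fa-f]+\).*?port='([^']*)' rem_addr='([^']*)'")


def _new_session():
    return {"port": None, "user": None, "method": None,
            "status": None, "priv_lvl": None, "rem_addr": None}


def parse_author_debug(text):
    """Return {session_id: {...}} built from debug aaa authorization output."""
    sessions = {}
    port_addr = {}  # port name -> remote address, from AAA/MEMORY lines
    for line in text.splitlines():
        m = MEMORY_LINE.search(line)
        if m:
            port_addr[m.group(1)] = m.group(2)
            continue
        m = PORT_LINE.search(line)
        if m:
            sessions.setdefault(m.group(1), _new_session())["port"] = m.group(2)
            continue
        m = USER_LINE.search(line)
        if m:
            s = sessions.setdefault(m.group(2), _new_session())
            s["port"], s["user"] = m.group(1), m.group(3)
            continue
        m = METHOD_LINE.search(line)
        if m:
            sessions.setdefault(m.group(1), _new_session())["method"] = m.group(2)
            continue
        m = STATUS_LINE.search(line)
        if m:
            sessions.setdefault(m.group(1), _new_session())["status"] = m.group(2)
            continue
        m = PRIV_LINE.search(line)
        if m:
            sessions.setdefault(m.group(1), _new_session())["priv_lvl"] = int(m.group(2))
    for s in sessions.values():
        s["rem_addr"] = port_addr.get(s["port"])
    return sessions


def failed_exec_authorizations(sessions):
    """Sessions whose EXEC authorization the AAA server answered with FAIL."""
    return [(sid, s) for sid, s in sessions.items() if s["status"] == "FAIL"]


def describe(sid, s):
    """One-line summary suitable for a troubleshooting note."""
    return (f"session {sid}: user={s['user']} port={s['port']} from={s['rem_addr']} "
            f"method={s['method']} status={s['status']} priv-lvl={s['priv_lvl']}")


if __name__ == "__main__":
    parsed = parse_author_debug(SAMPLE_DEBUG)
    for sid, s in failed_exec_authorizations(parsed):
        print("EXEC authorization rejected by server ->", describe(sid, s))
```

The useful signal is the pair `send AV service=shell` followed by `Post authorization status = FAIL`: the switch reached the server and the server, not the switch, refused the exec session, so the fix belongs in the server's shell/exec authorization for the user's group, as the reply above describes. The console still worked because IOS does not apply AAA authorization to the console line unless `aaa authorization console` is configured, which is also why it remains a safe way back in while testing an authorization list.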
11-11-2002 07:57 AM
11-11-2002 08:50 AM
Excellent, thanks for the info, now managed to get this working as I wanted it.
So if I have a bunch of admins I want to assign level 15 access, I can just add them into an appropriately configured user group on the AAA server, yes?
11-11-2002 04:49 PM
You got it, just assign priv 15 to the group.