Telnet brings me only to "User Mode", not to Privileged

bpotschien
Level 1

Hi there,

I'm testing ACS 3.2 with a 2600 router, IOS 12.3(6). When I telnet to the router, the user/password prompt appears. I can log in, but I only get to user mode.

I want to log in with user/password and get to privileged mode automatically. Any ideas? Is this an ACS or a router problem?

Here is the config:

aaa authentication login default group tacacs+ line
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa session-id common
tacacs-server host x.x.x.x
tacacs-server directed-request
tacacs-server key xxxx
line vty 0 4
 login authentication default

Thank you!!

Accepted Solution

gfullage
Cisco Employee

You have exec authorization which is fine, you just need to define on the ACS server the privilege level to put the user into.

Under the user or group config on the ACS server, in the TACACS+ Settings section, check both the Shell (exec) box and the Privilege Level box, and set the level to 15. You should then go straight into exec mode on the router.

Note that if you don't see the Shell (Exec) TACACS section under the User config, go under Interface Configuration - TACACS (Cisco IOS) menu and check the User column next to Shell (exec).

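What those two ACS checkboxes amount to on the wire, as an added illustration that is not part of the original thread: the server's TACACS+ authorization reply for the shell service carries the attribute priv-lvl=15, and IOS places the session at that level because of the "aaa authorization exec default group tacacs+ ..." line in the router config. The fragment below expresses the same setting in the configuration syntax of the open-source tac_plus daemon (an assumed stand-in for illustration; ACS keeps this in its GUI, not in a file like this). The username, password and key are constructed for the example.

```text
# tac_plus.conf (constructed example, not an ACS file): the equivalent of
# ACS's "Shell (exec)" + "Privilege Level 15" TACACS+ settings.
key = "xxxx"                      # must match "tacacs-server key" on the router

group = netadmins {
    # Returned in the authorization reply for the shell service. IOS reads
    # priv-lvl and drops the user straight into privilege level 15 instead
    # of user mode (level 1).
    service = exec {
        priv-lvl = 15
    }
    # The router in the thread also has "aaa authorization commands 15 ...
    # group tacacs+", so every level-15 command is sent to the server for
    # authorization; without a permit rule they would all be denied.
    default service = permit
}

user = bpotschien {
    login = cleartext "constructed-password"   # constructed for the example
    member = netadmins
}
```

On the router, "show privilege" right after the Telnet login should report "Current privilege level is 15". If it still reports 1, "debug aaa authorization" shows the attributes the server returned in its reply, which is the quickest way to tell a missing priv-lvl (server side) from a missing "aaa authorization exec" line (router side).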

4 Replies


This is exactly what I have been struggling to get working also. I am a new user of ACS and just trying to get used to it. Your post has been a great help and the login is working perfectly now over Telnet.

Any reason why this doesn't work over the console? I am testing on a 1601.

Thanks for all your help

Authorization on the console port is turned off by default, even if you have it turned on using the standard "aaa authorization ..." command. This was done on purpose because too many people locked themselves out of their routers when configuring authorization, and we wanted the console to always be available as a last resort to get in. We figured that if a hacker has access to your console port, you have a lot more to worry about than them logging into your router.

If you really, really, really want to enable authorization on the console port, first make 100% sure it's all working correctly on the VTY ports, then add the hidden command:

aaa authorization console

and it should start working.
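The order of operations the reply recommends, written out as an added IOS configuration example that is not part of the original thread. It starts from the asker's config, adds a local fallback account (the username and secret are constructed for the example) so the router stays reachable if the TACACS+ server is down or misconfigured, proves the setup on the VTYs, and only then enables console authorization. Note that the asker's "line" and "if-authenticated" fallbacks mean that, with the server unreachable, anyone holding the line password gets an exec session with all commands authorized; the "local" method below restricts the fallback to the named local account instead.

```text
! 1. Local safety net first: consulted only when TACACS+ is unreachable.
!    (username and secret are constructed for this example)
username admin privilege 15 secret ChangeMe123!
!
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa session-id common
!
tacacs-server host x.x.x.x
tacacs-server key xxxx
!
! 2. Prove it on the VTYs before touching the console: telnet in from a
!    SECOND session while keeping the first one open, run "show privilege"
!    and expect "Current privilege level is 15". Then shut the server off
!    (or block it) and confirm the local "admin" account still gets in.
line vty 0 4
 login authentication default
 authorization exec default
 authorization commands 15 default
!
! 3. Only now extend authorization to the console. Without this hidden
!    command IOS ignores exec/command authorization on line con 0 even
!    though the global "aaa authorization ..." lines are present.
aaa authorization console
line con 0
 login authentication default
 authorization exec default
 authorization commands 15 default
!
! 4. Back-out, typed from the VTY session that is still open, if the
!    console test locks you out:
!    no aaa authorization console
```

Keep the VTY session from step 2 open for the whole of step 3; it is the path back in if the console stops accepting logins, which is exactly the lock-out the default behaviour is there to prevent.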

Hi,

thank you for your comment. This is the solution!