
The Need for Enable Password

Patrick McHenry
Level 3

Hi,

If all users that have access to the network equipment will be given level 15, is there any reason to have an enable password?

Just seems like another step to authenticate - and if we are using the same password for enable that we are for the login, I don't see the point.

Thanks, Pat.    

1 Accepted Solution


That's the expected behavior. If you want to change this behavior, then you are missing one command:

aaa authorization exec default group tacacs+ local

Use this command and let me know how it goes.


mauzamor
Level 1

Hi Patrick,

The enable password in this scenario may work as a fallback method, but it is up to you to decide this. In case you want to skip the enable password prompt, you can use the command:

aaa authorization exec default group tacacs+ local

This command will check the privilege level of each user and will put him into privilege mode right after the credentials have been checked.

This feature only works for IOS devices (the ASA or PIX doesn't have this feature).

Let me know if it helps.

Thanks Mauricio,

This is the config. We are trying to authenticate via tacacs that is configured to query AD. And, it is working great. I just want to make it so we can go directly into priv mode after logging in with username and password. Also, the username and password prompts aren't taking. I still get the login prompt.

aaa new-model
!
aaa authentication password-prompt Password:
aaa authentication username-prompt Username:
aaa authentication login default group tacacs+ local
aaa authentication login con group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
tacacs-server host 10.10.40.50 key 7 XXXXXXXXXXXXXXX
!
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXX
!
line con 0
 login authentication con
 no modem enable
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
line 3
 no exec
line vty 0 4
 length 0
 transport input ssh
!

Thanks again.

That's the expected behavior. If you want to change this behavior, then you are missing one command:

aaa authorization exec default group tacacs+ local

Use this command and let me know how it goes.
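
An added example, not part of the original thread: a small Python check that reads an IOS configuration and reports the missing exec authorization line named in the answer above, along with the fallback points raised earlier in the thread. The function names, the finding texts, and the sample values (192.0.2.10, PLACEHOLDER) are assumptions made for illustration.

```python
import re

# Constructed sample: the AAA-relevant lines of the config posted in the
# thread, with the server address and secrets replaced by placeholders.
THREAD_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login con group tacacs+ local
aaa authentication enable default group tacacs+ enable
tacacs-server host 192.0.2.10 key 7 PLACEHOLDER
enable secret 5 PLACEHOLDER
line con 0
 login authentication con
line vty 0 4
 transport input ssh
"""
ACCEPTED_FIX = "aaa authorization exec default group tacacs+ local\n"

def method_lists(config, service):
    """Map list name -> methods for lines like 'aaa <service> <name> <methods>'."""
    found = re.findall(rf"^aaa {service} (\S+) (.+)$", config, re.MULTILINE)
    return {name: methods.split() for name, methods in found}

def only_server_groups(methods):
    """True if every method is 'group <name>', so nothing works offline."""
    return all(m == "group" or (i > 0 and methods[i - 1] == "group")
               for i, m in enumerate(methods))

def audit_aaa(config):
    """Return findings about privilege assignment and fallback methods."""
    findings = []
    login = method_lists(config, "authentication login")
    enable = method_lists(config, "authentication enable")
    exec_authz = method_lists(config, "authorization exec")
    # Without exec authorization the privilege level held by the AAA server
    # is not applied at login, so the user still has to run 'enable'.
    if login and "default" not in exec_authz:
        findings.append("no default exec authorization: enable prompt remains")
    # A list made only of server groups fails closed when TACACS+ is down.
    for kind, lists in (("login", login), ("enable", enable),
                        ("exec authorization", exec_authz)):
        for name, methods in lists.items():
            if only_server_groups(methods):
                findings.append(f"{kind} list '{name}' has no fallback method")
    # The 'enable' fallback method needs an enable secret to compare against.
    uses_enable = any("enable" in methods for methods in enable.values())
    if uses_enable and not re.search(r"^enable (secret|password) ", config, re.M):
        findings.append("enable fallback set but no enable secret configured")
    return findings
```

Calling `audit_aaa(THREAD_CONFIG)` returns the single exec authorization finding, and `audit_aaa(THREAD_CONFIG + ACCEPTED_FIX)` returns an empty list.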

Thanks, Mauricio - it worked.

Patrick,

Excellent news, have a nice day.

Can you think of any reason that my prompt isn't changing?

It still says login as: Then, password:  instead of Username: then, Password:.

Thanks, pat.
