11-19-2012 04:35 AM - edited 03-10-2019 07:48 PM
Hi,
If all users that have access to the network equipment will be given level 15, is there any reason to have an enable password?
Just seems like another step to authenticate - and if we are using the same password for enable that we are for the login, I don't see the point.
Thanks, Pat.
11-19-2012 06:40 AM
Hi Patrick,
The enable password in this scenario may work as a fallback method, but it is up to you to decide this. In case you want to skip the enable password prompt, you can use the command:
aaa authorization exec default group tacacs+ local
This command will check the privilege level of each user and will put him into privilege mode right after the credentials have been checked.
This feature only works for IOS devices (the ASA or PIX doesn't have this feature).
Let me know if it helps.
11-19-2012 06:56 AM
Thanks Mauricio,
This is the config. We are trying to authenticate via tacacs that is configured to query AD. And, it is working great. I just want to make it so we can go directly into priv mode after logging in with username and password. Also, the username and password prompts aren't taking. I still get the login prompt.
aaa new-model
!
aaa authentication password-prompt Password:
aaa authentication username-prompt Username:
aaa authentication login default group tacacs+ local
aaa authentication login con group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
tacacs-server host 10.10.40.50 key 7 XXXXXXXXXXXXXXX
!
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXX
!
line con 0
 login authentication con
 no modem enable
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
line 3
 no exec
line vty 0 4
 length 0
 transport input ssh
!
Thanks again.
11-19-2012 08:08 AM
That's the expected behavior. If you want to change this behavior, then you are missing one command:
aaa authorization exec default group tacacs+ local
Use this command and let me know how it goes.
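An added example, not part of the original thread or Cisco's tooling: a small Python audit that reads an IOS config and reports, per line, which exec authorization method list applies, so you can see where a TACACS+ assigned privilege level will actually take effect. The names `parse`, `audit`, `SAMPLE`, `FIX` and `NO_AUTHZ` are hypothetical, the sample config is constructed from the one posted above, and the console check reflects the IOS behaviour that exec authorization is not applied on the console unless `aaa authorization console` is configured, which the thread itself does not discuss.

```python
import re

# Constructed sample modelled on the configuration posted in this thread,
# with the one-space indentation IOS prints under each "line" block.
SAMPLE = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login con group tacacs+ local
aaa authentication enable default group tacacs+ enable
line con 0
 login authentication con
line vty 0 4
 transport input ssh
"""
FIX = "aaa authorization exec default group tacacs+ local\n"
NO_AUTHZ = "no exec authorization: server-assigned privilege level not applied"

def parse(config):
    """Split a config into global commands and {line header: [subcommands]}."""
    global_cmds, blocks, current = [], {}, None
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text == "!":
            continue
        if raw.startswith("line "):
            current = blocks.setdefault(text, [])
        elif current is not None and raw[0] == " ":
            current.append(text)
        else:
            current = None
            global_cmds.append(text)
    return global_cmds, blocks

def audit(config):
    """Map each line that offers an EXEC session to its exec authorization methods."""
    global_cmds, blocks = parse(config)
    lists = dict(m.groups() for m in
                 (re.match(r"aaa authorization exec (\S+) (.+)", g) for g in global_cmds) if m)
    console_authz = "aaa authorization console" in global_cmds
    report = {}
    for header, subs in blocks.items():
        if "no exec" in subs:
            continue  # no EXEC session is offered on this line
        named = [s.split()[2] for s in subs if s.startswith("authorization exec ")]
        methods = lists.get(named[0] if named else "default")
        if header.startswith("line con") and not console_authz:
            methods = None  # IOS skips console authorization unless enabled globally
        report[header] = methods or NO_AUTHZ
    return report
```

Running `audit(SAMPLE)` flags both the console and the vty lines; prepending `FIX` clears the vty lines only, which is why keeping an enable secret as the console fallback still makes sense.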
11-19-2012 10:51 AM
Thanks, Mauricio - it worked.
11-19-2012 10:55 AM
Patrick,
Excellent news, have a nice day.
11-19-2012 11:08 AM
Can you think of any reason that my prompt isn't changing?
It still says login as: Then, password: instead of Username: then, Password:.
Thanks, pat.