Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4211
Views
15
Helpful
7
Replies

Use AD account for auth with separate enable password stored on ACS

Go to solution
aaron.g.fletcher
Level 1
Level 1

‎05-23-2013 07:40 AM - edited ‎03-10-2019 08:27 PM

Hello,

I am running ACS 5.3 and have setup an external identity store to match on active directory groups to allow authentication to my infrastructure devices.  I would also like to have the enable password setup within ACS so I can change it on ACS instead of having to touch every single device.

I have been searching around and find that I can use the following command:

aaa authentication enable default group tacacs+ enable

My question is how do I setup a unique enable password within ACS and still be able to match on the initial login with my AD Account?  I have been unable to locate any documentation specific to 5.x that shows how to do this.  Is it even possible?

Thanks,

Aaron

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee
In response to aaron.g.fletcher

‎05-23-2013 12:56 PM

aaa authentication login default group tacacs+ local

The above command prompt you to enter the AD username and password. In case tacacs goes down, it will accept the local username / password defined on the IOS device due to the presence of local keyword at last as a failover method.

username: AD-username

password: AD-password

aaa authentication enable default group tacacs+ enable

The above command will ask you to enter the enable password the one you used above. In case tacacs is down and no communication with AD. It will accept the enable password defined on the IOS device due to the presence of enable keyword at last as a failover method.

Let me know if you have any questions.

Jatin Katyal

- Do rate helpful posts -

~Jatin

View solution in original post

Go to solution
jrabinow
Level 7
Level 7
In response to aaron.g.fletcher

‎05-26-2013 05:19 AM

Not sure if this is what you are looking but it is possible to define a condition in the device admin authentication policy so that will be directed to a different identity store if is an enable request

I think the attribute to be used in the condition in the authenticaiton policy is the "Service" attribute in the "TACACS+" dictionary. Can compare value for this attribute against "Enable" value that is presented in the list of enumerated attributes

View solution in original post

7 Replies 7

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee

‎05-23-2013 08:19 AM

The command you mentioned would server the same purpose. If you're using AD then your enable password would be same as login password.

Even if you create the same user on ACS internal database and select the external database to check password against it. The enable password field will be disabled.

You may read more about it.

www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/users_id_stores.html#wp1127594

Jatin Katyal
- Do rate helpful posts -

~Jatin

Go to solution
aaron.g.fletcher
Level 1
Level 1
In response to Jatin Katyal

‎05-23-2013 09:45 AM

@Jatin, I appreciate your quick response.

Ok.  I think I am starting to understand it.  The aaa authentication enable default group tacacs+ enable command will do either:

Login with AD credentials to user exec mode.  Then type enable, then use the same AD credentials to get to priv exec mode, or

Login with a Local ACS user, then type enable (with the enable password setup on the local ACS account)

But can not do the following:

Login with AD credentials to user exec mode, then have a single enable password (like the local enable password, but stored in ACS local user database) to get you into priv exec mode.

It is sounding like I can't do the last scenario. 

My idea of thinking that way is that we have a central enable password that can be changed in one place, instead of touching 500+ devices individually when that password needs to be changed.

Thanks,

Aaron

0 Helpful

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee
In response to aaron.g.fletcher

‎05-23-2013 12:56 PM

aaa authentication login default group tacacs+ local

The above command prompt you to enter the AD username and password. In case tacacs goes down, it will accept the local username / password defined on the IOS device due to the presence of local keyword at last as a failover method.

username: AD-username

password: AD-password

aaa authentication enable default group tacacs+ enable

The above command will ask you to enter the enable password the one you used above. In case tacacs is down and no communication with AD. It will accept the enable password defined on the IOS device due to the presence of enable keyword at last as a failover method.

Let me know if you have any questions.

Jatin Katyal

- Do rate helpful posts -

~Jatin

Go to solution
kumarraj1
Level 1
Level 1
In response to Jatin Katyal

‎05-12-2016 06:46 AM

Hi Jatin,

I have run the command aaa authentication enable default group tacacs+ enable and saved on switch. but still not able to login with my AD account.

on other network switch on same network i can login with AD.

please your advise.

0 Helpful

Go to solution
jrabinow
Level 7
Level 7
In response to aaron.g.fletcher

‎05-26-2013 05:19 AM

Not sure if this is what you are looking but it is possible to define a condition in the device admin authentication policy so that will be directed to a different identity store if is an enable request

I think the attribute to be used in the condition in the authenticaiton policy is the "Service" attribute in the "TACACS+" dictionary. Can compare value for this attribute against "Enable" value that is presented in the list of enumerated attributes

Go to solution
aaron.g.fletcher
Level 1
Level 1

‎06-06-2013 02:08 PM

Thank you to all that have responded to this post. 

I took bits from each of the posts to engineer a way to allow for a locally stored enable password within ACS while using AD credentials to initally log into the device.

I created local users (in ACS) for each user that would need to have enable access to the device.  I then created a rule in my identity section of the Access policy for look for

(TACACS+:Authen-Type match ASCII And (TACACS+:Service match Enable And TACACS+:Action match Login)), then pointed it to the internal users identity source that would match on the AD account name.  Anything else will default to my external AD identity source.

Again, thank you for your responses. 

Aaron

0 Helpful

Go to solution
ahmad.ramzee
Level 1
Level 1
In response to aaron.g.fletcher

‎11-20-2014 12:40 AM

Aaron,

 

Now you are able to login to any device using AD credentials with enable password configure manually in ACS?

 

You mention that you created a local user in ACS, does the local username is same with AD username? And the local user password where did you pointed to, internal identity or external identity?

 

I also face the same issue. Hope can get a better view from your side.

 

Thanks.

 

Ramzee

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents