cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2102
Views
35
Helpful
6
Replies

User privilege when authenticatio tacacs login

Questions
Beginner
Beginner

When I login to the console,

I can login,However,

I can login to the user mode.

After that, the enable mode cannot login to the enable password.

 

but login with SSH, I will be logged in enable mode.

 

console > login > user mode( switch> ) > enable password not used

ssh > login > enable mode( switch# ) > That's normal

 

 

configuration

aaa group server tacacs+ test
 server-private 0.0.0.0 timeout 1 key 7 000000000000000
 
 aaa authentication login default group test local
 aaa authentication login Console local
 aaa authentication enable default group test line
 aaa authorization console
 aaa authorization exec default group test local
 aaa authorization exec Console local
 aaa authorization commands 0 Console none
 aaa authorization commands 1 Console none
 aaa authorization commands 8 default group test local if-authenticated
 aaa authorization commands 15 default group test local if-authenticated
 aaa authorization commands 15 Console none
 aaa accounting exec default start-stop group test
 aaa accounting commands 8 default start-stop group test

 aaa accounting commands 15 default start-stop group test

 

line con 0
 exec-timeout 5 0 
 authorization commands 0 Console 
 authorization commands 1 Console
 authorization commands 15 Console
 authorization exec Console
 logging synchronous
 login authentication Console
 stopbits 1
line vty 0 4
 access-class 50 in vrf-also
 password 7 08325F4D1A0E0C031103
 logging synchronous
 transport input ssh

 

Although the same applies to other switches.

Only this switch operates abnormally.

I don't know because I've never used tacacs,

I have to set privilege in tacacs?

 

1 Accepted Solution

Accepted Solutions

howon
Cisco Employee
Cisco Employee

You will need to send default priv level 15 from ISE. Maybe possible you have different policy for this specific device on ISE. Other possibility is the work 'Console'. I would check to see if use of the word are identical between this device and the others working as expected especially around case sensitivity as lowercase 'console' is a special keyword with certain commands.

View solution in original post

6 Replies 6

Amine ZAKARIA
Beginner
Beginner

Hello @Questions ,

 

Because you have enable set to tacacs first then line "aaa authentication enable default group test line"

 

Try to create the local user with priviliege 15 and test "username You_User privilege 15 secret Your_Pass"

That should takes you directly to # 

 

That part is weird.
I applied

"line vty"

"authorization exc Console"

"login authentication Console"

but I log in using tacacs.

Dustin Anderson
Contributor
Contributor

So, we don't call out priv for console, we have everything default and tacacs works for SSH and console the same. Here is part of our default config we use on switches.

 

line con 0
length 54
logging synchronous
login authentication default
exec-timeout 15
authorization exec default
logging console 2

line vty 0 15
length 54
logging synchronous
exec-timeout 15
transport input ssh
access-class 10 in vrf-also

 

aaa authentication login default group ISETacacs local
aaa authorization exec default group ISETacacs local if-authenticated
aaa authorization network default group ISERadius local
aaa authorization config-commands
aaa authentication dot1x default group ISERadius
aaa accounting dot1x default start-stop group ISERadius
aaa accounting update newinfo periodic 2880
aaa session-id common
aaa authorization console
aaa accounting update periodic 5
aaa accounting system default start-stop group ISETacacs
aaa authorization commands 1 default group ISETacacs local
aaa authorization commands 8 default group ISETacacs local
aaa authorization commands 15 default group ISETacacs local
aaa accounting commands 1 default start-stop group ISETacacs
aaa accounting commands 8 default start-stop group ISETacacs
aaa accounting commands 15 default start-stop group ISETacacs

 

In ISE, we use the Default Privilege in the profile to set their level.

I have another question

There are about 30ea switcht applied with the same config, but only this switch has a problem.
If this is the case, is there a problem with setting up the tacacs server?

Hi @Questions,

Next to what @howon already mentioned, I would also check software version on this switch and compare it with working ones. I've seen in the past that some software versions misbehave with TACACS+ (and with RADIUS also). Should you find it different, try with an upgrade and repeat tests.

BR,

Milos

howon
Cisco Employee
Cisco Employee

You will need to send default priv level 15 from ISE. Maybe possible you have different policy for this specific device on ISE. Other possibility is the work 'Console'. I would check to see if use of the word are identical between this device and the others working as expected especially around case sensitivity as lowercase 'console' is a special keyword with certain commands.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers