Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3233
Views
35
Helpful
6
Replies

User privilege when authenticatio tacacs login

Go to solution
Questions
Level 1
Level 1

‎09-15-2021 05:49 PM

When I login to the console,

I can login,However,

I can login to the user mode.

After that, the enable mode cannot login to the enable password.

 

but login with SSH, I will be logged in enable mode.

 

console > login > user mode( switch> ) > enable password not used

ssh > login > enable mode( switch# ) > That's normal

 

 

configuration

aaa group server tacacs+ test
 server-private 0.0.0.0 timeout 1 key 7 000000000000000
 
 aaa authentication login default group test local
 aaa authentication login Console local
 aaa authentication enable default group test line
 aaa authorization console
 aaa authorization exec default group test local
 aaa authorization exec Console local
 aaa authorization commands 0 Console none
 aaa authorization commands 1 Console none
 aaa authorization commands 8 default group test local if-authenticated
 aaa authorization commands 15 default group test local if-authenticated
 aaa authorization commands 15 Console none
 aaa accounting exec default start-stop group test
 aaa accounting commands 8 default start-stop group test

 aaa accounting commands 15 default start-stop group test

 

line con 0
 exec-timeout 5 0 
 authorization commands 0 Console 
 authorization commands 1 Console
 authorization commands 15 Console
 authorization exec Console
 logging synchronous
 login authentication Console
 stopbits 1
line vty 0 4
 access-class 50 in vrf-also
 password 7 08325F4D1A0E0C031103
 logging synchronous
 transport input ssh

 

Although the same applies to other switches.

Only this switch operates abnormally.

I don't know because I've never used tacacs,

I have to set privilege in tacacs?

 

Labels:
1 Accepted Solution

Accepted Solutions

Go to solution
howon
Cisco Employee
Cisco Employee

‎09-16-2021 07:52 AM

You will need to send default priv level 15 from ISE. Maybe possible you have different policy for this specific device on ISE. Other possibility is the work 'Console'. I would check to see if use of the word are identical between this device and the others working as expected especially around case sensitivity as lowercase 'console' is a special keyword with certain commands.

View solution in original post

6 Replies 6

Go to solution
Amine ZAKARIA
Spotlight
Spotlight

‎09-16-2021 02:16 AM

Hello @Questions ,

 

Because you have enable set to tacacs first then line "aaa authentication enable default group test line"

 

Try to create the local user with priviliege 15 and test "username You_User privilege 15 secret Your_Pass"

That should takes you directly to # 

 

Go to solution
Questions
Level 1
Level 1
In response to Amine ZAKARIA

‎09-16-2021 06:51 AM

That part is weird.
I applied

"line vty"

"authorization exc Console"

"login authentication Console"

but I log in using tacacs.

Go to solution
Dustin Anderson
VIP
VIP

‎09-16-2021 06:57 AM

So, we don't call out priv for console, we have everything default and tacacs works for SSH and console the same. Here is part of our default config we use on switches.

 

line con 0
length 54
logging synchronous
login authentication default
exec-timeout 15
authorization exec default
logging console 2

line vty 0 15
length 54
logging synchronous
exec-timeout 15
transport input ssh
access-class 10 in vrf-also

 

aaa authentication login default group ISETacacs local
aaa authorization exec default group ISETacacs local if-authenticated
aaa authorization network default group ISERadius local
aaa authorization config-commands
aaa authentication dot1x default group ISERadius
aaa accounting dot1x default start-stop group ISERadius
aaa accounting update newinfo periodic 2880
aaa session-id common
aaa authorization console
aaa accounting update periodic 5
aaa accounting system default start-stop group ISETacacs
aaa authorization commands 1 default group ISETacacs local
aaa authorization commands 8 default group ISETacacs local
aaa authorization commands 15 default group ISETacacs local
aaa accounting commands 1 default start-stop group ISETacacs
aaa accounting commands 8 default start-stop group ISETacacs
aaa accounting commands 15 default start-stop group ISETacacs

 

In ISE, we use the Default Privilege in the profile to set their level.

Go to solution
Questions
Level 1
Level 1
In response to Dustin Anderson

‎09-16-2021 07:12 AM

I have another question

There are about 30ea switcht applied with the same config, but only this switch has a problem.
If this is the case, is there a problem with setting up the tacacs server?

Go to solution
Milos_Jovanovic
VIP Alumni
VIP Alumni
In response to Questions

‎09-17-2021 12:37 AM

Hi @Questions,

Next to what @howon already mentioned, I would also check software version on this switch and compare it with working ones. I've seen in the past that some software versions misbehave with TACACS+ (and with RADIUS also). Should you find it different, try with an upgrade and repeat tests.

BR,

Milos

Go to solution
howon
Cisco Employee
Cisco Employee

‎09-16-2021 07:52 AM

You will need to send default priv level 15 from ISE. Maybe possible you have different policy for this specific device on ISE. Other possibility is the work 'Console'. I would check to see if use of the word are identical between this device and the others working as expected especially around case sensitivity as lowercase 'console' is a special keyword with certain commands.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents