09-15-2021 05:49 PM
When I log in to the console, I can log in, but only to user mode.
After that, I cannot get into enable mode with the enable password.
But when I log in with SSH, I am logged in to enable mode.
console > login > user mode( switch> ) > enable password not used
ssh > login > enable mode( switch# ) > That's normal
Configuration:
aaa group server tacacs+ test
 server-private 0.0.0.0 timeout 1 key 7 000000000000000
aaa authentication login default group test local
aaa authentication login Console local
aaa authentication enable default group test line
aaa authorization console
aaa authorization exec default group test local
aaa authorization exec Console local
aaa authorization commands 0 Console none
aaa authorization commands 1 Console none
aaa authorization commands 8 default group test local if-authenticated
aaa authorization commands 15 default group test local if-authenticated
aaa authorization commands 15 Console none
aaa accounting exec default start-stop group test
aaa accounting commands 8 default start-stop group test
aaa accounting commands 15 default start-stop group test
line con 0
 exec-timeout 5 0
 authorization commands 0 Console
 authorization commands 1 Console
 authorization commands 15 Console
 authorization exec Console
 logging synchronous
 login authentication Console
 stopbits 1
line vty 0 4
 access-class 50 in vrf-also
 password 7 08325F4D1A0E0C031103
 logging synchronous
 transport input ssh
Although the same config applies to other switches, only this switch behaves abnormally.
I don't know, because I have never used TACACS.
Do I have to set the privilege in TACACS?
09-16-2021 07:52 AM
You will need to send default priv level 15 from ISE. Possibly you have a different policy for this specific device on ISE. The other possibility is the word 'Console'. I would check to see if the use of the word is identical between this device and the others working as expected, especially around case sensitivity, as lowercase 'console' is a special keyword with certain commands.
09-16-2021 02:16 AM
Hello @Questions ,
Because you have enable set to TACACS first, then line: "aaa authentication enable default group test line".
Try to create the local user with privilege 15 and test: "username You_User privilege 15 secret Your_Pass".
That should take you directly to #.
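The two answers above point at the same mechanics: the console line uses the named "Console" lists (local), SSH uses the default lists (TACACS+), and the privilege level a session starts with comes from whichever exec authorization source answers. The script below is an added example, not code from the thread or from Cisco; it parses a running-config in show-running-config layout, resolves which login/exec method list each line stanza actually uses, and reports why a local-only exec list lands users at the > prompt. The sample config is constructed: it reuses the AAA and line stanzas from the question, swaps in a documentation IP for the TACACS+ server, and assumes a local user that was created without privilege 15 (IOS then assigns privilege 1). The check that console authorization requires "aaa authorization console" reflects IOS behaviour as I understand it.

```python
"""Audit which AAA method lists a Cisco IOS console and vty session use, and
explain why a local-only exec authorization list leaves users in user mode."""
import re

# Constructed sample config (not the poster's exact running-config).
SAMPLE_CONFIG = """\
aaa group server tacacs+ test
 server-private 192.0.2.10 timeout 1 key 7 000000000000000
aaa authentication login default group test local
aaa authentication login Console local
aaa authentication enable default group test line
aaa authorization console
aaa authorization exec default group test local
aaa authorization exec Console local
username netadmin secret 0 PLACEHOLDER_PASSWORD
line con 0
 exec-timeout 5 0
 authorization exec Console
 login authentication Console
line vty 0 4
 password 7 08325F4D1A0E0C031103
 transport input ssh
"""

KINDS = {"authentication login": "login", "authentication enable": "enable",
         "authorization exec": "exec"}


def split_methods(tokens):
    """Turn ['group', 'test', 'local'] into ['group test', 'local']."""
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append("group " + tokens[i + 1])
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def parse_method_lists(config):
    """Return {(kind, list_name): [methods]} for login/enable/exec lists."""
    lists = {}
    pat = r"aaa (authentication login|authentication enable|authorization exec) (\S+) (.+)"
    for raw in config.splitlines():
        m = re.match(pat, raw.strip())
        if m:
            lists[(KINDS[m.group(1)], m.group(2))] = split_methods(m.group(3).split())
    return lists


def parse_lines(config):
    """Return {stanza: {'login': list, 'exec': list, 'password': bool}}.
    A missing sub-command means the 'default' list applies."""
    lines, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            lines[current] = {"login": "default", "exec": "default", "password": False}
        elif current is not None and raw.startswith(" "):
            sub = raw.strip()
            m = re.match(r"login authentication (\S+)", sub)
            if m:
                lines[current]["login"] = m.group(1)
            m = re.match(r"authorization exec (\S+)", sub)
            if m:
                lines[current]["exec"] = m.group(1)
            if sub.startswith("password "):
                lines[current]["password"] = True
        else:
            current = None  # left the line stanza
    return lines


def parse_local_users(config):
    """Return {username: privilege}; IOS uses privilege 1 when it is omitted."""
    users = {}
    for raw in config.splitlines():
        m = re.match(r"username (\S+)(?: privilege (\d+))?", raw.strip())
        if m:
            users[m.group(1)] = int(m.group(2) or 1)
    return users


def audit(config):
    """Return (stanza, finding) tuples describing where each line's session ends up."""
    lists = parse_method_lists(config)
    has_priv15 = any(p == 15 for p in parse_local_users(config).values())
    console_authz = "aaa authorization console" in [l.strip() for l in config.splitlines()]
    enable_methods = lists.get(("enable", "default"), ["enable"])
    findings = []
    for stanza, refs in parse_lines(config).items():
        for kind in ("login", "exec"):
            name = refs[kind]
            if (kind, name) not in lists:
                # List names are case-sensitive: point at a list that differs only in case.
                alt = [n for (k, n) in lists if k == kind and n.lower() == name.lower()]
                hint = f" (a list named '{alt[0]}' exists)" if alt else ""
                findings.append((stanza, f"{kind} list '{name}' is not defined{hint}"))
                continue
            methods = lists[(kind, name)]
            if kind == "exec" and stanza.startswith("con") and not console_authz:
                findings.append((stanza, "exec authorization is ignored on the console without 'aaa authorization console'"))
            if kind == "exec" and methods[0] == "local" and not has_priv15:
                findings.append((stanza, "exec authorization is local but no local user has privilege 15, "
                                 "so sessions start at user mode (>) and 'enable' is checked with: "
                                 + ", ".join(enable_methods)))
                if "line" in enable_methods and not refs["password"]:
                    findings.append((stanza, "the 'line' enable method has no line password to check here"))
    return findings


if __name__ == "__main__":
    for stanza, finding in audit(SAMPLE_CONFIG):
        print(f"line {stanza}: {finding}")
```

Run against the sample, the report shows that only the console stanza is affected: SSH resolves to the default exec list (TACACS+ first, which hands back the privilege level), while the console resolves to the local list with no privilege-15 user, so the user gets the > prompt and the enable check falls through to a line password that line con 0 does not have. Adding privilege 15 to the local user makes the console findings disappear, and renaming the applied list to lowercase "console" produces an undefined-list finding, which is the case-sensitivity point raised above.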
09-16-2021 06:51 AM
That part is weird.
I applied
"line vty"
"authorization exec Console"
"login authentication Console"
but I log in using TACACS.
09-16-2021 06:57 AM
So, we don't call out priv for console, we have everything default and tacacs works for SSH and console the same. Here is part of our default config we use on switches.
line con 0
 length 54
 logging synchronous
 login authentication default
 exec-timeout 15
 authorization exec default
 logging console 2
line vty 0 15
 length 54
 logging synchronous
 exec-timeout 15
 transport input ssh
 access-class 10 in vrf-also
aaa authentication login default group ISETacacs local
aaa authorization exec default group ISETacacs local if-authenticated
aaa authorization network default group ISERadius local
aaa authorization config-commands
aaa authentication dot1x default group ISERadius
aaa accounting dot1x default start-stop group ISERadius
aaa accounting update newinfo periodic 2880
aaa session-id common
aaa authorization console
aaa accounting update periodic 5
aaa accounting system default start-stop group ISETacacs
aaa authorization commands 1 default group ISETacacs local
aaa authorization commands 8 default group ISETacacs local
aaa authorization commands 15 default group ISETacacs local
aaa accounting commands 1 default start-stop group ISETacacs
aaa accounting commands 8 default start-stop group ISETacacs
aaa accounting commands 15 default start-stop group ISETacacs
In ISE, we use the Default Privilege in the profile to set their level.
09-16-2021 07:12 AM
I have another question.
There are about 30 switches with the same config applied, but only this switch has a problem.
If this is the case, is there a problem with the setup of the TACACS server?
09-17-2021 12:37 AM
Hi @Questions,
Besides what @howon already mentioned, I would also check the software version on this switch and compare it with the working ones. I've seen in the past that some software versions misbehave with TACACS+ (and with RADIUS also). Should you find it different, try an upgrade and repeat the tests.
BR,
Milos