05-26-2009 01:17 PM - edited 03-10-2019 04:30 PM
I'm using ACS v3.3 to authenticate my network devices. When I log into the managed devices, it takes me directly to enable mode. I looked through all the config options and can't seem to figure out why it would do this. Has anyone seen this before?
05-26-2009 04:45 PM
That is due to exec authorization. Remove the priv 15 for that user.
1. Go to user or group setup in ACS
2. Drop down to "TACACS+ Settings"
3. Place a check in "Shell (Exec)"
4. Uncheck "Privilege level" and clear "15" in the adjacent field
Or on aaa-client remove
aaa authorization exec default group tacacs+ if-authenticated
by
no aaa authorization exec default group tacacs+ if-authenticated
Regards,
~JG
Do rate helpful posts
05-27-2009 05:46 AM
That works partly. Now I get the regular prompt. However, I can get in without a password. As long as my userid is valid, it will let me in with any password.
Thanks for your feedback.
05-27-2009 06:53 AM
Do you have this command,
aaa authentication login default group tacacs local
Please share your aaa config from router.
Regards,
~JG
Do rate helpful posts
05-27-2009 07:00 AM
Here is my config.
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login console enable
aaa authentication login no_tacacs line
aaa authentication enable default group tacacs+ enable
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
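
An added example, not part of the thread or any poster's code: a small Python check that parses the "aaa authentication" and "aaa authorization" method lists from the configuration posted above and reports lists whose last method ("none" or "if-authenticated") permits access when the TACACS+ server does not answer, lists that never consult a server group, and a missing default exec authorization list. The function names and finding codes are this example's own.

```python
import re

# Constructed sample: the authentication/authorization lines from the config posted above.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login console enable
aaa authentication login no_tacacs line
aaa authentication enable default group tacacs+ enable
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
"""

AAA_RE = re.compile(
    r"^aaa (authentication|authorization) (login|enable|exec|commands \d+) (\S+) (.+)$")

def parse_method_lists(config):
    """Map (service, type, list name) to its ordered methods, e.g. ['group tacacs+', 'local']."""
    lists = {}
    for line in config.splitlines():
        m = AAA_RE.match(line.strip())
        if not m:
            continue  # 'aaa new-model', accounting lines, non-AAA config
        service, kind, name, rest = m.groups()
        # 'group <name>' is one method; every other token is a method by itself.
        lists[(service, kind, name)] = re.findall(r"group \S+|\S+", rest)
    return lists

def audit(config):
    """Return sorted (list id, finding code) pairs; the codes are this example's own labels."""
    lists = parse_method_lists(config)
    findings = []
    for (service, kind, name), methods in lists.items():
        list_id = f"{service} {kind} {name}"
        # A later method is tried only when the earlier one gives no answer (server error or timeout).
        if service == "authorization" and methods[-1] in ("none", "if-authenticated"):
            findings.append((list_id, "permits-when-server-unreachable"))
        if not any(m.startswith("group ") for m in methods):
            findings.append((list_id, "no-server-method"))
    # Without exec authorization the privilege level set in ACS is not applied at login.
    if ("authorization", "exec", "default") not in lists:
        findings.append(("authorization exec default", "not-configured"))
    return sorted(findings)

if __name__ == "__main__":
    for list_id, code in audit(SAMPLE_CONFIG):
        print(f"{code:32} {list_id}")
```
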