cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
479
Views
0
Helpful
4
Replies

Using ACS v3.3 login sends me directly to enable

chang.hyo
Level 1
Level 1

I'm using ACS v3.3 to authenticate my network devices. When I log into the managed devices, it takes me directly to enable mode. I looked through all the config options and can't seem to figure out why it would do this. Has anyone seem this before?

4 Replies 4

Jagdeep Gambhir
Level 10
Level 10

That is due to exec authorization. Remove the priv 15 for that user

1. Go to user or group setup in ACS

2. Drop down to "TACACS+ Settings"

3. Place a check in "Shell (Exec)"

4. Uncheck "Privilege level" and clear "15" in the adjacent field

Or on aaa-client remove

aaa authorization exec default group tacacs+ if-authenticated

by

no aaa authorization exec default group tacacs+ if-authenticated

Regards,

~JG

Do rate helpful posts

That works partly. Now I get the regular prompt. However, i can get in without a password. As long as my userid is valid, it will let me in with any password.

Thanks for your feedback.

Do you have this command,

aaa authentication login default group tacacs local

Please share your aaa config from router.

Regards,

~JG

Do rate helpful posts

Here is my config.

aaa new-model

aaa authentication login default group tacacs+ local

aaa authentication login console enable

aaa authentication login no_tacacs line

aaa authentication enable default group tacacs+ enable

aaa authorization commands 1 default group tacacs+ none

aaa authorization commands 15 default group tacacs+ none

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting network default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+