why do we need aaa authentication enable

susim
Level 3

Hi all,

Why do we need "aaa authentication enable default group tacacs+ enable"? Is "aaa authentication login default group tacacs+ enable" not enough?

 aaa authentication login default group tacacs+ enable
 aaa authentication enable default group tacacs+ enable

Thanks

Accepted Solution

Jatin Katyal
Cisco Employee

aaa authentication login default group tacacs+ enable > This command is required for login authentication, when you first get the prompt to enter the username/password defined on the TACACS+ server.

username: tacacs username

Password: tacacs password

aaa authentication enable default group tacacs+ enable > This command is required for enable authentication, when you need to enter the enable password defined on the TACACS+ server.

> enable

password: tacacs enable password

In both commands you've defined the enable keyword last as a fallback method. In case TACACS+ goes down, you'll be able to authenticate with the locally defined enable password.

The only thing you can replace in the first command is enable with local as the fallback method.

aaa authentication login default group tacacs+ local

Note: Please ensure that you have a local username/password created with privilege 15 and an enable secret password.

 

Regards,

Jatin Katyal

**Do rate helpful posts**

 

~Jatin

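As an added example (not from the original post or from Cisco documentation), the fragment below puts the two method lists discussed above next to the local objects their fallback methods depend on. The server name, address, shared secret and local username are placeholders I chose; the separate CONSOLE method list is also my addition, kept local-only so that a wrong key or an unreachable server can never lock you out of the console while you are testing the VTY lines.

```cisco
! Added example, not from the original thread. Server name, address, key
! and username are placeholders chosen for illustration.
aaa new-model
!
! The TACACS+ server that "group tacacs+" in the method lists refers to.
tacacs server ISE-1
 address ipv4 192.0.2.10
 key 0 REPLACE-WITH-SHARED-SECRET
!
! Local fallback objects. Both lists below end in a local method, so both of
! these must exist; without the enable secret the fallback path fails with
! "password required but none set".
username admin privilege 15 secret REPLACE-WITH-STRONG-PASSWORD
enable secret REPLACE-WITH-ENABLE-SECRET
!
! Login: ask TACACS+ for username/password; fall back to the local username
! database only when no server answers. An explicit reject from the server
! is final and does NOT fall through to the next method.
aaa authentication login default group tacacs+ local
!
! Enable: ask TACACS+ for the enable password; fall back to the locally
! configured enable secret only when no server answers.
aaa authentication enable default group tacacs+ enable
!
! Console: local only, so a broken server or key never locks the console.
aaa authentication login CONSOLE local
!
line con 0
 login authentication CONSOLE
line vty 0 4
 login authentication default
 transport input ssh
```

The point a practitioner should check before relying on the fallback: the next method in a list is only tried when the previous one returns an error (no server reachable), never when it returns a failure (wrong password). With TACACS+ reachable, neither the local user nor the enable secret is ever consulted on the VTY lines.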

Jatin has explained it correctly; kindly check the link for the AAA command explanation:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa72/command/reference/cmd_ref/a1_72.html

"aaa authentication login default group tacacs+ enable" ensures that whenever any user tries to access the device he gets a login prompt to authenticate his user credentials via the TACACS+ server, or, if the server is down, the enable password is used for user authentication; as Jatin suggested, use local as the fallback instead of enable.

But with this command only the user credentials are validated, and the user, even if he has a privilege level of 15, will get privilege level 1. If the enable password for level 15 is not locally configured on the router, the user cannot go into enable mode.

aaa authentication enable default group tacacs+ enable is used to determine if a user can access the privileged command level.

If you also want your users to authenticate through TAC+ in order to get into enable mode, make sure your console port session is still active and add this command to the router:

  !--- For enable mode, list 'default' looks to TAC+
  !--- then enable password if TAC+ does not run.

  aaa authentication enable default tacacs+ enable

susim
Level 3

Hi Jatin,

Just for clarification, if I add "aaa authentication enable default group tacacs+ enable", once authenticated the device will go directly to enable mode.

As you said,

aaa authentication login default group tacacs+ local

in case TACACS+ fails the user has to enter the local username and password. Once authenticated,

"aaa authentication enable default group tacacs+ enable" will be executed and the user has to enter the enable (local DB) secret.

Please correct me if I am wrong.


aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+

 


In order to land directly in enable mode (#), you don't need the command listed below.

aaa authentication enable default group tacacs+ enable

We need the above command when you want to go into enable mode after entering the enable password.

Instead use only this, and push a shell profile with privilege level 15 from the TACACS+ server. That would allow you to land directly in enable mode.

aaa authorization exec default group tacacs+ local

The user only needs to enter the enable password in the absence of the above command.

 

Regards,

Jatin Katyal

**Do rate helpful posts **

~Jatin
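As an added example (not from the original post), the fragment below shows the two paths to the # prompt side by side: enable authentication, where the user logs in at > and types enable, and exec authorization, where the TACACS+ shell profile returns priv-lvl 15 and the session starts at # without enable ever being consulted. The server name, address, key and username are placeholders I chose. It also spells out what the if-authenticated keyword in the configuration posted earlier in this thread does during a server outage, since that is easy to overlook.

```cisco
! Added example, not from the original thread. Server name, address, key
! and username are placeholders chosen for illustration.
aaa new-model
tacacs server ISE-1
 address ipv4 192.0.2.10
 key 0 REPLACE-WITH-SHARED-SECRET
!
! Local objects used by the fallback methods below.
username admin privilege 15 secret REPLACE-WITH-STRONG-PASSWORD
enable secret REPLACE-WITH-ENABLE-SECRET
!
aaa authentication login default group tacacs+ local
!
! Path A (what the thread asks about): after login the user sits at ">" and
! must type "enable". The enable password is checked on TACACS+; the local
! enable secret is used only when no server answers.
aaa authentication enable default group tacacs+ enable
!
! Path B (Jatin's alternative): after login, exec authorization asks
! TACACS+ for the shell profile. If the server returns priv-lvl=15 the
! session starts at "#" and the enable list above is never consulted.
! With "local" as the fallback, the privilege level comes from the
! "username ... privilege 15" line when no server answers; a user with no
! local entry, or one defined without "privilege 15", lands at level 1.
aaa authorization exec default group tacacs+ local
!
! Without this line, exec authorization is not applied to the console at all.
aaa authorization console
!
! Caveat on the variant posted earlier in the thread:
!   aaa authorization exec default group tacacs+ if-authenticated
!   aaa authorization commands 15 default group tacacs+ if-authenticated
! "if-authenticated" is reached only when no TACACS+ server answers, and it
! then permits the request for anyone who has already authenticated. During
! an outage every account in the local database therefore gets exec access
! and, at level 15, every command, so keep that database to break-glass
! accounts and audit their use.
```

Path A and path B are not exclusive: with both configured, a user whose shell profile carries priv-lvl 15 never sees the enable prompt, while a user whose profile carries priv-lvl 1 still can, and is then checked against the enable list.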

Supportsib,

Did that answer your question, or do you need more clarification?

 

~BR

Jatin Katyal

**Do rate helpful posts**

~Jatin

Hi Jatin 

Thank you for your help.

Kindly explain what "aaa authentication enable default group tacacs+ enable" is.

Kindly explain in what situation I would use the above statement.

Thanks
aaa authentication enable default group tacacs+ enable
Here we are saying that for enable mode (the enable password) we want to use the default group tacacs+. Doing this, it first tries to contact a TACACS+ server. If no server can be found, AAA tries to use the enable password created locally on the device (switch). If there is no enable password configured, you'll see the error "password required but none set".

We should use this command if we want the end user to enter the enable password before he gets access to exec mode. This actually adds another security check for the user. In case your TACACS+ is down you should have some back door entry, and that's the reason we have ENABLE as the last keyword of the command.

Hope this helps.

Regards,
Jatin Katyal
*Do rate helpful posts*

~Jatin

Josh732532
Level 1

Lol "solved" - OK if you say so. Would love to know the actual answer.