AAA using TACACS+ on ACS with Enable Password

Craddockc
Level 3

Community,

 

We are using ACS 5.1 for TACACS+ (Old I know!) authentication on our Cisco devices. Most of the devices are IOS devices but we do have a few NX-OS devices as well. I am able to successfully authenticate to each device via SSH using TACACS+ but I am not sure how to enforce the use of the enable password after successfully authenticating with TACACS+. When I authenticate to the device using my TACACS+ username and password, it dumps me into Global Config mode. How do I enforce the use of the enable password after authenticating via TACACS+ before being allowed into global config mode? Are there changes I need to make in the ACS? Switches? Both?

 

Thanks.

2 Replies

johnd2310
Level 8

Hi,

 

What is the configuration of the shell profile in ACS for device administration? It is probably set to assign privilege 15. Set this to a lower privilege like 1 and configure aaa authentication enable in the switch.

 

Thanks

John

**Please rate posts you find helpful**
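The IOS side of what John describes (a shell profile that hands down a low privilege level, plus `aaa authentication enable` on the switch), written out as an added example rather than configuration from either poster; the ACS address, shared key and secrets are placeholders, the shell profile is assumed to assign priv-lvl 1, and it covers IOS only because the thread does not settle the NX-OS side.

```cisco
! Added example, not from the thread. Placeholders: 192.0.2.10 (ACS), keys, secrets.
! Assumes the ACS device-admin shell profile assigns priv-lvl 1, as John suggests.
aaa new-model
!
! TACACS+ server definition (IOS 15.x syntax; older IOS uses
! "tacacs-server host" and "tacacs-server key" instead)
tacacs server ACS-PRIMARY
 address ipv4 192.0.2.10
 key 0 PLACEHOLDER-SHARED-SECRET
!
! Login: SSH sessions authenticate against ACS, local users only if ACS is unreachable
aaa authentication login default group tacacs+ local
!
! Enable: "enable" sends an ENABLE request to ACS, so the user must supply the
! enable password held there; falls back to the local enable secret if ACS is down
aaa authentication enable default group tacacs+ enable
!
! Exec authorization is what lets ACS apply the shell profile's priv-lvl (1 here),
! so the session starts in user EXEC rather than privileged EXEC
aaa authorization exec default group tacacs+ local
!
! Local fallback used by the "enable" method above
enable secret PLACEHOLDER-LOCAL-ENABLE-SECRET
!
line vty 0 4
 ! Deliberately no "privilege level 15": with it, every session lands at
 ! level 15 regardless of what ACS returns, which is the behaviour the OP saw
 login authentication default
 transport input ssh
```

After this, a TACACS+ login drops the user at the `>` prompt and `enable` is required (and logged by ACS as a separate authentication) before `configure terminal` is reachable.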

JohnD,

 

Thanks for the reply. I managed to get all the IOS devices to enforce the enable password. I did this by removing the "privilege level 15" command from the VTY lines. However, I'm having trouble enforcing the enable password on the NX-OS devices. I've used the "feature privilege" command on the device and created an enable password. However, the device still dumps me into global config mode. I'll look at the ACS and see what priv level it's passing to the device. Any ideas on what else I have to do on the NX-OS device to enforce the enable password?

 

Thanks.