05-01-2018 10:53 AM - edited 02-21-2020 10:54 AM
Community,
We are using ACS 5.1 for TACACS+ (old, I know!) authentication on our Cisco devices. Most of the devices are IOS devices but we do have a few NX-OS devices as well. I am able to successfully authenticate to each device via SSH using TACACS+ but I am not sure how to enforce the use of the enable password after successfully authenticating with TACACS+. When I authenticate to the device using my TACACS+ username and password, it dumps me into Global Config mode. How do I enforce the use of the enable password after authenticating via TACACS+ before being allowed into global config mode? Are there changes I need to make in the ACS? Switches? Both?
Thanks.
05-01-2018 05:19 PM
Hi,
What is the configuration of shell profile in acs for device administration? It is probably set to assign privilege 15. Set this to a lower privilege like 1 and configure aaa authentication enable in the switch.
Thanks
John
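For reference, here is what John's advice looks like on the IOS side as a constructed configuration (added illustration, not from the thread or from the original poster's devices); the server name, address 192.0.2.10, key and secrets are placeholders, and older IOS releases use `tacacs-server host` instead of the `tacacs server` block:

```cisco
! Constructed example: enforce the enable prompt after a TACACS+ login.
! Placeholders: ACS-01, 192.0.2.10, ACS-KEY, LOCAL-ENABLE-SECRET, LOCAL-FALLBACK.
aaa new-model
!
tacacs server ACS-01
 address ipv4 192.0.2.10
 key ACS-KEY
!
aaa group server tacacs+ ACS-GROUP
 server name ACS-01
!
! Login is checked against ACS first, local users only if ACS is unreachable.
aaa authentication login default group ACS-GROUP local
! "enable" is also sent to ACS; the local enable secret is the fallback.
aaa authentication enable default group ACS-GROUP enable
! Exec authorization lets the ACS shell profile set the starting privilege,
! so that profile must return level 1 (not 15) for the enable prompt to appear.
aaa authorization exec default group ACS-GROUP local
!
enable secret LOCAL-ENABLE-SECRET
username admin privilege 15 secret LOCAL-FALLBACK
!
line vty 0 4
 ! No "privilege level 15" here: that command is what skipped the enable prompt.
 login authentication default
 authorization exec default
 transport input ssh
```

To check the result, log in over SSH and run `show privilege`: it should report level 1, and `enable` should then prompt for the password. If `show privilege` still reports 15 on a fresh login, the ACS shell profile is still handing out privilege 15 through exec authorization, regardless of what the VTY line says.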
05-02-2018 01:10 PM
JohnD,
Thanks for the reply. I managed to get all the IOS devices to enforce the enable password. I did this by removing the "privilege level 15" command from the VTY lines. However, I'm having trouble enforcing the enable password on the NX-OS devices. I've used the "feature privilege" command on the device and created an enable password. However, the device still dumps me into global config mode. I'll look at the ACS and see what priv level it's passing to the device. Any ideas on what else I have to do on the NX-OS device to enforce the enable password?
Thanks.