Cisco ACS 'enable' Authorization Requests AD Password

Mike Hendriks1
Level 1

Hi Everyone,

We have a subset of our infrastructure that uses shell profiles and command sets with ACS 5.x to authorize CLI users for different roles.  The way it works is that the user logs in with their AD credentials, and then when they type 'enable' they enter their AD password again to gain access to the privileged exec.

I'm attempting to assist another coworker to set this up for a different set of infrastructure, but I cannot for the life of me find the setting in ACS that forces it to work this way.  Our IOS configuration is as follows:

aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization config-commands
aaa accounting commands 15 default start-stop group tacacs+

Can anyone assist?  Is it just the "aaa authorization commands <number> default group..." commands that configure it to work this way, or is there a setting in ACS itself?

Thanks in advance,

Accepted Solution

Francesco Molino
VIP Alumni
Hi

Your question is which line forces you to type in your enable password?
The line aaa authentication enable says it will ask the enable pwd from tacacs and fall back to the local enable pwd. The line aaa authorization exec would push the user into privilege mode (if it receives privilege 15) if you add the keyword if-authenticated.

The command you pointed out is to validate each command you'll type in through the tacacs server.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

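The fallback the accepted answer describes ("ask tacacs and fall back to local/enable") is worth pinning down, because this is where local-fallback misunderstandings happen: in an IOS method list a later method is consulted only when the previous one cannot answer (for example the ACS server is unreachable), not when it rejects the password. The model below is an added illustration written for this thread, not IOS code and not from either poster; the sample credentials AD, LOCAL and ENABLE_SECRET are constructed.

```python
from enum import Enum
from typing import Callable, Dict, Sequence

class R(Enum):
    PASS = "pass"
    FAIL = "fail"    # the method gave a verdict and rejected the credentials
    ERROR = "error"  # the method could not answer, e.g. TACACS+ server unreachable

Method = Callable[[str, str], R]

def run_method_list(methods: Sequence[Method], user: str, secret: str) -> R:
    """Walk the list in order. Only ERROR moves on to the next method;
    a FAIL is final, so a rejected AD password never reaches 'local'."""
    for method in methods:
        verdict = method(user, secret)
        if verdict is not R.ERROR:
            return verdict
    return R.ERROR  # every method errored: the request is denied

def tacacs(reachable: bool, ad_passwords: Dict[str, str]) -> Method:
    """Stand-in for 'group tacacs+' with ACS checking the AD password."""
    def check(user: str, secret: str) -> R:
        if not reachable:
            return R.ERROR
        return R.PASS if ad_passwords.get(user) == secret else R.FAIL
    return check

def local(local_users: Dict[str, str]) -> Method:
    """Stand-in for the 'local' method (username/password in running-config)."""
    return lambda user, secret: R.PASS if local_users.get(user) == secret else R.FAIL

def enable(enable_secret: str) -> Method:
    """Stand-in for the 'enable' method: the locally configured enable secret."""
    return lambda _user, secret: R.PASS if secret == enable_secret else R.FAIL

# Constructed sample credentials (not from the thread).
AD = {"alice": "ad-pass"}
LOCAL = {"alice": "local-pass"}
ENABLE_SECRET = "local-enable"

def login_attempt(user: str, typed: str, acs_reachable: bool) -> R:
    """aaa authentication login default group tacacs+ local"""
    return run_method_list([tacacs(acs_reachable, AD), local(LOCAL)], user, typed)

def enable_attempt(user: str, typed: str, acs_reachable: bool) -> R:
    """aaa authentication enable default group tacacs+ enable"""
    return run_method_list([tacacs(acs_reachable, AD), enable(ENABLE_SECRET)], user, typed)
```

Because a reject is final, the local username password and the enable secret only come into play while ACS is unreachable, which is why the AD password is what gets typed at 'enable' in normal operation.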