07-09-2014 03:28 AM - edited 03-04-2019 11:18 PM
Hi,
I've configured AAA TACACS+ on my router. The problem is that when I SSH to the router it is not accepting the ACS password, but it logs in using the local password.
Also, I can go to enable mode using the ACS password. Please help with this.
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa session-id common
07-09-2014 04:07 AM
Can you please post your vty configuration?
07-09-2014 03:11 PM
What is the output of show tacacs?
When the original poster says that he is logging in to user mode using the local password, I am not clear whether he is talking about a locally configured user name and password or is talking about the line password. Perhaps we can get some clarification?
HTH
Rick
07-10-2014 05:26 AM
Hi,
There is no local password configured in the router; I think it is taking it from ACS itself, but a different password. Is there anything to be changed in ACS for this?
Here is the output of sh tacacs:
Tacacs+ Server - public : x.x.x.x
Socket opens: 185627
Socket closes: 106004
Socket aborts: 0
Socket errors: 5129
Socket Timeouts: 13
Failed Connect Attempts: 15
Total Packets Sent: 270398
Total Packets Recv: 269649
Tacacs+ Server - public : x.x.x.x
Socket opens: 914
Socket closes: 560
Socket aborts: 0
Socket errors: 0
Socket Timeouts: 0
Failed Connect Attempts: 0
Total Packets Sent: 1400
Total Packets Recv: 1398
08-11-2014 07:39 AM
After reading a little about this it looks like you have users enter user exec mode by default and after typing "enable" then entering the TACACS+ password you probably get denied. If this is the case you are kind of left to your own devices. I'll provide you some information and let you determine the best course.
R1(config-line)# privilege level [0-15]
This line sets the privilege level of users that are logging in via SSH or other teleterminal services.
Here is an excerpt from the documentation for tac_plus provided at http://www.shrubbery.net/tac_plus/
CONFIGURING ENABLE PASSWORDS
----------------------------
The default privilege level for an ordinary user on the NAS is usually
1. When a user enables, she can reset this level to a value between 0
and 15 by using the NAS "enable" command. If she doesn't specify a
level, the default level she enables to is 15.
You can enable via tacacs+ e.g. by configuring on the NAS:
aaa authentication enable default tacacs+
then whenever you attempt to enable, an authentication request is sent
with the special username $enab<n>$ where <n> is the privilege level
you are attempting to enable to.
(Note: in order to be compatible with earlier versions of tacacs, when
the requested enable level is 15, the daemon will also try the
username $enable$ before trying username $enab15$).
For example, with the above declaration, in order to enable on the
NAS, you need a user declaration like this one, on the daemon:
user = $enab15$ {
login = cleartext "the enable password for level 15"
}
Note: Be aware that this does have the side effect that you now have a
user named $enab15$ who can then login to your NAS if she knows the
enable password.
Here is a similar declaration allowing users to enable to level 4:
user = $enab4$ {
login = des bsoF4OivQCY8Q
}
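As an added illustration of the mechanism the tac_plus excerpt above describes (this is example code, not part of the original post, tac_plus or Cisco IOS), the script below parses a small constructed config in tac_plus syntax, builds the `$enab<n>$` / `$enable$` username list the daemon tries for a given enable level, and shows the side effect the excerpt warns about: the `$enab15$` entry doubles as a login identity unless the daemon refuses those names for plain logins. The config text, the `alice` user, the `block_enable_names` guard and all passwords are assumptions made for the example; only `cleartext` entries are verified (a `des` entry would need crypt(3), which is not implemented here).

```python
import hmac
import re

# Constructed sample config in tac_plus syntax (not from a real deployment):
# one ordinary user plus the $enab15$ / $enab4$ "users" the excerpt shows.
SAMPLE_CONFIG = '''
user = alice {
    login = cleartext "alice-login-pw"
}
user = $enab15$ {
    login = cleartext "the enable password for level 15"
}
user = $enab4$ {
    login = cleartext "level4-enable-pw"
}
'''

USER_RE = re.compile(r'user\s*=\s*(\S+)\s*\{([^}]*)\}', re.S)
LOGIN_RE = re.compile(r'login\s*=\s*(\w+)\s+"([^"]*)"')
ENABLE_NAME_RE = re.compile(r'\$enab(le|\d{1,2})\$')


def parse_config(text):
    """Return {username: (scheme, secret)} for every 'user = X { login = ... }' block."""
    users = {}
    for m in USER_RE.finditer(text):
        name, body = m.group(1), m.group(2)
        lm = LOGIN_RE.search(body)
        if lm:
            users[name] = (lm.group(1), lm.group(2))
    return users


def enable_usernames(level):
    """Usernames tried, in order, when the NAS sends an enable request for <level>.

    Per the excerpt: $enab<n>$ is the username; for level 15 the daemon first
    tries the legacy name $enable$ before $enab15$.
    """
    if not 0 <= level <= 15:
        raise ValueError("privilege level must be 0-15")
    names = [f"$enab{level}$"]
    if level == 15:
        names.insert(0, "$enable$")
    return names


def check_password(entry, password):
    """Verify a password against a parsed login entry (cleartext only here)."""
    scheme, secret = entry
    if scheme == "cleartext":
        return hmac.compare_digest(secret, password)
    return False  # des (crypt(3)) hashes are not implemented in this example


def authenticate_enable(users, level, password):
    """Daemon-side check for 'enable <level>': first matching $enab name wins."""
    for name in enable_usernames(level):
        entry = users.get(name)
        if entry is not None:
            return check_password(entry, password)
    return False  # no $enab<n>$ (or $enable$) user declared for this level


def authenticate_login(users, username, password, block_enable_names=True):
    """Plain login check.

    With block_enable_names=True (an assumed hardening, not tac_plus behaviour),
    the $enab<n>$ / $enable$ pseudo-users cannot be used as login identities,
    closing the side effect the excerpt warns about.
    """
    if block_enable_names and ENABLE_NAME_RE.fullmatch(username):
        return False
    entry = users.get(username)
    return entry is not None and check_password(entry, password)


if __name__ == "__main__":
    users = parse_config(SAMPLE_CONFIG)
    print("enable 15 order:", enable_usernames(15))
    print("enable 15 ok:", authenticate_enable(users, 15, "the enable password for level 15"))
    print("enable 7 (no $enab7$):", authenticate_enable(users, 7, "anything"))
    print("login as $enab15$, unguarded:",
          authenticate_login(users, "$enab15$", "the enable password for level 15", False))
    print("login as $enab15$, guarded:",
          authenticate_login(users, "$enab15$", "the enable password for level 15"))
```

The unguarded login call shows why the excerpt's note matters: whoever knows the level-15 enable password can present `$enab15$` as an ordinary login name, so either keep that password as strong as any account password or have the daemon refuse the pseudo-usernames for the login service, as the guarded path does.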