12-08-2010 10:38 PM - edited 03-04-2019 10:44 AM
Hi,
I have created a username and password with the command username cisco privilege 15 password cisco. When I telnet to the switch it asks me for the enable secret password, even though I have specified privilege level 15 for the user. The switch is authenticating with ACS and I have specified privilege 15 for that specific user on ACS.
The IOS is c2960-lanbasek9-mz.122-55.SE.
Thanks
12-08-2010 10:54 PM
Hi, I think you must issue this command:
line vty 0 4
login local
The device will then use the local database for authentication.
12-08-2010 11:06 PM
Hello,
Users are authenticating through AAA; they are not authenticating through the local database.
Thanks
12-09-2010 12:18 AM
aaa authentication login default local
12-09-2010 12:34 AM
Hi,
Show us your AAA config: sh run | i aaa and sh run | i user, as well as sh run | be line.
Regards.
12-09-2010 01:12 AM
Hello,
The above command will use the local database for authentication, but I want to authenticate through ACS.
Thanks
12-09-2010 01:25 AM
aaa authentication login default group tacacs+ line enable
tacacs-server host
tacacs-server directed-request
12-09-2010 01:33 AM
Hello,
SW1#sh run | i user
username cisco privilege 15 password 7 0526292704
aaa new-model
aaa authentication login rus group tacacs+ local
aaa authentication login console none
aaa session-id common
SW1#sh run | b line
line con 0
login authentication console
line vty 0 4
exec-timeout 30 0
password 7 04581E51577741
login authentication rus
line vty 5 15
exec-timeout 30 0
password 7 04581E51577741
login authentication rus
Thanks
12-09-2010 02:00 AM
Hi,
Can you add the privilege level 15 command on the vty line and then telnet again with debug aaa authentication?
Just to be sure it gets to TACACS+ and never hits local, so that the problem then lies on ACS.
Regards.
12-09-2010 02:13 AM
Hello,
I have applied the command and it is going directly to privileged mode. The telnet request is hitting the ACS.
But I didn't understand your words below:
"Just to be sure it gets to TACACS+ and never hits local, so that the problem then lies on ACS"?
Can you explain to me what the problem was?
12-09-2010 02:24 AM
Hi,
Can you now confirm the user in ACS is privilege 15?
The command privilege level 15 on the vty line normally lets any user telnetting in, whatever his privilege is, go directly into privileged mode without
having to configure an enable password.
But I've had the same problem once on an 1841 router, where without this command it wouldn't work even with a local privilege 15 user.
Regards.
Alain
12-09-2010 02:40 AM
12-09-2010 04:41 AM
Hi,
It seems like you are using the ACS appliance. I have only used the Windows server ACS, but I guess it is OK.
Now, if you don't mind users with lower privilege being put directly into enable mode when telnetting, then you can leave the command I told you, or just put a password on privileged mode.
Regards
12-11-2010 09:50 AM
If the vty lines are configured with privilege level 15, then anyone getting remote access will go directly to privileged mode. If the original poster is happy with that, then it works. But I think that is not what he wanted. I believe that if he configures aaa authorization exec group tacacs+, it will put only the specified user into privileged mode.
HTH
Rick
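The two approaches discussed in this thread (Alain's vty privilege level 15 test and Rick's aaa authorization exec suggestion) shown side by side as an added example. This is not configuration posted by anyone in the thread; the TACACS+ server address 10.0.0.5, the shared key and the method-list name rus are placeholders chosen for illustration.

```cisco
! Added example, not from the thread. 10.0.0.5 and EXAMPLE-KEY are placeholders.
!
! --- Weak setting: with "privilege level 15" on the vty lines, every user who
! --- authenticates lands in privileged EXEC, whatever level ACS assigned them.
aaa new-model
aaa authentication login rus group tacacs+ local
tacacs-server host 10.0.0.5 key EXAMPLE-KEY
line vty 0 15
 login authentication rus
 privilege level 15
!
! --- Corrected setting: leave the vty lines at the default level and let
! --- TACACS+ (with local fallback) authorize the EXEC privilege level per user.
! --- ACS must return priv-lvl=15 in the shell/exec authorization for the
! --- intended user; everyone else stays at level 1 and still needs enable.
aaa new-model
aaa authentication login rus group tacacs+ local
aaa authorization exec rus group tacacs+ local
tacacs-server host 10.0.0.5 key EXAMPLE-KEY
line vty 0 15
 login authentication rus
 authorization exec rus
!
! --- Check: telnet in as the ACS user and run "show privilege"; it should
! --- report level 15 for that user and level 1 for any other account.
! --- "debug aaa authorization" shows the priv-lvl attribute the server returns.
```

With the second configuration the local fallback matters: if the TACACS+ server is unreachable, authorization falls back to the local database, so the local username cisco privilege 15 still gives privileged EXEC, while any local user defined without a privilege level is left at level 1.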
12-11-2010 10:43 AM
Hi Richard,
I asked him to do so to test and told him that now all users would get into privilege 15.
But I gave him a link to a thread in this forum in Security-AAA where aaa authorization is discussed, and he said it didn't help him.
I tried with a local database, and giving a user privilege 15 is enough to let him go into enable mode directly after login.
But on an 1841 I had the same problem with the local database and I had to put privilege level on the line, but I had no users with lower privileges then.
Regards.
Alain.