Username Password

thomasandy32
Level 1

Hi,

I have created a username and password with the command username cisco privilege 15 password cisco. When I telnet to the switch it asks me for the enable secret password, though I have specified privilege level 15 for the user. The switch is authenticating with ACS and I have specified privilege 15 for that specific user on ACS.

The IOS is c2960-lanbasek9-mz.122-55.SE.

Thanks

14 Replies

Anton Noskov
Level 1

Hi, I think you must issue this command:

line vty 0 4

login local

The device will then take the local database for authentication.

Hello,

Users are authenticating through AAA; they are not authenticating through the local database.

Thanks

aaa authentication login default local

Hi,

Show us your AAA config: sh run | i aaa and sh run | i user, as well as sh run | be line

Regards.

Don't forget to rate helpful posts.

Hello,

The above command will use the local database for authentication, but I want to authenticate through ACS.

Thanks

aaa authentication login default group tacacs+ line enable

tacacs-server host key
tacacs-server directed-request

Hello,

SW1#sh run | i user

username cisco privilege 15 password 7 0526292704

aaa new-model
aaa authentication login rus group tacacs+ local
aaa authentication login console none
aaa session-id common

SW1#sh run | b line
line con 0
login authentication console
line vty 0 4
exec-timeout 30 0
password 7 04581E51577741
login authentication rus
line vty 5 15
exec-timeout 30 0
password 7 04581E51577741
login authentication rus

Thanks

Hi,

Can you add the privilege level 15 command on the vty line and then telnet again with debug aaa authentication?

Just to be sure it gets to tacacs+ and never hits local, so the problem then lies on ACS.

Regards.

Don't forget to rate helpful posts.

Hello,

I have applied the command and it is going directly to privileged mode. The telnet request is hitting ACS.

But I didn't understand your words below:

"Just to be sure it gets to tacacs+ and never hits local, so the problem then lies on ACS"

Can you explain to me what the problem was?

Hi,

Can you now confirm the user in ACS is privilege 15?

The command privilege level 15 on line vty normally lets any user who telnets in, whatever his privilege is, go directly into privileged mode without having to configure an enable password.

But I've had the same problem once on an 1841 router where, without putting this command, it wouldn't work even with a local privilege 15 user.

Regards.

Alain

Don't forget to rate helpful posts.

Hello,

Attached is the Privilege 15 Access on ACS 5.0.

Hi,

It seems like you are using the ACS appliance. I have only used the Windows server ACS, but I guess it is OK.

Now, if you don't mind users with less privilege being put directly into enable mode when telnetting, then you can leave the command I told you, or just put a password on privileged mode.

Regards

Don't forget to rate helpful posts.

If the vty lines are configured with privilege level 15 then anyone getting remote access will go directly to privilege mode. If the original poster is happy with that then it works. But I think that is not what he wanted. I believe that if he will configure aaa authorization exec group tacacs+ that it will put only the specified user into privilege mode.

HTH

Rick

Hi Richard,

I asked him to do so to test, and told him that now all users would get into privilege 15.

But I gave him a link to a thread in this forum in security-aaa where aaa authorization is talked about, and he said it didn't help him.

I tried with a local database, and giving a user privilege 15 is enough to let him go into enable mode directly after login.

But on an 1841 I had the same problem with the local database and I had to put privilege level on the line, but I had no users with lower privileges then.

Regards.

Alain.

Don't forget to rate helpful posts.
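
The two approaches discussed in Rick's and Alain's replies side by side, as an added example that is not part of the original thread. The weak variant is the one the original poster tested: privilege level 15 on the vty lines puts every authenticated user into privileged EXEC, regardless of what ACS returns for them. The corrected variant drops that line command and instead adds aaa authorization exec, so the privilege level comes per-user from the TACACS+ server's priv-lvl attribute (with local users' privilege used only as a fallback). The server address 192.0.2.10, the key TacKey1 and the enable secret are placeholders, and the method list name rus is taken from the poster's own config.

```cisco
! Added example, not from the thread. Placeholders: TACACS+ server 192.0.2.10,
! shared key TacKey1, enable secret. Assumes the ACS shell profile for the admin
! user returns priv-lvl=15 and other users get priv-lvl=1.
!
! ---- Weak: everyone who logs in lands in privileged EXEC ----------------
line vty 0 15
 privilege level 15
 login authentication rus
!
! ---- Corrected: privilege level is authorized per user via TACACS+ -------
aaa new-model
tacacs-server host 192.0.2.10 key TacKey1
!
! Authenticate logins against TACACS+, fall back to local only if unreachable
aaa authentication login rus group tacacs+ local
! 'enable' for lower-privilege users is checked against TACACS+, then enable secret
aaa authentication enable default group tacacs+ enable
! EXEC authorization: this is what applies the server's priv-lvl on login
aaa authorization exec default group tacacs+ local
!
! Still needed so that priv-1 users can escalate with 'enable'
enable secret <placeholder>
!
! Local fallback account, only used when all TACACS+ servers are down
username cisco privilege 15 secret <placeholder>
!
line vty 0 15
 no privilege level
 login authentication rus
 authorization exec default
```

After reconfiguring, telnet in as the admin user and run show privilege; it should report level 15 without an enable prompt, while a user whose shell profile carries priv-lvl=1 should land at level 1. debug aaa authorization shows the priv-lvl value the switch received from ACS. The console line is not affected by aaa authorization exec unless aaa authorization console is also configured, so the poster's login authentication console (method none) keeps working as before.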