Can't go PRIV on Console w TACACS active

Newport_s
Level 1

We can get to EXEC mode on our console ports when TACACS is running, but can't go to PRIV mode. Disconnecting TACACS permits full access through the console. I know we're missing something simple, but can't find it. Please help.

18 Replies

"When entering the enable command when TACACS is working you would normally enter the user's TACACS password again to get into privilege mode."

Exactly, but it's not working. There must be something in TACACS disabling privilege mode from the console even though you've entered the correct TACACS UserID password.

Samih

You suggest that there must be something in TACACS disabling privilege mode from the console. I am not sure that there is a way to configure TACACS that way. I believe that it is more likely something in the configuration of the user ID in TACACS. Can you verify that the username that you are using (whatever it is) is configured in TACACS to have level 15 access for this device or device group?

HTH

Rick


I do have level 15 access because I'm at the PRIV prompt when logging in using vty. The TACACS admin indicated that my 15 is set due to the domain used for authentication. Other users get the USER EXEC prompt and aren't permitted PRIV mode. This function works well.

He's upgrading to a newer version soon so I'm hoping that resolves the problem. I'll keep y'all posted.

Samih

Perhaps it will turn out to be a version issue and the upgrade will fix it. But I am not optimistic about that. I still believe that it is most likely an issue with the configuration of the user ID. It occurs to me that there may be an experiment that will perhaps tell us something useful. I suggest that you make another attempt to log in via the console, attempt to go to privilege mode by using the enable command, and enter your correct password. It will refuse you. Then look (or ask the ACS administrator to look) in the ACS Failed Attempts report and see what reason the TACACS gives for the failure. I suspect that the failure will be something like: Tacacs+ enable privilege too low.

Please give this a try and let us know the results.

HTH

Rick
