router/switch seeking re-entry of username/pwd for enable mode

saurabh_knl
Level 1

Hi,

As per normal conditions, to go into enable mode we type the >enable command, and the router/switch asks for a password. However, what are the possibilities for a router/switch to ask for both username and password on enable mode as well?

The aaa commands on router/switch as below:

aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+

A few more facts observed: to log in to the router/switch I use my username/pwd (TACACS credentials). However, when I hit the >enable command, then either mine or anybody else's (having the appropriate rights) username/pwd credentials work for the enable login.

Is it something to be done on TACACS / ACS or the router/switch itself?

Thanks.

cheers,

Saurabh

8 Replies

Ganesh Hariharan
VIP Alumni

Hi Saurabh,

As per the aaa configuration posted by you:

aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable

The user will be authenticated via the TACACS server, including when the user tries to log in to enable mode on the switch/router.

A few configuration changes need to be done on the TACACS server: you need to select the option to use the same PAP password for the enable prompt under the TACACS+ Enable Password table.

Hope this will solve your problem !!

Regards

Ganesh.H

Hi Ganesh,

Thanks for the response.

Could you please clarify more on "on the TACACS server you need to select the option to use the same PAP password for the enable prompt under the TACACS+ Enable Password table". Please excuse my ignorance in regards to TACACS server configuration / settings.

cheers,

Saurabh

If you are using Cisco ACS, go under the User Setup tab; you will see a tab called TACACS+ Enable Password, from where you can select to use the same as the PAP password.

Regards

Ganesh.H

Hi Ganesh,

Thanks for the response.

I honestly do not have access/control to ACS system. I am looking at this solution from a more understanding perspective.

When you say "under the User Setup tab you will see a tab called TACACS+ Enable Password, from where you can select to use the same as the PAP password", this is a bit confusing, because my only requirement is that when I hit >enable it should only prompt me for a password, and not for both "username/pwd".

I am not sure if what you've already said is the same what I just asked above. Just looking to clarify my doubt.

cheers,

Saurabh

I think I have taken this in the wrong direction. If at the enable prompt it is asking for username and password, then check the configuration under line vty 0 4 for login authentication.

Regards

Ganesh.H

Hi,

Below are the configs:-

line vty 0 4
 exec-timeout 30 0
 password 7 xxxxxxxxxxxxxxxx

 transport input telnet ssh
line vty 5 15
 exec-timeout 30 0
 password 7 xxxxxxxxxxxxxxxxx
 transport input lat pad mop udptn telnet rlogin ssh nasi acercon

aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+

cheers,

Saurabh
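The method lists in the configuration above ("group tacacs+ enable", "group tacacs+ none") are easier to reason about with a small model of how IOS walks them. This is an added illustration, not code from this thread, from Cisco IOS or from ACS; the config lines are copied from the post, and the `results` outcomes fed to `evaluate` are constructed. It encodes the documented IOS rule that the next method is consulted only when the previous one returns an error (server unreachable), never when it rejects the credentials.

```python
"""Model of how Cisco IOS evaluates an AAA method list such as
'group tacacs+ enable'. Added illustration; not IOS or ACS code."""
import re

# Method-list lines copied from the configuration posted in the thread.
CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authorization commands 15 default group tacacs+ none
"""

def parse_method_lists(config):
    """Return {(kind, service, list_name): [method, ...]}."""
    lists = {}
    pat = re.compile(r"aaa (authentication|authorization) (\S+)(?: (\d+))? (\S+) (.+)")
    for line in config.splitlines():
        m = pat.match(line.strip())
        if not m:
            continue
        kind, service, level, name, rest = m.groups()
        tokens = rest.split()
        methods, i = [], 0
        while i < len(tokens):
            if tokens[i] == "group":          # 'group tacacs+' is one method
                methods.append("group " + tokens[i + 1]); i += 2
            else:                             # enable, local, line, none ...
                methods.append(tokens[i]); i += 1
        if level:                             # e.g. 'commands 15'
            service = f"{service} {level}"
        lists[(kind, service, name)] = methods
    return lists

def evaluate(methods, results):
    """Walk a method list the way IOS does: a method that returns ERROR
    (e.g. TACACS+ server unreachable) hands over to the next method; a
    FAIL (credentials rejected) or PASS ends the walk. 'none' always passes.
    `results` is a constructed dict of method -> outcome for the scenario."""
    for method in methods:
        outcome = "PASS" if method == "none" else results.get(method, "FAIL")
        if outcome == "ERROR":
            continue
        return outcome, method
    return "FAIL", None        # every method errored: access denied

def lists_ending_in_none(lists):
    """Method lists whose last resort is 'none': when every server is
    unreachable, the action is allowed with no check at all."""
    return sorted(k for k, v in lists.items() if v and v[-1] == "none")
```

Run against the posted config, `evaluate` shows that a TACACS+ rejection at the enable prompt never falls back to the local enable secret, while `lists_ending_in_none` flags the `commands 15` authorization list as the one that degrades to no check during a server outage.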

Hi Saurabh,

Check out the following link; it will solve your problem and query related to aaa configuration:-

http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfathen.html#wp1001032

Regards

Ganesh.H

vvasisth
Level 1

Check the failed logs in TACACS for enable authentication.

Make sure this user has priv lvl 15 in TACACS.

For testing do "no aaa new-model". This will tell whether it's an issue with the switch or TACACS.

regards,
Varun