Switch does not go directly into global mode

mansi-mhatre
Level 1

Hello Team,

I am using ISE as a TACACS server for switch authentication.

When I try to log in to the switch using SSH with TACACS credentials, I am able to log in successfully, but after login I want to enter enable mode directly without entering the enable command. With the AAA configuration below on the switch, I need to type the enable command to enter enable mode.

Please verify the configuration and suggest.

 

aaa new-model
!
!
aaa group server tacacs+ ISE
server name ise-1
server name ise-2
!
aaa authentication login VTY group ISE local
aaa authentication enable default group ISE enable
aaa authentication dot1x default group radius

aaa authorization config-commands
aaa authorization exec VTY group ISE local if-authenticated
aaa authorization commands 1 VTY group ISE local if-authenticated
aaa authorization commands 15 VTY group ISE local if-authenticated
aaa authorization network default group radius
aaa authorization auth-proxy default group radius


aaa accounting dot1x default start-stop group radius
aaa accounting exec default start-stop group ISE
aaa accounting commands 1 default start-stop group ISE
aaa accounting commands 15 default start-stop group ISE
aaa accounting connection default start-stop group ISE
aaa accounting system default start-stop group ISE
!

21 Replies

Enes Simnica
Level 5

gDay to u @mansi-mhatre and that is a good question. So when u log in via TACACS+, the behavior of dropping directly into privileged EXEC (enable) mode depends on the TACACS authorization settings on ISE, not just the switch configuration. Cause ur switch config looks fine for authentication and command authorization, but right now u’re still prompted to type enable because ISE is not granting you privilege level 15 on login. To achieve what you want (direct login to enable mode), you need to configure the TACACS policy on ISE to return the priv-lvl=15 attribute during authorization.

That's why, my Cisco friend, u need to follow some steps like:

  1. On ISE, edit the TACACS+ profile assigned to the user or group.
  2. In the authorization attributes, set priv-lvl=15.
  3. Make sure your ISE authorization policy for that user/group references this profile.

And with that in place, when the switch receives the TACACS+ authorization response, it will immediately place the session into enable mode (privileged EXEC) without requiring the extra enable command. Long story short, ur switch config is fine; the missing piece is in ISE. U must configure the TACACS+ authorization profile in ISE to return privilege 15.

TACACS+ Configuration Guide

hope it helps and PEACE!

 

-Enes

more Cisco?!
more Gym?!



If this post solved your problem, kindly mark it as Accepted Solution. Much appreciated!

Hi Enes,

We have done the same AAA configuration on other switches with the same TACACS server configuration, but we are not facing the same issue on the other switches, with the same user.

Are you sure you use the exec method VTY under the vty line of this SW?

Double check.

MHM

Hi MHM,

Please find the image below for the VTY configuration of all switches on which we are using the TACACS server.

image001.png

The switch on which we are facing the issue is 10.1.120.8.

Config is identical.

Run

Debug tacacs

Debug aaa authc

Debug aaa authz

on one SW that works and one that does not work, and share the results here.

Thanks 

MHM

Hi MHM,

Not understood, can you explain in more detail?

You run the same config on multiple SWs, and only on .8 the config does not work?
If the above is correct, run the debug on two SWs:
one that works and the .8 non-working SW.
Let's compare the debugs and see at which step .8 rejects using the privilege returned from TACACS.

MHM

Hi MHM,

So to check the debug logs we need to initiate the authentication by accessing the switch, right?

Yes friend, use the same username and password.
MHM

Hi MHM,

Please find the attached log file for the working config and the non-working config:

Aug 21 07:30:47.275: %TAC+: no address for get_server
*Aug 21 07:30:47.275: %TAC+: no address for get_server
*Aug 21 07:30:48.145: %TAC+: no address for get_server
*Aug 21 07:30:48.146: %TAC+: no address for get_server
*Aug 21 07:30:52.752: %TAC+: no address for get_server
*Aug 21 07:30:52.752: %TAC+: no address for get_server
*Aug 21 07:30:59.610: %TAC+: no address for get_server
*Aug 21 07:30:59.610: %TAC+: no address for get_server

There is no IP on the non-working SW to connect to the server; this makes the SW use local, and hence it does not go directly to level 15.

MHM
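As an added example (not code from this thread), the check below takes MHM's reading of the debug output and applies it to a config: it parses the `tacacs server` blocks and the `aaa group server tacacs+` membership and reports group members that have no `address ipv4`, since a server with no address cannot be contacted and the method list falls through to `local`, where no ISE privilege level is ever applied. The sample config is constructed; the thread does not show the switch's `tacacs server` blocks.

```python
import re

# Constructed sample (not the thread's own config): group ISE references ise-1
# and ise-2, but ise-2 has no 'address ipv4'. Following MHM's reading of the
# debug, that is what "%TAC+: no address for get_server" points at.
SAMPLE_CONFIG = """\
tacacs server ise-1
 address ipv4 192.0.2.10
tacacs server ise-2
aaa group server tacacs+ ISE
 server name ise-1
 server name ise-2
aaa authentication login VTY group ISE local
aaa authorization exec VTY group ISE local if-authenticated
"""

def parse_aaa(config):
    """One pass over an IOS config. Returns (servers, groups): servers maps each
    'tacacs server <name>' to its address or None, groups maps each
    'aaa group server tacacs+ <name>' to its 'server name' members."""
    servers, groups, block = {}, {}, None
    for line in config.splitlines():
        if not line.startswith(" "):           # top-level command: new block
            block = None
            m = re.match(r"tacacs server (\S+)", line)
            if m:
                block, servers[m.group(1)] = ("server", m.group(1)), None
            m = re.match(r"aaa group server tacacs\+ (\S+)", line)
            if m:
                block, groups[m.group(1)] = ("group", m.group(1)), []
            continue
        sub = line.split()                     # indented sub-command
        if block and block[0] == "server" and sub[:2] == ["address", "ipv4"] and len(sub) > 2:
            servers[block[1]] = sub[2]
        elif block and block[0] == "group" and sub[:2] == ["server", "name"] and len(sub) > 2:
            groups[block[1]].append(sub[2])
    return servers, groups

def members_without_address(config):
    """{group: [members with no address]}. Each such member logs
    'no address for get_server'; if the group has no usable server, the method
    list falls through to 'local' and the priv-lvl from ISE never applies."""
    servers, groups = parse_aaa(config)
    return {g: [s for s in ms if servers.get(s) is None]
            for g, ms in groups.items() if any(servers.get(s) is None for s in ms)}

if __name__ == "__main__":
    print(members_without_address(SAMPLE_CONFIG))  # {'ISE': ['ise-2']}
```

Run it against `show running-config | section tacacs|aaa group` from the working and the .8 switch; a non-empty result on .8 only is consistent with the debug lines above.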

Check IP of SW and check routing table.

MHM

Hi MHM,

Here, what is meant by "no address" in the logs? We have configured a Management IP as well as a LAN IP for the switch.

Check with

Show ip interface brief

Show ip route

Share this from the non-working SW.

MHM