Switch does not go directly into global mode

mansi-mhatre
Level 1

Hello Team,

I am using ISE as a TACACS server for switch authentication.

When I try to log in to the switch using SSH with TACACS credentials, I am able to log in successfully, but after login I want to enter enable mode directly without entering the >enable command. With the AAA configuration below on the switch, I need to type the enable command to enter enable mode.

Please verify the configuration and suggest.

 

aaa new-model
!
!
aaa group server tacacs+ ISE
server name ise-1
server name ise-2
!
aaa authentication login VTY group ISE local
aaa authentication enable default group ISE enable
aaa authentication dot1x default group radius

aaa authorization config-commands
aaa authorization exec VTY group ISE local if-authenticated
aaa authorization commands 1 VTY group ISE local if-authenticated
aaa authorization commands 15 VTY group ISE local if-authenticated
aaa authorization network default group radius
aaa authorization auth-proxy default group radius


aaa accounting dot1x default start-stop group radius
aaa accounting exec default start-stop group ISE
aaa accounting commands 1 default start-stop group ISE
aaa accounting commands 15 default start-stop group ISE
aaa accounting connection default start-stop group ISE
aaa accounting system default start-stop group ISE
!


Also check the TACACS server IP or hostname.

Note: if you use a hostname, double-check that the SW can resolve the IP.

MHM

Hi MHM,

Kindly check the logs dated 26 August only, because TACACS was configured on 26 August.

Hi MHM,

Please find below the logs for working and non-working.

Non-working:

*Aug 26 10:13:18.082: %SSH-5-SSH2_SESSION: SSH2 Session request from 10.250.5.174 (tty = 0) using crypto cipher 'aes256-ctr', hmac 'hmac-sha2-256-etm@openssh.com' Succeeded
*Aug 26 10:13:25.393: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: kiran.purkar] [Source: 10.250.5.174] [localport: 22] at 10:13:25 UTC Tue Aug 26 2025
*Aug 26 10:13:25.393: %SSH-5-SSH2_USERAUTH: User 'kiran.purkar' authentication for SSH2 Session from 10.250.5.174 (tty = 0) using crypto cipher 'aes256-ctr', hmac 'hmac-sha2-256-etm@openssh.com' Succeeded
*Aug 26 10:14:20.432: TPLUS: Queuing AAA Accounting request 128 for processing
*Aug 26 10:14:20.432: TPLUS: processing accounting request id 128
*Aug 26 10:14:20.432: TPLUS: Sending AV task_id=4145
*Aug 26 10:14:20.432: TPLUS: Sending AV timezone=UTC
*Aug 26 10:14:20.432: TPLUS: Sending AV service=shell
*Aug 26 10:14:20.432: TPLUS: Sending AV priv-lvl=15
*Aug 26 10:14:20.432: TPLUS: Sending AV cmd=debug tacacs <cr>
*Aug 26 10:14:20.432: TPLUS: Accounting request created for 128(kiran.purkar)
*Aug 26 10:14:20.432: TPLUS: using previously set server 10.200.4.47 from group ISE
*Aug 26 10:14:20.432: TPLUS: Source IP selected is: 10.1.122.3
*Aug 26 10:14:20.433: TPLUS(00000080)/0/NB_WAIT/7E36CB1E7358: Started 5 sec timeout
*Aug 26 10:14:20.435: TPLUS(00000080)/0/NB_WAIT: socket event 2
*Aug 26 10:14:20.435: %TAC+: Shared secret is radius@123
*Aug 26 10:14:20.435: TPLUS(00000080)/0/NB_WAIT: wrote entire 123 bytes request
*Aug 26 10:14:20.435: TPLUS(00000080)/0/READ: socket event 1
*Aug 26 10:14:20.435: TPLUS(00000080)/0/READ: Would block while reading
*Aug 26 10:14:20.438: TPLUS(00000080)/0/READ: socket event 1
*Aug 26 10:14:20.438: TPLUS(00000080)/0/READ: read entire 12 header bytes (expect 5 bytes data)
*Aug 26 10:14:20.438: TPLUS(00000080)/0/READ: socket event 1
*Aug 26 10:14:20.438: TPLUS(00000080)/0/READ: read entire 17 bytes response
*Aug 26 10:14:20.438: %TAC+: Shared secret is radius@123
*Aug 26 10:14:20.438: TPLUS(00000080)/0/7E36CB1E7358: Processing the reply packet
*Aug 26 10:14:20.438: TPLUS: Received accounting response with status PASS
*Aug 26 10:15:05.377: TAC+: using previously set server 10.200.4.47 from group ISE
*Aug 26 10:15:05.377: TAC+: Opening TCP/IP to 10.200.4.47/49 timeout=5
*Aug 26 10:15:05.379: TAC+: Opened TCP/IP handle 0x7E36CF1B0928 to 10.200.4.47/49 using source 10.1.122.3
*Aug 26 10:15:05.379: TAC+: Opened 10.200.4.47 index=1
*Aug 26 10:15:05.380: TAC+: 10.200.4.47 (1243678131) AUTHOR/START queued
*Aug 26 10:15:05.579: TAC+: (1243678131) AUTHOR/START processed
*Aug 26 10:15:05.580: TAC+: (1243678131): received author response status = PASS_ADD
*Aug 26 10:15:05.580: TAC+: Closing TCP/IP 0x7E36CF1B0928 connection to 10.200.4.47/49
*Aug 26 10:15:05.581: TPLUS: Queuing AAA Accounting request 128 for processing
*Aug 26 10:15:05.581: TPLUS: processing accounting request id 128
*Aug 26 10:15:05.581: TPLUS: Sending AV task_id=4146
*Aug 26 10:15:05.581: TPLUS: Sending AV timezone=UTC
*Aug 26 10:15:05.581: TPLUS: Sending AV service=shell
*Aug 26 10:15:05.581: TPLUS: Sending AV priv-lvl=15
*Aug 26 10:15:05.581: TPLUS: Sending AV cmd=debug aaa authentication <cr>
*Aug 26 10:15:05.581: TPLUS: Accounting request created for 128(kiran.purkar)
*Aug 26 10:15:05.581: TPLUS: using previously set server 10.200.4.47 from group ISE
*Aug 26 10:15:05.582: TPLUS: Source IP selected is: 10.1.122.3
*Aug 26 10:15:05.582: TPLUS(00000080)/0/NB_WAIT/7E36CB1E7358: Started 5 sec timeout
*Aug 26 10:15:05.597: TPLUS: Queuing AAA Accounting request 128 for processing
*Aug 26 10:15:05.598: TPLUS(00000080)/0/NB_WAIT: socket event 2
*Aug 26 10:15:05.598: %TAC+: Shared secret is radius@123
*Aug 26 10:15:05.598: TPLUS(00000080)/0/NB_WAIT: wrote entire 135 bytes request
*Aug 26 10:15:05.598: TPLUS(00000080)/0/READ: socket event 1

Working:

*Aug 26 10:13:51.317: %SSH-5-SSH2_SESSION: SSH2 Session request from 10.250.5.174 (tty = 0) using crypto cipher 'aes256-ctr', hmac 'hmac-sha2-256-etm@openssh.com' Succeeded
*Aug 26 10:13:58.701: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: kiran.purkar] [Source: 10.250.5.174] [localport: 22] at 10:13:58 UTC Tue Aug 26 2025
*Aug 26 10:13:58.701: %SSH-5-SSH2_USERAUTH: User 'kiran.purkar' authentication for SSH2 Session from 10.250.5.174 (tty = 0) using crypto cipher 'aes256-ctr', hmac 'hmac-sha2-256-etm@openssh.com' Succeeded
*Aug 26 10:15:03.651: TPLUS: Queuing AAA Accounting request 204 for processing
*Aug 26 10:15:03.652: TPLUS: processing accounting request id 204
*Aug 26 10:15:03.652: TPLUS: Sending AV task_id=4198
*Aug 26 10:15:03.652: TPLUS: Sending AV timezone=UTC
*Aug 26 10:15:03.652: TPLUS: Sending AV service=shell
*Aug 26 10:15:03.652: TPLUS: Sending AV priv-lvl=15
*Aug 26 10:15:03.652: TPLUS: Sending AV cmd=debug tacacs <cr>
*Aug 26 10:15:03.652: TPLUS: Accounting request created for 204(kiran.purkar)
*Aug 26 10:15:03.652: TPLUS: using previously set server 10.200.4.47 from group ISE
*Aug 26 10:15:03.652: TPLUS: Source IP selected is: 10.1.122.2
*Aug 26 10:15:03.652: TPLUS(000000CC)/0/NB_WAIT/714BB4A4A338: Started 5 sec timeout
*Aug 26 10:15:03.654: TPLUS(000000CC)/0/NB_WAIT: socket event 2
*Aug 26 10:15:03.654: %TAC+: Shared secret is radius@123
*Aug 26 10:15:03.654: TPLUS(000000CC)/0/NB_WAIT: wrote entire 123 bytes request
*Aug 26 10:15:03.654: TPLUS(000000CC)/0/READ: socket event 1
*Aug 26 10:15:03.654: TPLUS(000000CC)/0/READ: Would block while reading
*Aug 26 10:15:03.657: TPLUS(000000CC)/0/READ: socket event 1
*Aug 26 10:15:03.657: TPLUS(000000CC)/0/READ: read entire 12 header bytes (expect 5 bytes data)
*Aug 26 10:15:03.658: TPLUS(000000CC)/0/READ: socket event 1
*Aug 26 10:15:03.658: TPLUS(000000CC)/0/READ: read entire 17 bytes response
*Aug 26 10:15:03.658: %TAC+: Shared secret is radius@123
*Aug 26 10:15:03.658: TPLUS(000000CC)/0/714BB4A4A338: Processing the reply packet
*Aug 26 10:15:03.658: TPLUS: Received accounting response with status PASS
*Aug 26 10:15:19.898: TAC+: using previously set server 10.200.4.47 from group ISE
*Aug 26 10:15:19.898: TAC+: Opening TCP/IP to 10.200.4.47/49 timeout=5
*Aug 26 10:15:19.900: TAC+: Opened TCP/IP handle 0x714BB4A5BD40 to 10.200.4.47/49 using source 10.1.122.2
*Aug 26 10:15:19.900: TAC+: Opened 10.200.4.47 index=1
*Aug 26 10:15:19.901: TAC+: 10.200.4.47 (324962257) AUTHOR/START queued
*Aug 26 10:15:20.100: TAC+: (324962257) AUTHOR/START processed
*Aug 26 10:15:20.100: TAC+: (324962257): received author response status = PASS_ADD
*Aug 26 10:15:20.100: TAC+: Closing TCP/IP 0x714BB4A5BD40 connection to 10.200.4.47/49
*Aug 26 10:15:20.103: TPLUS: Queuing AAA Accounting request 204 for processing
*Aug 26 10:15:20.103: TPLUS: processing accounting request id 204
*Aug 26 10:15:20.103: TPLUS: Sending AV task_id=4199
*Aug 26 10:15:20.103: TPLUS: Sending AV timezone=UTC
*Aug 26 10:15:20.103: TPLUS: Sending AV service=shell
*Aug 26 10:15:20.103: TPLUS: Sending AV priv-lvl=15
*Aug 26 10:15:20.103: TPLUS: Sending AV cmd=debug aaa authentication <cr>
*Aug 26 10:15:20.103: TPLUS: Accounting request created for 204(kiran.purkar)
*Aug 26 10:15:20.103: TPLUS: using previously set server 10.200.4.47 from group ISE
*Aug 26 10:15:20.104: TPLUS: Source IP selected is: 10.1.122.2
*Aug 26 10:15:20.104: TPLUS(000000CC)/0/NB_WAIT/714BB4A4A338: Started 5 sec timeout
*Aug 26 10:15:20.106: TPLUS: Queuing AAA Accounting request 204 for processing
*Aug 26 10:15:20.106: TPLUS(000000CC)/0/NB_WAIT: socket event 2
*Aug 26 10:15:20.106: %TAC+: Shared secret is radius@123
*Aug 26 10:15:20.107: TPLUS(000000CC)/0/NB_WAIT: wrote entire 135 bytes request
*Aug 26 10:15:20.107: TPLUS(000000CC)/0/READ: socket event 1
*Aug 26 10:15:20.107: TPLUS(000000CC)/0/READ: Would block while reading
*Aug 26 10:15:20.107: TPLUS: processing accounting request id 204
*Aug 26 10:15:20.107: TPLUS: Sending AV task_id=4200
*Aug 26 10:15:20.107: TPLUS: Sending AV timezone=UTC
*Aug 26 10:15:20.107: TPLUS: Sending AV service=shell
*Aug 26 10:15:20.107: TPLUS: Sending AV priv-lvl=15
*Aug 26 10:15:20.107: TPLUS: Sending AV cmd=set platform software trace smd switch 1 R0 aaa-authen debug <cr>
*Aug 26 10:15:20.107: TPLUS: Accounting request created for 204(kiran.purkar)
*Aug 26 10:15:20.107: TPLUS: using previously set server 10.200.4.47 from group ISE
*Aug 26 10:15:20.107: TPLUS: Source IP selected is: 10.1.122.2
*Aug 26 10:15:20.107: TPLUS(000000CC)/1/NB_WAIT/714BB4763490: Started 5 sec timeout
*Aug 26 10:15:20.109: TPLUS(000000CC)/1/NB_WAIT: socket event 2

 

 

 

Jens Albrecht
Spotlight

Hello @mansi-mhatre,

as mentioned by @MHM Cisco World you need to enable AAA debugging and check the output to confirm that the switch receives the correct attributes to assign the privilege level.

The output will look similar to this:

! Enable these debugs:
Rtr01#debug aaa authentication 
Rtr01#debug aaa authorization 
Rtr01#
! First you will see the list that is picked for authentication:
*Aug 26 10:23:52.964: AAA/BIND(00000014): Bind i/f  
*Aug 26 10:23:52.964: AAA/AUTHEN/LOGIN (00000014): Pick method list 'default' 
Rtr01#
! Then you will see the list that is picked for authorization and the attributes sent by Tacacs:
*Aug 26 10:24:01.375: AAA/AUTHOR (0x14): Pick method list 'default'
*Aug 26 10:24:01.388: AAA/AUTHOR/EXEC(00000014): processing AV cmd=
*Aug 26 10:24:01.388: AAA/AUTHOR/EXEC(00000014): processing AV priv-lvl=15
*Aug 26 10:24:01.388: AAA/AUTHOR/EXEC(00000014): Authorization successful
Rtr01#

This was taken from a successful login with privilege level 15. I used the 'default' list so your output will display the names of your lists.

This will show whether the switch receives the attributes from Tacacs and correctly applies them.

HTH!
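
An added example, not part of the original reply: a small Python parser for `debug aaa authentication` / `debug aaa authorization` output in the format quoted above, reporting per session which method lists were picked and whether a `priv-lvl` attribute arrived. The log lines are constructed (using the `VTY` list name from the question), and the function names and finding strings are this example's own.

```python
import re

# Constructed sample lines in the format of the debug output quoted above.
SAMPLE = """\
*Aug 26 10:23:52.964: AAA/AUTHEN/LOGIN (00000014): Pick method list 'VTY'
*Aug 26 10:24:01.375: AAA/AUTHOR (0x14): Pick method list 'VTY'
*Aug 26 10:24:01.388: AAA/AUTHOR/EXEC(00000014): processing AV priv-lvl=15
*Aug 26 10:24:01.388: AAA/AUTHOR/EXEC(00000014): Authorization successful
*Aug 26 10:30:10.100: AAA/AUTHEN/LOGIN (00000015): Pick method list 'VTY'
*Aug 26 10:30:12.200: AAA/AUTHOR (0x15): Pick method list 'VTY'
*Aug 26 10:30:12.210: AAA/AUTHOR/EXEC(00000015): Authorization successful
*Aug 26 10:31:00.000: AAA/AUTHEN/LOGIN (00000016): Pick method list 'VTY'
"""

# Session ids appear both as (00000014) and as (0x14); both are hex.
LINE = re.compile(
    r"AAA/(AUTHEN/LOGIN|AUTHOR/EXEC|AUTHOR)\s*\((?:0x)?([0-9A-Fa-f]+)\):\s*(.*)")
LIST = re.compile(r"Pick method list '([^']+)'")
PRIV = re.compile(r"processing AV priv-lvl=(\d+)")

def summarize(text):
    """Group AAA debug lines by session id and record what each session saw."""
    sessions = {}
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # e.g. AAA/BIND lines or unrelated syslog
        stage, sid, rest = m.group(1), int(m.group(2), 16), m.group(3)
        s = sessions.setdefault(
            sid, dict.fromkeys(("authen_list", "author_list", "priv_lvl")))
        picked = LIST.search(rest)
        if picked and stage == "AUTHEN/LOGIN":
            s["authen_list"] = picked.group(1)
        elif picked and stage == "AUTHOR":
            s["author_list"] = picked.group(1)
        elif stage == "AUTHOR/EXEC":
            priv = PRIV.search(rest)
            if priv:
                s["priv_lvl"] = int(priv.group(1))
    return sessions

def diagnose(s, wanted=15):
    # Report the first stage at which the expected privilege level is missing.
    if s["author_list"] is None:
        return "no exec authorization method list was picked"
    if s["priv_lvl"] is None:
        return "exec authorization ran but no priv-lvl AV was received"
    if s["priv_lvl"] < wanted:
        return f"priv-lvl={s['priv_lvl']} received, below {wanted}"
    return "ok"
```

Running `summarize()` over the captured debug output from a working and a non-working switch and comparing the `diagnose()` result per session shows at which stage the two devices diverge.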

Hello


@mansi-mhatre wrote:

 

We have done the same AAA configuration on other switches with the same TACACS server configuration, but we are not facing the same issue with other switches, with the same user.

Is this a local database user? If so:

username xxx privilege 15

or

line vty x
privilege level 15





Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Janne K.
Level 1

Do you have all of the switches in your ISE as network devices?

Try looking in the ISE TACACS live logs and see which authentication and authorization profile you are hitting.