Below are my TACACS+ configuration on my cisco 3560 switch and my question is, how can I configure the switch so I would not have to type enable after I put the username and password? with the configs below, users have to type enable every time they log in to the switch in order to get into the user exec mode#. Please let me know if there is anything missing from my configs to help me bypass typing "enable"
thanks in advance,
MacBookAir:~ MacBook$ ssh email@example.com
Switch#show run | include aaa
aaa group server tacacs+ cppm
aaa authentication login default group tacacs+ local
aaa authentication enable default none
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting dot1x default start-stop group radius
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa server radius dynamic-author
aaa session-id common
Solved! Go to Solution.
Hardcoding level 15 into line vty could be a serious security risk. Anyone who logs on via telnet/ssh will have priv 1. You're meant to provide an AAA list would according to the authentication method will authenticate you. The shell level will be supplied as an attribute according to the TACACS or RADIUS server policy.
Take a look at: http://www.cisco.com/c/en/us/support/docs/security-vpn/terminal-access-controller-access-control-system-tacacs-/10384-security.html
Specifically under "Configuring authentication"
Put into your configiguration file:
username XXXX privilege 15 password YYYY
Since then everyone who logs in with credentials XXXX and password YYYY will get level 15 prompt.
You do not want everyone who logs in to vty lines to get level 15 straight away, right? :)
Of course put your real username and password there instead of "XXXX" and "YYYY"