TACACS+ with cisco 3560 switch configuration question

ffadhilpi
Level 1

Hi Forum,

Below is my TACACS+ configuration on my Cisco 3560 switch, and my question is: how can I configure the switch so I would not have to type enable after I enter the username and password? With the configs below, users have to type enable every time they log in to the switch in order to get into the user exec mode#. Please let me know if there is anything missing from my configs to help me bypass typing "enable".

Thanks in advance,

MacBookAir:~ MacBook$ ssh username@10.10.193.170
Password: 

Switch>en
Switch#show run | include aaa
aaa new-model
aaa group server tacacs+ cppm
aaa authentication login default group tacacs+ local
aaa authentication enable default none
aaa authorization exec default group tacacs+ if-authenticated 
aaa authorization commands 1 default group tacacs+ if-authenticated 
aaa authorization commands 15 default group tacacs+ if-authenticated 
aaa accounting dot1x default start-stop group radius
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa server radius dynamic-author
aaa session-id common
Switch#

Accepted Solution

Steve Fuller
Level 9

Hi,

Add the command privilege level 15 in the line VTY configuration.

line vty 0 4
 [..]
 privilege level 15
!

Regards

4 Replies

Bingo, that did it. Thanks Steve.

Hardcoding level 15 into line vty could be a serious security risk. Anyone who logs on via telnet/ssh will have priv 1. You're meant to provide an AAA list which, according to the authentication method, will authenticate you. The shell level will be supplied as an attribute according to the TACACS or RADIUS server policy.

Take a look at: http://www.cisco.com/c/en/us/support/docs/security-vpn/terminal-access-controller-access-control-system-tacacs-/10384-security.html

Specifically under "Configuring authentication"
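As an added defender-side example (not from this thread, and not Cisco's own tooling), here is a small Python audit that parses a running-config like the one posted above and flags the settings discussed in this thread: a hardcoded privilege level 15 on the vty lines, "aaa authentication enable default none" (which is why "en" in the original transcript prompted for no password), and the "if-authenticated" fallback on the authorization lists, which grants authorization whenever the TACACS+ server cannot be reached. The sample config is constructed from the lines in this thread plus the vty change from the accepted answer.

```python
import re

# Constructed sample running-config: the thread's "show run | include aaa"
# output trimmed, plus the "privilege level 15" vty change from the accepted answer.
SAMPLE_CONFIG = """\
aaa new-model
aaa group server tacacs+ cppm
aaa authentication login default group tacacs+ local
aaa authentication enable default none
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
line con 0
 logging synchronous
line vty 0 4
 privilege level 15
 transport input ssh
line vty 5 15
 transport input ssh
"""


def parse_line_blocks(config):
    """Map each 'line ...' stanza to its indented sub-commands, e.g.
    {'line vty 0 4': ['privilege level 15', 'transport input ssh'], ...}."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif current is not None and raw.startswith(" "):
            blocks[current].append(raw.strip())
        else:
            current = None  # any unindented line ends the stanza
    return blocks


def audit_aaa(config):
    """Return a list of findings for the weak settings discussed in this thread."""
    findings = []
    for name, cmds in parse_line_blocks(config).items():
        if name.startswith("line vty") and any(c.startswith("privilege level 15") for c in cmds):
            findings.append(f"{name}: hardcoded privilege level 15 gives every remote login privileged EXEC")
    if re.search(r"^aaa authentication enable default none\s*$", config, re.M):
        findings.append("aaa authentication enable default none: 'enable' requires no password")
    for m in re.finditer(r"^aaa authorization (exec|commands \d+) default .*if-authenticated", config, re.M):
        findings.append(f"{m.group(0)}: if-authenticated authorizes any authenticated user when TACACS+ is unreachable")
    return findings


if __name__ == "__main__":
    for finding in audit_aaa(SAMPLE_CONFIG):
        print(finding)
```

The fix the thread points to is to leave the vty privilege level at its default and have the TACACS+ server return the shell privilege level through exec authorization, so this audit stays clean on a correctly configured switch.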

Put into your configuration file:

!
!
username XXXX privilege 15 password YYYY
!
!

From then on, everyone who logs in with username XXXX and password YYYY will get a level 15 prompt.
You do not want everyone who logs in to the vty lines to get level 15 straight away, right? :) 

Of course, put your real username and password there instead of "XXXX" and "YYYY".

regards
