cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

1082
Views
0
Helpful
4
Replies
Beginner

TACACS+ with cisco 3560 switch configuration question

Hi Forum,

 

Below are my TACACS+ configuration on my cisco 3560 switch and my question is, how can I configure the switch so I would not have to type enable after I put the username and password? with the configs below, users have to type enable every time they log in to the switch in order to get into the user exec mode#. Please let me know if there is anything missing from my configs to help me bypass typing "enable"

 

thanks in advance,

 

 

MacBookAir:~ MacBook$ ssh username@10.10.193.170

Password: 

 

Switch>en

Switch#show run | include aaa

aaa new-model

aaa group server tacacs+ cppm

aaa authentication login default group tacacs+ local

aaa authentication enable default none

aaa authorization exec default group tacacs+ if-authenticated 

aaa authorization commands 1 default group tacacs+ if-authenticated 

aaa authorization commands 15 default group tacacs+ if-authenticated 

aaa accounting dot1x default start-stop group radius

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

aaa server radius dynamic-author

aaa session-id common

Switch#

 

Everyone's tags (1)
1 ACCEPTED SOLUTION

Accepted Solutions
Engager

Hi,

Hi,

Add the command privilege level 15 in the line VTY configuration.

line vty 0 4
 [..]
 privilege level 15
!

 

Regards

4 REPLIES 4
Engager

Hi,

Hi,

Add the command privilege level 15 in the line VTY configuration.

line vty 0 4
 [..]
 privilege level 15
!

 

Regards

Beginner

Bingo, that did it. Thanks

Bingo, that did it. Thanks Steve.

Rising star

Hardcoding level 15 into line

Hardcoding level 15 into line vty could be a serious security risk. Anyone who logs on via telnet/ssh will have priv 1. You're meant to provide an AAA list would according to the authentication method will authenticate you. The shell level will be supplied as an attribute according to the TACACS or RADIUS server policy.

Take a look at:  http://www.cisco.com/c/en/us/support/docs/security-vpn/terminal-access-controller-access-control-system-tacacs-/10384-security.html

 

Specifically under "Configuring authentication"

Beginner

Put into your configiguration

Put into your configiguration file:

!
!
username XXXX privilege 15 password YYYY
!
!

Since then everyone who logs in with credentials  XXXX and password YYYY will get level 15 prompt.
You do not want everyone who logs in to vty lines to get level 15 straight away, right? :) 

Of course put your real username and password there instead of "XXXX" and "YYYY"

regards


CreatePlease to create content
Content for Community-Ad
July's Community Spotlight Awards