TACACs+ commands not dropping me into enable mode

GRANT3779

Hi All,

I've just configured the following on a router running IOS 15. All my other devices are running the old TACACS commands, but I thought I'd try the new CLI version.
It works, e.g. I get prompted for username/password and it authenticates against our AD server (integrated with ACS 4.2). I get into the router, but only into user mode.

My other devices drop me straight into priv mode. The only difference is the new commands vs. the old commands, but I can't see anything that is different in relation to putting me into priv mode.

Any ideas?

aaa group server tacacs+ ABC_ACS
 server name ABC_TAC
!
tacacs server ABC_TAC
 address ipv4 172.27.10.10
 key secretkey
!
aaa authentication login ACS_List group ABC_ACS line
aaa authorization exec ACS_List group ABC_ACS if-authenticated
aaa accounting exec ACS_List start-stop group ABC_ACS
aaa accounting commands 15 ACS_List start-stop group ABC_ACS
!
line vty 0 4
 password test
 authorization exec ACS_List
 accounting commands 15 ACS_List
 accounting exec ACS_List
 login authentication ACS_List
 length 0
 transport input ssh


Naveen Kumar
Level 4

Make sure you have defined the username with a static privilege level of 15; otherwise it will not be able to pass the enable authentication.

If ACS 5.x or higher, go to Policy Elements > Shell Profile and make sure you have one assigned with a static maximum privilege of 15 and, most important, that it is applied in an access-policy rule.
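An added example, not code from the original thread or from Cisco, that shows the mechanism the reply above relies on: the router's `aaa authorization exec` request is answered by a TACACS+ authorization REPLY, and the exec privilege level comes from the `priv-lvl` attribute in that reply. The Python below assumes the RFC 8907 packet layout; it builds and decodes reply bodies, de-obfuscates a body with the shared key (the same way a protocol analyser does), and works out the level the router ends up at. The session id, sequence number and reply contents are constructed for illustration, not captured from a real ACS, and the name `exec_priv_lvl` is this example's own.

```python
"""Decode TACACS+ authorization REPLY bodies (RFC 8907) and derive the exec
privilege level the router will grant.

Added example, not code from the original post or from Cisco. It assumes the
RFC 8907 packet layout; the session id, sequence number and reply contents
below are constructed for illustration, not captured from a real ACS.
"""
import hashlib
import re
import struct

# Authorization REPLY status codes (RFC 8907, section 6.2).
AUTHOR_STATUS_PASS_ADD = 0x01
AUTHOR_STATUS_PASS_REPL = 0x02
AUTHOR_STATUS_FAIL = 0x10
AUTHOR_STATUS_ERROR = 0x11

TACACS_VERSION = 0xC0  # major 0xC, minor 0: the version byte used for shell authorization

# An argument is name, then '=' (mandatory) or '*' (optional), then value.
_ARG_RE = re.compile(r"^([^=*]+)([=*])(.*)$", re.S)


def keystream(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Pseudo-pad of RFC 8907 section 4.5: pad_1 = MD5(session_id|key|version|seq_no),
    pad_n = MD5(session_id|key|version|seq_no|pad_{n-1}), concatenated and truncated."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pad. The same call de-obfuscates a captured body."""
    pad = keystream(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_author_reply(status: int, args: list, server_msg: bytes = b"", data: bytes = b"") -> bytes:
    """Encode an authorization REPLY body: status, arg_cnt, server_msg_len,
    data_len, one length byte per arg, then server_msg, data and the args."""
    if len(args) > 255 or any(len(a) > 255 for a in args):
        raise ValueError("arg count and arg lengths are single bytes")
    head = struct.pack("!BBHH", status, len(args), len(server_msg), len(data))
    return head + bytes(len(a) for a in args) + server_msg + data + b"".join(args)


def parse_author_reply(body: bytes):
    """Inverse of build_author_reply. Returns (status, server_msg, [args])."""
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    off = 6
    arg_lens = list(body[off:off + arg_cnt])
    off += arg_cnt
    if len(arg_lens) != arg_cnt:
        raise ValueError("truncated arg length table")
    server_msg = body[off:off + msg_len]
    off += msg_len
    off += data_len  # 'data' is unused for shell authorization; skip it
    args = []
    for n in arg_lens:
        args.append(body[off:off + n].decode("ascii"))
        off += n
    if off != len(body):
        raise ValueError("body length does not match declared fields")
    return status, server_msg.decode("ascii", "replace"), args


def exec_priv_lvl(reply_body: bytes, line_default: int = 1):
    """Privilege level the NAS ends up with after exec authorization.
    None means the server refused authorization; a PASS reply that carries no
    priv-lvl keeps the line's default level, which is the user-mode result
    described in the post. (Modelled behaviour; an assumption of this example.)"""
    status, _msg, args = parse_author_reply(reply_body)
    if status not in (AUTHOR_STATUS_PASS_ADD, AUTHOR_STATUS_PASS_REPL):
        return None
    for arg in args:
        m = _ARG_RE.match(arg)
        if m and m.group(1) == "priv-lvl":  # mandatory or optional, both count
            lvl = int(m.group(3))
            if not 0 <= lvl <= 15:
                raise ValueError(f"priv-lvl out of range: {lvl}")
            return lvl
    return line_default


if __name__ == "__main__":
    key = b"secretkey"                   # shared key from the post's config
    session_id, seq_no = 0x1A2B3C4D, 2   # hypothetical; seq 2 is the server's first reply
    # Constructed replies: the first is what a group/shell profile with a static
    # level 15 produces, the second a PASS with no privilege level at all.
    good = build_author_reply(AUTHOR_STATUS_PASS_ADD, [b"priv-lvl=15"])
    no_lvl = build_author_reply(AUTHOR_STATUS_PASS_ADD, [b"service=shell"])
    wire = obfuscate(good, session_id, key, TACACS_VERSION, seq_no)
    print("on the wire:", wire.hex())
    print("decoded    :", parse_author_reply(obfuscate(wire, session_id, key, TACACS_VERSION, seq_no)))
    print("level with priv-lvl=15:", exec_priv_lvl(good))
    print("level without priv-lvl:", exec_priv_lvl(no_lvl))
```

To check a real device, capture the TACACS+ session on TCP/49 and decode the server's authorization reply with the shared key: if the reply is a PASS but has no `priv-lvl=15` argument, the ACS side (group shell settings on 4.x, the shell profile and its access-policy rule on 5.x) is what needs fixing, not the router's method lists.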