Aaa authentication enable command

Hi,
If I configure the following command, how can I enter the enable user name and password to get into the enable prompt? Can someone explain to me how to enable TACACS authentication for enable access?
"aaa authentication enable default group tacacs+ enable",
TIA
krishna

Assuming that your IOS device is otherwise correctly configured for TACACS (has the proper TACACS server address, proper TACACS key) and that the TACACS server is configured to recognize and process this machine as a client for authentication, then using this command:
aaa authentication enable default group tacacs+ enable
will cause the IOS device to send an authentication request to the TACACS server when someone attempts to access privilege mode. If the TACACS server does not respond the IOS device will use the local enable secret (or password) to authenticate enable mode. This is the only thing that you must do on the IOS device. On the TACACS server you must be sure that the user ID is correctly configured for access to this device and the user is checked for level 15 access.
HTH
Rick
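The fallback rule Rick describes is the part that is most often misread: IOS moves on to the next method in a list only when the current method returns an error (the server did not respond), never when the server answers with a reject. The simulation below is an added example, not code from the thread; it models the method list `aaa authentication enable default group tacacs+ enable` with constructed server and local responses, so you can see that a typed local enable secret is refused while the TACACS+ server is reachable and is only consulted once the server stops answering.

```python
"""Model of IOS method-list evaluation for
    aaa authentication enable default group tacacs+ enable
Added example; the server behaviour and all credentials are constructed."""
from enum import Enum


class Result(Enum):
    PASS = "PASS"    # the method accepted the credentials
    FAIL = "FAIL"    # the method was reached and rejected the credentials
    ERROR = "ERROR"  # the method could not be used (no server reply)


# Constructed data: per-user enable passwords held by the TACACS+ server,
# and the device's own 'enable secret'.
SERVER_ENABLE_PASSWORDS = {"krishna": "tac-enable-pw"}
LOCAL_ENABLE_SECRET = "local-secret"


def tacacs_group(server_reachable):
    """'group tacacs+' method: ERROR when the server does not answer,
    otherwise PASS/FAIL according to the server's enable password."""
    def method(cred):
        if not server_reachable:
            return Result.ERROR
        expected = SERVER_ENABLE_PASSWORDS.get(cred["user"])
        return Result.PASS if expected == cred["password"] else Result.FAIL
    return method


def local_enable(cred):
    """'enable' method: compare with the locally configured enable secret."""
    return Result.PASS if cred["password"] == LOCAL_ENABLE_SECRET else Result.FAIL


def run_method_list(methods, cred):
    """Evaluate methods in order.  IOS tries the next method only after an
    ERROR; a FAIL is final, so a server reject never falls through to the
    local secret.  Returns (final result, trail of (method name, result))."""
    trail = []
    for name, method in methods:
        result = method(cred)
        trail.append((name, result))
        if result is not Result.ERROR:
            return result, trail
    return Result.FAIL, trail  # every method errored and 'none' was not listed


def enable_attempt(server_reachable, user, password):
    """One 'enable' attempt against the method list discussed in the thread."""
    methods = [("group tacacs+", tacacs_group(server_reachable)),
               ("enable", local_enable)]
    return run_method_list(methods, {"user": user, "password": password})


if __name__ == "__main__":
    for up, pw in [(True, "tac-enable-pw"), (True, "local-secret"),
                   (False, "local-secret"), (False, "wrong")]:
        result, trail = enable_attempt(up, "krishna", pw)
        print(f"server_up={up!s:5} password={pw:14} -> {result.value:5} via "
              + " -> ".join(f"{n}:{r.value}" for n, r in trail))
```

Running the block prints the four cases; the second one (server reachable, local secret typed) fails after a single method, which is exactly why the local enable password stops working the moment the server is reachable and the user's server-side enable password is what has to match.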

Similar Messages

  • Why do we need aaa authentication enable

    Hi all 
    Why do we need the "aaa authentication enable default group tacacs+ enable"? Is "aaa authentication login default group tacacs+ enable" not enough?
     aaa authentication login default group tacacs+ enable
     aaa authentication enable default group tacacs+ enable
    Thanks 

    Hi jatin,
    Just for clarification, if I add "aaa authentication enable default group tacacs+ enable", once authenticated the device will go directly to enable mode.
    As you said
    aaa authentication login default group tacacs+ local
    in case tacacs failed, the user has to enter the local username and password. Once it is authenticated,
    "aaa authentication enable default group tacacs+ enable" will be executed and the user will have to enter the enable (local db) secret.
    Please correct me if I am wrong.
    aaa authentication login default group tacacs+ enable
    aaa authentication enable default group tacacs+ enable
    aaa authorization console
    aaa authorization exec default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+

  • Aaa authentication enable console (server_name) password issue

    Here is the problem I am experiencing and I hope someone out there is able to help;
    I have an ASA5510 (running software Version 8.0(3)). I have enabled remote authentication to our company's TACACS server (which is running the TACACS open source supplied by Cisco).
    The problem is as follows;
    I can telnet to the appliance remotely and using my username and password (configured on the TACACS server) I am authenticated. But after entering enable, I am prompted with the password prompt, and I cannot get past this prompt. I have tried the same password I previously entered at the telnet prompt and failed; the local enable password fails as well. Any suggestions?
    aaa-server (server_name) protocol tacacs+
    aaa-server (server_name) (interlinkport) host (Address)
    key (password)
    aaa authentication enable console (server_name) LOCAL
    aaa authentication enable console (server_name) LOCAL
    aaa authentication http console (server_name) LOCAL
    aaa authentication serial console (server_name) LOCAL
    aaa authentication ssh console (server_name) LOCAL
    aaa authentication telnet console (server_name) LOCAL
    aaa accounting command privilege 15 (server_name)
    aaa authorization exec authentication-server

    I think I can help you here since I've been using Cisco
    Freeware TACACS+ for almost 7 years now. I am not
    an expert, just enough to be dangerous.
    Since the code is open-source, each company uses it
    differently; however, there is one thing that will
    always be true. That would be the enable.c file,
    which is a C program. You would need to modify
    this file so that EVERYONE can have his/her own
    enable password, just like Cisco ACS running on
    Windows platforms.
    The configuration file would look something like this:
    accounting file = /var/log/tac_plus.log
    key = zFgGkIooIsZ.Q
    user = cciesec {
        member = admin
        name = "ccie security"
        login = cleartext "cciesec"
    }
    user = $cciesec$ {
        member = admin
        name = "ccie security"
        login = cleartext "cciesec1"
    }
    group = admin {
        default service = permit
    }
    On the Pix:
    aaa-server NEO protocol tacacs+
    aaa-server NEO (outside) host 192.168.15.10
    timeout 5
    key cciesec
    aaa authentication ssh console NEO LOCAL
    aaa authentication enable console NEO LOCAL
    Here is the login sequence:
    [root@dca2-LinuxES root]# ssh -l cciesec 192.168.0.25
    The authenticity of host '192.168.0.25 (192.168.0.25)' can't be established.
    RSA key fingerprint is c2:48:15:85:92:7f:56:15:a8:0f:80:d9:88:50:fd:1c.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.0.25' (RSA) to the list of known hosts.
    cciesec@192.168.0.25's password:
    Type help or '?' for a list of available commands.
    CiscoPix> en
    Password: ********
    CiscoPix#
    In other words, my initial password is "cciesec" and my enable password
    is "cciesec1". Another user "tom" will have his own login and enable
    password.
    Simple enough?

  • Aaa authentication enable console issue

    I have an ASA5505 running 8.2(5). It is configured with
    aaa authentication telnet console xxxxxx LOCAL
    and I am able to use my username and password to telnet in, but I then have to use the local enable password to get to privileged exec mode.
    I tried configuring aaa authentication enable console xxxxxx LOCAL so that when I try to access privileged exec mode, I would be prompted for my password instead of the enable password, but it doesn't work.
    I also tried removing the aaa authentication telnet console xxxxxx LOCAL and telnetted in with the local passwd.
    I was prompted for a username and password when trying to get to priv exec mode, but again, the credentials did not work.
    Could there be something that needs to be changed on the ACS server to make this work?
    Thanks.

    Using TACACS+
    No command authorization rules are being used
    When I add the aaa authentication enable console xxxxxxxx LOCAL command,
    and use login instead of enable, I get Login failed if I try to use my credentials.
    However, if I use login with the locally configured username and password, it lets me in.
    Here is the config (without the aaa authentication enable console command):
    User Access Verification
    Username: xxx/xxxxxxxxxx
    Password: ************
    Type help or '?' for a list of available commands.
    FW> en
    Password: ********
    FW# sh ru
    : Saved
    ASA Version 8.2(5)
    terminal width 511
    hostname xxxxxxxx
    enable password *********** encrypted
    passwd *********** encrypted
    names
    interface Ethernet0/0
    switchport access vlan xxx
    interface Ethernet0/1
    switchport access vlan xxx
    shutdown
    interface Ethernet0/2
    switchport access vlan xxx
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlanxxx
    nameif inside
    security-level 100
    ip address x.x.x.x x.x.x.x
    interface Vlanxxx
    nameif OUtside
    security-level 0
    ip address x.x.x.x x.x.x.x
    ftp mode passive
    same-security-traffic permit intra-interface
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group protocol DM_INLINE_PROTOCOL_1
    protocol-object udp
    protocol-object tcp
    group-object TCPUDP
    object-group protocol DM_INLINE_PROTOCOL_2
    protocol-object udp
    protocol-object tcp
    group-object TCPUDP
    object-group protocol DM_INLINE_PROTOCOL_3
    protocol-object ip
    protocol-object udp
    protocol-object tcp
    object-group protocol DM_INLINE_PROTOCOL_4
    protocol-object ip
    protocol-object udp
    protocol-object tcp
    access-list Outside_access_in extended permit ip any any
    access-list inside_access_in extended permit icmp any any
    access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any inactive
    access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_4 any any
    access-list OUtside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any inactive
    access-list OUtside_access_in extended permit icmp any any
    access-list OUtside_access_in extended permit object-group DM_INLINE_PROTOCOL_3 any any
    pager lines 24
    logging enable
    logging asdm informational
    logging host inside x.x.x.x
    mtu inside 1500
    mtu OUtside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    access-group inside_access_in in interface inside
    access-group OUtside_access_in in interface OUtside
    route inside 0.0.0.0 0.0.0.0 x.x.x.x 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server xxxxxxxxx protocol tacacs+
    aaa-server xxxxxxxxx (inside) host x.x.x.x
    key *****
    aaa-server xxxxxxxxx (inside) host x.x.x.x
    key *****
    aaa-server xxxxxxxxx (inside) host x.x.x.x
    key *****
    aaa authentication http console ******* LOCAL
    aaa authentication ssh console ******* LOCAL
    aaa authentication telnet console ******* LOCAL
    aaa local authentication attempts max-fail 5
    http server enable
    http x.x.x.x x.x.x.x inside
    http x.x.x.x x.x.x.x inside
    snmp-server host inside x.x.x.x community ***** version 2c
    snmp-server host OUtside x.x.x.x community ***** version 2c
    snmp-server host inside x.x.x.x community ***** version 2c
    no snmp-server location
    no snmp-server contact
    snmp-server community *****
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet x.x.x.x x.x.x.x inside
    telnet x.x.x.x x.x.x.x inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config OUtside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    username ******* password ************** encrypted privilege 15
    username ******* password ************** encrypted privilege 15
    username ******* password ************** encrypted privilege 15
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:
    : end
    FW#
    Thanks.

  • Aaa authentication enable default group tacacs+ enable

    I am implementing CSACS 4.0. First, on the client, I will apply aaa authentication/authorization under vty. The issue is, if I use the following command
    aaa authentication enable default group tacacs+ enable
    what will happen if I login via console? Will I be required to enter any username/password?
    Below is my configuration:
    aaa new-model
    aaa authentication login authvty group TACACS + local
    aaa authentication enable default group tacacs+ enable
    aaa authorization commands 15 authvty TACACS+ local
    TACACS-server host IP
    Tacacs-server key key
    Ip tacacs source-interface VLAN 3
    aaa accounting send stop-record authentication failure
    aaa accounting delay-start
    aaa accounting exec authvty start-stop group tacacs+
    aaa accounting commands 15 authvty start-stop group tacacs+
    aaa accounting connection authvty start-stop group tacacs+
    line vty 0 15
    login authentication authvty
    authorization commands 15 authvty
    accounting connection authvty
    accounting commands 15 authvty
    accounting exec authvty
    Any suggestion will be appreciated!

    It should work because this is a message/banner prompt every time you try to login (console/vty). I have it configured on my router.
    If you have a banner motd, it will be displayed as well (see below), so I have to remove it to get only the aaa banner & prompt displayed:
    *** Username: cisco, Password: cisco (priv 15f - local) ****
    Unauthorized use is prohibited.
    Enter your name here: user1
    Enter your password now:
    Router#
    The config more or less looks like:
    aaa new-model
    aaa authentication banner ^CUnauthorized use is prohibited.^C
    aaa authentication password-prompt "Enter your password now:"
    aaa authentication username-prompt "Enter your name here:"
    aaa authentication login default group radius
    aaa authentication login CONSOLE local
    HTH
    AK

  • Command execution get very slow when AAA Authorization enable on ASR 1006

    Without Authorization, I am able to work smoothly with just a click on the ASR. But once I enable Authorization it takes many seconds to move to the next command (for example, if I hit config t or int gi1/0/1, it takes time to move to the next command level).
    I am facing this Authorization issue only on the ASR; for other Cisco switches and routers it is working fine with just a click.
    Did anyone face such an issue, and how was it fixed?
    See the Show version for ASR
    Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVIPSERVICESK9-M), Version 15.1(2)S, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2011 by Cisco Systems, Inc.
    Compiled Thu 24-Mar-11 23:32 by mcpre
    Cisco IOS-XE software, Copyright (c) 2005-2011 by cisco Systems, Inc.
    All rights reserved.  Certain components of Cisco IOS-XE software are
    licensed under the GNU General Public License ("GPL") Version 2.0.  The
    software code licensed under GPL Version 2.0 is free software that comes
    with ABSOLUTELY NO WARRANTY.  You can redistribute and/or modify such
    GPL code under the terms of GPL Version 2.0.  For more details, see the
    documentation or "License Notice" file accompanying the IOS-XE software,
    or the applicable URL provided on the flyer accompanying the IOS-XE
    software.
    ROM: IOS-XE ROMMON
    NOITDCRTRCORP01 uptime is 10 weeks, 6 days, 1 hour, 16 minutes
    Uptime for this control processor is 10 weeks, 6 days, 1 hour, 19 minutes
    System returned to ROM by reload
    System restarted at 17:47:32 IST Thu Oct 4 2012
    System image file is "bootflash:/asr1000rp1-advipservicesk9.03.03.00.S.151-2.S.bin"
    Last reload reason: EHSA standby down
    AAA Commands on ASR 1006
    aaa new-model
    aaa group server tacacs+ tacgroup
    server 10.48.128.10
    server 10.72.160.10
    ip vrf forwarding Mgmt-intf
    ip tacacs source-interface GigabitEthernet0
    aaa authentication login default group tacgroup local
    aaa authentication enable default group tacgroup enable
    aaa accounting exec default start-stop group tacgroup
    aaa accounting commands 1 default start-stop group tacgroup
    aaa accounting commands 15 default start-stop group tacgroup
    aaa accounting connection default start-stop group tacgroup
    aaa accounting system default start-stop group tacgroup
    aaa authorization commands 0 default group tacgroup none
    aaa authorization commands 1 default group tacgroup none
    aaa authorization commands 15 default group tacgroup none
    aaa session-id common
    tacacs-server host 10.48.128.10 key 7 13351601181B0B382F04796166
    tacacs-server key 7 053B071C325B411B1D25464058

    I think your issue may be related to your tacacs server. Try re-ordering the two servers (there is typically a 5 second timer before failover occurs) and see if that improves your performance:
    server 10.48.128.10
    server 10.72.160.10
    to
    server 10.72.160.10
    server 10.48.128.10
    You can try to debug the issue by referring to the command reference guide, i.e. debug tacacs. You can also try to telnet to both IP addresses on port 49 to see if the connection opens, in order to rule out issues where a firewall or routing to one of the tacacs servers is failing. I also noticed you have the shared secret and tacacs server defined for one of the servers; is the same present for the other server that is in the server group?
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • AAA authentication / Radius-Servers

    Hello cisco folks,
    Have a technical question I would like to ask. I'm able to setup my 3750e switch to login through a radius server with my company user id and password but would like to be able to set it up that when I log in it drops me on the enable prompt. Right now I have to type >en.
    Then the enable password.  Thanks in advance.
    Paul

    Hi Bro
    Yes, this can be achieved in Cisco IOS devices but not in Cisco ASA. In Cisco ASA, you still have to type the "enable" command.
    Just ensure you've the configuration shown below, and all should be good;
    enable password cisco
    aaa new-model
    aaa authentication login VTY group radius local
    aaa authentication login CONSOLE local
    aaa authentication enable default group radius enable
    aaa authorization console
    aaa authorization config-commands
    aaa authorization exec VTY group radius local
    username ram privilege 15 password 0 cisco
    username cisco privilege 7 password 0 cisco
    interface FastEthernet0/0
    ip address 10.0.0.2 255.255.255.0
    ip route 0.0.0.0 0.0.0.0 10.0.0.1
    ip radius source-interface FastEthernet0/0
    radius-server host 10.0.0.100 auth-port 1645 acct-port 1646 key cisco
    privilege interface level 7 shutdown
    privilege interface level 7 ip address
    privilege interface level 7 ip
    privilege interface level 7 no shutdown
    privilege interface level 7 no ip address
    privilege interface level 7 no ip
    privilege interface level 7 no
    privilege configure level 7 interface
    privilege configure level 7 shutdown
    privilege configure level 7 ip
    privilege configure level 7 no interface
    privilege configure level 7 no shutdown
    privilege configure level 7 no ip
    privilege configure level 0 no
    privilege exec level 7 configure terminal
    privilege exec level 7 configure
    privilege exec level 7 undebug ip rip
    privilege exec level 7 undebug ip
    privilege exec level 7 undebug all
    privilege exec level 7 undebug
    privilege exec level 7 debug ip rip
    privilege exec level 7 debug ip
    privilege exec level 7 debug all
    privilege exec level 7 debug
    line con 0
    authorization exec VTY
    login authentication VTY
    line aux 0
    line vty 0 4
    authorization exec VTY
    login authentication VTY
    end
    Note: Ensure your user ID in your Radius server has the correct av-pair parameters shell:priv-lvl=15
    P/S: if you think this comment is helpful, please do rate it nicely :-)

  • AAA authentication when logging into the router via the web browser

    Hi group,
    I am trying to get access to a Cisco 2621 via http with authentication
    via AAA, but there is something I do not quite understand.
    I am using the freeware TACACS+ server running on RedHat Linux
    Enterprise Server 3.0. I set up the TACACS+ account for myself with
    enable privilege on the TACACS+ box. This account, let's call it
    ddt123, can telnet/ssh into the IOS router, and the enable secret
    is associated with this account as set up in TACACS+.
    Here is what my configuration looks like in the TACACS+ file:
    [root@dca2-LinuxES tacacs]# more tac_plus.cfg
    accounting file = /var/log/tac_plus.log
    key = zFgGkIooIsZ.Q
    user = ddt123 {
        member = admin
        name = "ddt 123"
        login = cleartext "exec123"
    }
    user = $ddt123$ {
        member = admin
        name = "ddt 123"
        login = cleartext "privi123"
    }
    group = admin {
        default service = permit
    }
    [root@dca2-LinuxES tacacs]#
    Here is my configuration on the IOS device:
    aaa authentication login notac none
    aaa authentication login VTY group tacacs+ local
    aaa authentication login web local enable
    aaa authentication enable default group tacacs+ enable
    aaa authorization console
    aaa authorization config-commands
    aaa authorization exec notac none
    aaa authorization exec VTY group tacacs+ if-authenticated none
    aaa authorization commands 0 VTY group tacacs+ if-authenticated none
    aaa authorization commands 1 VTY group tacacs+ if-authenticated none
    aaa authorization commands 15 VTY group tacacs+ if-authenticated none
    aaa authorization network VTY group tacacs+ if-authenticated none
    aaa accounting exec VTY start-stop group tacacs+
    aaa accounting commands 0 VTY start-stop group tacacs+
    aaa accounting commands 1 VTY start-stop group tacacs+
    aaa accounting commands 15 VTY start-stop group tacacs+
    aaa accounting network VTY start-stop group tacacs+
    aaa accounting connection VTY start-stop group tacacs+
    tacacs-server host 192.168.15.10 key ***
    ip http server
    ip http authentication aaa login-authentication VTY
    line con 0
    exec-timeout 0 0
    authorization exec notac
    accounting commands 0 VTY
    accounting commands 1 VTY
    accounting commands 15 VTY
    accounting exec VTY
    logging synchronous
    login authentication notac
    line vty 0 15
    exec-timeout 0 0
    authorization commands 0 VTY
    authorization commands 1 VTY
    authorization commands 15 VTY
    authorization exec VTY
    accounting commands 0 VTY
    accounting commands 1 VTY
    accounting commands 15 VTY
    accounting exec VTY
    login authentication VTY
    The question I have is that when I open the browser and enter http://router_IP_address,
    it prompts me for authentication. Which password should I use, "exec123" or "privi123"?
    Can someone explain to me how this works, and if it works at all? Thanks.
    David

    here is the "debug aaa authen" and "debug aaa author" on the router:
    C2621#term mon
    C2621#
    Feb 25 23:11:33.967 UTC: AAA/AUTHOR/TAC+: (3081244823): send AV cmd-arg=monitor
    Feb 25 23:11:33.971 UTC: AAA/AUTHOR/TAC+: (3081244823): send AV cmd-arg=
    Feb 25 23:11:34.183 UTC: TAC+: (-1213722473): received author response status = PASS_ADD
    Feb 25 23:11:34.187 UTC: AAA/AUTHOR (3081244823): Post authorization status = PASS_ADD
    Feb 25 23:11:34.187 UTC: AAA/MEMORY: free_user (0x8276F8AC) user='ddt123' ruser='C2621' port='tty66' rem_addr='192.168.15.1' authen_type=ASCII service=NONE priv=0 vrf= (id=0)
    Feb 25 2007 23:11:36 UTC: %SEC-6-IPACCESSLOGP: list 111 permitted tcp 192.168.15.10(49) -> 192.168.15.1(24127), 1 packet
    Feb 25 2007 23:11:38 UTC: %SEC-6-IPACCESSLOGP: list 111 permitted tcp 192.168.15.10(49) -> 192.168.15.1(14840), 1 packet
    Feb 25 23:11:39.248 UTC: AAA/AUTHEN/LOGIN (00000000): Pick method list 'VTY'
    Feb 25 23:11:39.268 UTC: AAA/AUTHOR (00000000): Method=None for method list id=A0000003. Skip author
    Feb 25 2007 23:11:40 UTC: %SEC-6-IPACCESSLOGP: list 111 permitted tcp 192.168.15.10(49) -> 192.168.15.1(36781), 1 packet
    Feb 25 2007 23:11:41 UTC: %SEC-6-IPACCESSLOGP: list 111 permitted udp 192.168.4.10(2537) -> 192.168.15.1(161), 1 packet
    Feb 25 23:11:42.553 UTC: AAA/AUTHEN/LOGIN (00000000): Pick method list 'VTY'
    Feb 25 2007 23:11:43 UTC: %SEC-6-IPACCESSLOGP: list 111 permitted tcp 192.168.15.10(49) -> 192.168.15.1(19535), 1 packetu
    All possible debugging has been turned off
    C2621#
    Feb 25 23:11:46.552 UTC: AAA: parse name=tty66 idb type=-1 tty=-1
    Feb 25 23:11:46.552 UTC: AAA: name=tty66 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=66 channel=0
    Feb 25 23:11:46.552 UTC: AAA/MEMORY: create_user (0x8276AD88) user='ddt123' ruser='C2621' ds0=0 port='tty66' rem_addr='192.168.15.1' authen_type=ASCII service=NONE priv=0 initial_task_id='0', vrf= (id=0)
    Feb 25 23:11:46.556 UTC: tty66 AAA/AUTHOR/CMD(1541751897): Port='tty66' list='VTY' service=CMD
    Feb 25 23:11:46.556 UTC: AAA/AUTHOR/CMD: tty66(1541751897) user='ddt123'
    Feb 25 23:11:46.556 UTC: tty66 AAA/AUTHOR/CMD(1541751897): send AV service=shell
    Feb 25 23:11:46.556 UTC: tty66 AAA/AUTHOR/CMD(1541751897): send AV cmd=undebug
    Feb 25 23:11:46.556 UTC: tty66 AAA/AUTHOR/CMD(1541751897): send AV cmd-arg=all
    Feb 25 23:11:46.556 UTC: tty66 AAA/AUTHOR/CMD(1541751897): send AV cmd-arg=
    Feb 25 23:11:46.556 UTC: tty66 AAA/AUTHOR/CMD(1541751897): found list "VTY"
    Feb 25 23:11:46.556 UTC: tty66 AAA/AUTHOR/CMD(1541751897): Method=tacacs+ (tacacs+)
    Feb 25 23:11:46.560 UTC: AAA/AUTHOR/TAC+: (1541751897): user=ddt123
    Feb 25 23:11:46.560 UTC: AAA/AUTHOR/TAC+: (1541751897): send AV service=shell
    Feb 25 23:11:46.560 UTC: AAA/AUTHOR/TAC+: (1541751897): send AV cmd=undebug
    Feb 25 23:11:46.560 UTC: AAA/AUTHOR/TAC+: (1541751897): send AV cmd-arg=all
    Feb 25 23:11:46.560 UTC: AAA/AUTHOR/TAC+: (1541751897): send AV cmd-arg=
    Feb 25 23:11:46.768 UTC: TAC+: (1541751897): received author response status = PASS_ADD
    Feb 25 23:11:46.772 UTC: AAA/AUTHOR (1541751897): Post authorization status = PASS_ADD
    Feb 25 23:11:46.772 UTC: AAA/MEMORY: free_user (0x8276AD88) user='ddt123' ruser='C2621' port='tty66' rem_addr='192.168.15.1' authen_type=ASCII service=NONE priv=0 vrf= (id=0)no
    Feb 25 2007 23:11:47 UTC: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 976 packets
    C2621#
    David

  • AAA authentication not working and 'default' method list

    Guys,
    I hope someone can help me here in troubleshooting an AAA issue. I have copied the configuration and debug below. The router keeps using the local username/password even though the ACS servers are reachable and working. From the debugs it seems it keeps using the 'default' method list, ignoring the TACACS config. Any help will be appreciated.
    Config
    aaa new-model
    username admin privilege 15 secret 5 xxxxxxxxxx.
    aaa authentication login default group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization console
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    aaa authorization reverse-access default group tacacs+ local
    aaa accounting commands 0 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    aaa session-id common
    tacacs-server host x.x.x.x
    tacacs-server host x.x.x.x
    tacacs-server host x.x.x.x
    tacacs-server host x.x.x.x
    tacacs-server directed-request
    tacacs-server key 7 0006140E54xxxxxxxxxx
    ip tacacs source-interface Vlan200
    Debugs
    002344: Dec  5 01:36:03.087 ICT: AAA/BIND(00000022): Bind i/f
    002345: Dec  5 01:36:03.087 ICT: AAA/AUTHEN/LOGIN (00000022): Pick method list 'default'
    002346: Dec  5 01:36:11.080 ICT: AAA/AUTHEN/LOGIN (00000022): Pick method list 'default'
    core01#
    002347: Dec  5 01:36:59.404 ICT: AAA: parse name=tty0 idb type=-1 tty=-1
    002348: Dec  5 01:36:59.404 ICT: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
    002349: Dec  5 01:36:59.404 ICT: AAA/MEMORY: create_user (0x6526934) user='admin' ruser='core01' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
    002350: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): Port='tty0' list='' service=CMD
    002351: Dec  5 01:36:59.404 ICT: AAA/AUTHOR/CMD: tty0 (2162495688) user='admin'
    002352: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV service=shell
    002353: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV cmd=configure
    002354: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV cmd-arg=terminal
    002355: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV cmd-arg=<cr>
    002356: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): found list "default"
    002357: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): Method=tacacs+ (tacacs+)
    002358: Dec  5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): user=admin
    002359: Dec  5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): send AV service=shell
    002360: Dec  5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): send AV cmd=configure
    002361: Dec  5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): send AV cmd-arg=terminal
    002362: Dec  5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): send AV cmd-arg=<cr>
    Enter configuration commands, one per line.  End with CNTL/Z.
    core01(config)#
    002363: Dec  5 01:37:04.261 ICT: AAA/AUTHOR (2162495688): Post authorization status = ERROR
    002364: Dec  5 01:37:04.261 ICT: tty0 AAA/AUTHOR/CMD (2162495688): Method=LOCAL
    002365: Dec  5 01:37:04.261 ICT: AAA/AUTHOR (2162495688): Post authorization status = PASS_ADD
    002366: Dec  5 01:37:04.261 ICT: AAA/MEMORY: free_user (0x6526934) user='admin' ruser='core01' port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=15
    core01(config)#
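The debug above already carries the answer to "why is it using local". Each authorization transaction has an id in parentheses, and the trail for 2162495688 reads: method list "default", Method=tacacs+, Post authorization status = ERROR, then Method=LOCAL, Post authorization status = PASS_ADD. That is the method list failing over to the next entry because the TACACS+ exchange errored (no usable reply), not because the server rejected the user, and it is the thing to confirm before touching server addresses or keys. The parser below is an added example, not code from the thread; it extracts the per-transaction trail from a trimmed copy of the debug output pasted above and flags every transaction where a server-backed method errored and a later method answered instead.

```python
"""Parse 'debug aaa authorization' output and flag TACACS+ -> LOCAL fallbacks.
Added example; SAMPLE_DEBUG is a trimmed copy of the debug pasted in the thread."""
import re
from dataclasses import dataclass, field

SAMPLE_DEBUG = """\
002345: Dec  5 01:36:03.087 ICT: AAA/AUTHEN/LOGIN (00000022): Pick method list 'default'
002351: Dec  5 01:36:59.404 ICT: AAA/AUTHOR/CMD: tty0 (2162495688) user='admin'
002353: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV cmd=configure
002354: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV cmd-arg=terminal
002355: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV cmd-arg=<cr>
002356: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): found list "default"
002357: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): Method=tacacs+ (tacacs+)
002363: Dec  5 01:37:04.261 ICT: AAA/AUTHOR (2162495688): Post authorization status = ERROR
002364: Dec  5 01:37:04.261 ICT: tty0 AAA/AUTHOR/CMD (2162495688): Method=LOCAL
002365: Dec  5 01:37:04.261 ICT: AAA/AUTHOR (2162495688): Post authorization status = PASS_ADD
"""


@dataclass
class AuthzRecord:
    tid: str
    user: str = ""
    method_list: str = ""
    cmd: list = field(default_factory=list)    # command words from the AV pairs
    trail: list = field(default_factory=list)  # [[method, status], ...] in order tried


TID_RE = re.compile(r"\((\d+)\)")              # transaction id, e.g. (2162495688)
USER_RE = re.compile(r"\buser='?([^'\s]+)'?")  # \b keeps ruser='...' from matching
LIST_RE = re.compile(r'found list "([^"]+)"')
METHOD_RE = re.compile(r"Method=(\S+)")
STATUS_RE = re.compile(r"Post authorization status = (\w+)")
CMD_RE = re.compile(r"send AV cmd(?:-arg)?=(.*)$")


def parse_aaa_debug(text):
    """Group AAA/AUTHOR lines by transaction id and record, per transaction,
    the user, the method list picked, the command and the method/status trail."""
    records = {}
    for line in text.splitlines():
        if "AAA/AUTHOR" not in line:
            continue  # authentication and ACL-log lines carry no authorization trail
        tid = TID_RE.search(line)
        if not tid:
            continue
        rec = records.setdefault(tid.group(1), AuthzRecord(tid.group(1)))
        if (u := USER_RE.search(line)):
            rec.user = u.group(1)
        if (l := LIST_RE.search(line)):
            rec.method_list = l.group(1)
        if (c := CMD_RE.search(line)):
            arg = c.group(1).strip()
            if arg and arg != "<cr>":
                rec.cmd.append(arg)
        if (m := METHOD_RE.search(line)):
            rec.trail.append([m.group(1), None])   # status arrives on a later line
        if (s := STATUS_RE.search(line)) and rec.trail and rec.trail[-1][1] is None:
            rec.trail[-1][1] = s.group(1)
    return records


def find_local_fallbacks(records):
    """Return every transaction in which one method returned ERROR and the
    next method in the list (LOCAL, none, ...) produced the final answer."""
    hits = []
    for rec in records.values():
        for i, (method, status) in enumerate(rec.trail):
            if status == "ERROR" and i + 1 < len(rec.trail):
                nxt, nxt_status = rec.trail[i + 1]
                hits.append({"tid": rec.tid, "user": rec.user, "list": rec.method_list,
                             "cmd": " ".join(rec.cmd), "errored": method,
                             "fallback": nxt, "result": nxt_status})
    return hits


if __name__ == "__main__":
    for hit in find_local_fallbacks(parse_aaa_debug(SAMPLE_DEBUG)):
        print(f"txn {hit['tid']}: user={hit['user']} list={hit['list']} cmd='{hit['cmd']}' "
              f"{hit['errored']} returned ERROR, answered by {hit['fallback']} ({hit['result']})")
```

A single hit like this one means the device never got a usable authorization reply from TACACS+ for that command, so the next step is `show tacacs` (as suggested in the replies) and checking reachability from the configured source interface and the shared key, rather than the ACS policy itself.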

    Are the tacacs+ servers reachable using the source vlan 200? Also, on the tacacs+ server, can you check if the IP address for this device is correctly configured, and also please check that the pwd on both the server and this device match.
    As rick suggested, sh tacacs would be good as well. That would show failures and successes.
    HTH
    Kishore

  • AAA authentication and authorization question

    Hi Everyone,
    I have a situation that is driving me crazy.
    I am using Cisco Freeware TACACS running on RedHat
    Enterprise Linux 3. I've modified the source code
    so that I can assign each individual user his/her
    own enable password. So far so good.
    I create two groups: group_A and group_S. group_A
    is for advanced users and group_S is for super
    users. Users that belong to group_A can have
    privilege level 15 but there are certain commands
    that they cannot perform such as "write mem"
    or "reload". Users that belong to group_S can do
    EVERYTHING.
    Here is my configuration on the TACACS configuration
    file:
    user = xyz {
        member = admin
        name = "User X"
        login = des 6.z8oIm9UGHo
    }
    user = $xyz$ {
        member = admin
        name = "User X"
        login = des c2bUC43cmsac.
    }
    user = abc {
        member = advanced
        name = "User abc"
        login = cleartext "cisco123"
    }
    user = $abc$ {
        member = advanced
        name = "User abc"
        login = cleartext "cisco123"
    }
    group = advanced {
        default service = deny
        cmd = show { permit .* }
        cmd = copy { permit flash }
        cmd = copy { permit running }
        cmd = ping { permit .* }
        cmd = configure { permit .* }
        cmd = enable { permit .* }
        cmd = disable { permit .* }
        cmd = telnet { permit .* }
        cmd = disconnect { permit .* }
        cmd = where { permit .* }
        cmd = set { permit .* }
        cmd = clear { permit line }
        cmd = exit { permit .* }
    }
    group = admin {
        default service = permit
    }
    Configuration of the router:
    aaa new-model
    aaa authentication login notac none
    aaa authentication login VTY group tacacs+ local
    aaa authentication login web local enable
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec notac none
    aaa authorization exec VTY group tacacs+ if-authenticated none
    aaa authorization commands 0 VTY group tacacs+ if-authenticated none
    aaa authorization commands 1 VTY group tacacs+ if-authenticated none
    aaa authorization commands 15 VTY group tacacs+ if-authenticated none
    aaa authorization network VTY group tacacs+ if-authenticated none
    aaa accounting exec TAC start-stop group tacacs+
    aaa accounting exec VTY start-stop group tacacs+
    aaa accounting commands 0 TAC start-stop group tacacs+
    aaa accounting commands 0 VTY start-stop group tacacs+
    aaa accounting commands 1 TAC start-stop group tacacs+
    aaa accounting commands 1 VTY start-stop group tacacs+
    aaa accounting commands 10 TAC start-stop group tacacs+
    aaa accounting commands 15 TAC start-stop group tacacs+
    aaa accounting commands 15 VTY start-stop group tacacs+
    aaa accounting network VTY start-stop group tacacs+
    aaa session-id common
    line vty 0 15
        exec-timeout 0 0
        authorization commands 0 VTY
        authorization commands 1 VTY
        authorization commands 15 VTY
        authorization exec VTY
        accounting commands 0 VTY
        accounting commands 1 VTY
        accounting commands 15 VTY
        accounting exec VTY
        login authentication VTY
    However, what I would like to do is to give users in group_A the ability to go into "configuration t", but I do NOT want them to have the ability to perform "no tacacs-server host x.x.x.x key cisco". Furthermore, I would like to do everything via TACACS; I don't want to configure "privilege level" on the router itself.
    Is that possible? Thanks.
    David

    Command Authorization Sets: Command authorization sets provide a centralized mechanism to manage TACACS+ administrative control. Driven by some of the largest enterprise and service provider networks that use Cisco Secure ACS, command authorization sets provide a method to group and name device command profiles that can be paired with users, groups of users, or network device groups. A key benefit of command authorization sets is the ability to remove any requirement of individual privilege level or command restrictions on each AAA client. This feature greatly enhances the scalability and manageability of setting device command authorization restrictions for network administrators.
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/prod_release_note09186a00800ada4c.html
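As an added illustration that is not part of this thread, the Python model below approximates how a tac_plus-style group such as the "advanced" group above decides each command (the matching rules and the extra "no" block are assumptions made for the example, not the poster's file or Cisco's code). It shows that under "default service = deny" a command whose first word has no cmd block, such as "no tacacs-server ...", is already refused, and how a deny-before-permit block for "no" can allow other "no ..." lines while keeping that one blocked.

```python
import re

# Constructed model of tac_plus-style command authorization: the first word
# of the command selects its "cmd = ..." block, the remaining words are
# matched against that block's permit/deny patterns in order, and a command
# with no block falls back to the group's "default service".
ADVANCED = {
    "default service": "deny",
    "cmd": {
        "show":      [("permit", r".*")],
        "copy":      [("permit", r"flash"), ("permit", r"running")],
        "ping":      [("permit", r".*")],
        "configure": [("permit", r".*")],
        "exit":      [("permit", r".*")],
    },
}

# Hypothetical hardening (not the poster's config): an explicit block for
# "no" whose deny line is checked before its permit line, so
# "no tacacs-server ..." is refused while other "no ..." lines are allowed.
ADVANCED_WITH_NO = {
    "default service": "deny",
    "cmd": {**ADVANCED["cmd"],
            "no": [("deny", r"^tacacs-server"), ("permit", r".*")]},
}

def authorize(group, command):
    """Return True if `group` permits `command` under the model above."""
    words = command.split()
    if not words:
        return False
    cmd, args = words[0], " ".join(words[1:])
    rules = group["cmd"].get(cmd)
    if rules is None:                      # no block for this command word
        return group["default service"] == "permit"
    for action, pattern in rules:          # first matching line wins
        if re.search(pattern, args):
            return action == "permit"
    return False                           # block exists but nothing matched

if __name__ == "__main__":
    for cmd in ("show running-config", "configure terminal",
                "no tacacs-server host 10.0.0.1 key cisco", "reload"):
        print(f"{cmd!r}: {'permit' if authorize(ADVANCED, cmd) else 'deny'}")
    print(authorize(ADVANCED_WITH_NO, "no logging console"))   # True
```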

  • Aaa authorization console command

    Hi,
    I don't really understand the need for the command "aaa authorization console".
    We indeed often configure these lines, which according to me are already applied by default to VTY, console, etc.:
    aaa authorization exec default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    Am I wrong? Or do these lines apply only to the VTY lines?
    Thanks in advance

    I learned about this console lockout today the hard way.
    We use as standard:
    aaa authentication login default group tacacs+ enable
    aaa authentication enable default group tacacs+ enable
    aaa authorization console
    aaa authorization exec default local group tacacs+ if-authenticated
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    and I missed the trailing "if-authenticated" in the line "aaa authorization exec default local group tacacs+ if-authenticated"; unfortunately the tacacs server also wasn't reachable.
    So there was no way to log in without the hard way: rebooting and reconfiguring again.

  • AAA Authentication Question

    Here is the config I have on a switch:
    aaa authentication login default group tacacs+ local
    aaa authentication login vtylogin group tacacs+ local
    aaa authentication login conlogin group tacacs+ enable none
    aaa authentication enable default tacacs+ enable
    Now here are my issues:
    1- When I login from console my login from Tacacs works, but when I type "enable" and try to use my Active Directory password it does not work.  Then I try the enable password, it does not work.  However if I change the 4th Line to "aaa authentication enable default enable", I can proceed using the enable password.
    2- My second issue is when I SSH into the switch, I only want it to use the tacacs server and only use local database when the tacacs is not available.  However even when tacacs is available I am still able to log into it using the local user account.  I am assuming that is by design?  Is there a way to stop that if it is not by design?

    But it won't use your local database unless your tacacs+ server is unavailable, so I really don't see the problem.
    If the router uses your local database to authenticate, then there is a communication problem with your tacacs+ server, so it is using the next method listed in your command, which is the local database. As I said before, do a debug aaa authentication and you will see the router attempting to communicate with the tacacs+ server; only if that times out will it go on to use an alternative method, if one is listed in the method list.
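To make the fallback behaviour described in this answer (and the console lockout reported two posts above) concrete, here is an added Python model that is not from the thread: the method names follow the IOS method lists quoted on this page, while the users, passwords and server state are constructed for the example.

```python
# Constructed model of how an IOS AAA method list is walked: a method that
# answers PASS or FAIL ends the list, and only ERROR (server unreachable /
# no response) moves on to the next method. Users and secrets are made up.
PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

def run_method(method, user, pw, ctx):
    """Evaluate a single method against the constructed context `ctx`."""
    if method == "group tacacs+":
        if not ctx["tacacs_up"]:
            return ERROR                      # no reply: fall through
        return PASS if ctx["tacacs_users"].get(user) == pw else FAIL
    if method == "local":                     # device's own username database
        return PASS if ctx["local_users"].get(user) == pw else FAIL
    if method == "enable":                    # local enable secret
        return PASS if pw == ctx["enable_secret"] else FAIL
    if method == "if-authenticated":          # authorization lists only
        return PASS if ctx.get("authenticated") else FAIL
    if method == "none":
        return PASS
    raise ValueError(f"unknown method {method!r}")

def evaluate(method_list, user, pw, ctx):
    """Final verdict for a list such as ['group tacacs+', 'local'].
    If every method errors, access is denied (the lockout case)."""
    for method in method_list:
        verdict = run_method(method, user, pw, ctx)
        if verdict != ERROR:
            return verdict
    return FAIL

# Constructed context: TACACS+ knows 'admin' by a directory password, the
# local database knows 'admin' by a different local password.
CTX = {
    "tacacs_users": {"admin": "Dir-Passw0rd"},
    "local_users": {"admin": "cisco"},
    "enable_secret": "EnableS3cret",
    "authenticated": True,
}

LOGIN = ["group tacacs+", "local"]
EXEC_NO_FALLBACK = ["group tacacs+"]                        # lockout case
EXEC_WITH_FALLBACK = ["group tacacs+", "if-authenticated"]

if __name__ == "__main__":
    up, down = {**CTX, "tacacs_up": True}, {**CTX, "tacacs_up": False}
    print(evaluate(LOGIN, "admin", "cisco", up))            # FAIL: local not consulted
    print(evaluate(LOGIN, "admin", "cisco", down))          # PASS: fallback used
    print(evaluate(EXEC_NO_FALLBACK, "admin", "", down))    # FAIL: locked out
    print(evaluate(EXEC_WITH_FALLBACK, "admin", "", down))  # PASS
```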

  • AAA Authentication for Traffic Passing through ASA

    I am setting up AAA authentication for traffic that will pass through my ASA. I am having difficulty enabling 'aaa authentication secure-http-client'. Without secure communications enabled, access functions as expected. When I enable it, I get prompted for a username/password. The username/password is entered. Authentication passes (show uauth). The requested page (http://www.cisco.com) switches to https://x.x.x.x (a resolved IP address for the site). Eventually (5 seconds), I am asked to accept or deny a certificate. Interestingly, the certificate is for the ASA and not the requested site (http://www.cisco.com).
    Am I missing something?
    firewall# show run aaa
    aaa authentication http console TACACS+ LOCAL
    aaa authentication telnet console TACACS+ LOCAL
    aaa authentication serial console TACACS+ LOCAL
    aaa authentication ssh console TACACS+ LOCAL
    aaa authentication enable console TACACS+ LOCAL
    aaa authentication match guestnetwork_access guestnetwork RADIUS
    aaa authentication secure-http-client
    firewall# show access-li guestnetwork_access
    access-list guestnetwork_access; 2 elements
    access-list guestnetwork_access line 1 extended deny udp 10.255.255.0 255.255.255.0 any eq domain (hitcnt=33)
    access-list guestnetwork_access line 2 extended permit ip 10.255.255.0 255.255.255.0 any (hitcnt=412)
    firewall# show run aaa-s
    aaa-server RADIUS protocol radius
    aaa-server RADIUS (inside) host 192.168.250.14
    key xxxxx
    firewall# show run http
    http server enable

    Your definition for the aaa-server is different from the aaa authentication server-group.
    Try:
    aaa authentication http console RADIUS LOCAL
    aaa authentication telnet console RADIUS LOCAL

  • AAA Authentication and VRF-Lite

    Hi!
    I've run into a strange problem, when using AAA Radius authentication and VRF-Lite.
    The setting is as follows. A /31 linknet is set up between PE and CE (7206/g1 and C1812), where the PE sub-if is part of an MPLS VPN, and the CE uses VRF-Lite to keep the local services separated (where more than one VPN is used..).
    Access to the CE, via telnet, console etc, will be authenticated by our RADIUS servers, based on the following setup:
    ---> Config Begins <---
    aaa new-model
    aaa group server radius radius-auth
        server x.x.4.23 auth-port 1645 acct-port 1646
        server x.x.7.139 auth-port 1645 acct-port 1646
    aaa authentication login default group radius-auth local
    aaa authentication enable default group radius-auth enable
    radius-server host x.x.4.23 auth-port 1645 acct-port 1646 key <key>
    radius-server host x.x.7.139 auth-port 1645 acct-port 1646 key <key>
    ip radius source-interface <outside-if> vrf 10
    ---> Config Ends <---
    The VRF-Lite instance is configured like this:
    ---> Config Begins <---
    ip vrf 10
        rd 65001:10
    ---> Config Ends <---
    Now - if I remove the VRF-Lite setup and use global routing on the CE (which is okay for a single-VPN setup), the AAA/RADIUS authentication works just fine. When I enable "ip vrf forwarding 10" on the outside and inside interface, the AAA/RADIUS service is unable to reach the two defined servers.
    I compared the routing table when using VRF-Lite and global routing, and they are identical. All routes are imported via BGP correctly, and the service as a whole works without problems, in other words, the AAA/RADIUS part is the only service not working.

    Just wanted to help future people as some of the answers I found here were confusing.
    This is all you need from the AAA perspective:
    aaa new-model
    aaa group server radius RADIUS-VRF-X
        server-private 192.168.1.10 auth-port 1812 acct-port 1813 key 7 003632222D6E3839240475
        ip vrf forwarding X
    aaa authentication login default group RADIUS-VRF-X local
    aaa authorization exec default group RADIUS-VRF-X local if-authenticated
    Per VRF AAA reference:
    http://www.cisco.com/c/en/us/td/docs/ios/12_2/12_2b/12_2b4/feature/guide/12b_perv.html#wp1024168

  • No AAA authentication on Console port

    I would like to configure our routers to use our ACS server for authentication and to enable authorization for all telnet access, but not use the ACS when connected to the console port. I was able to get the router configured so that console username and password access was local. However, when I attempt to go into enable mode from the console port, the router still goes after the ACS server for the enable password. How do I get around this?

    --begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Please refrain from posting confidential information on the site to reduce security risks to your network. -- end ciscomoderator note --
    Thanks, this does help. However, I'm still running into an issue. My ultimate goal is to have all users authenticate and get enable access through our ACS server based on their corporate NT domain username/pw. If the ACS server is unavailable, go to the local database. This is working fine for users telnetting to the routers and also works for the console port (if the ACS server is unavailable).
    However, with the ACS server active, when I console in I authenticate based on the local database admin/cisco. But when I attempt to go into enable mode the router still goes after the ACS server for a password. I would like console port users to always use the local enable password.
    I'm just trying to protect myself from a possible misbehaved ACS server.
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authentication login console local
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec console local
    enable secret 5 --moderator edit--
    username --moderator edit--privilege 15 password 0 --moderator edit--
    line con 0
        exec-timeout 300 0
        authorization exec console
        login authentication console
    line aux 0
    line vty 0 4
        password --moderator edit--
