Aaa authentication enable console (server_name) password issue

Here is the problem I am experiencing and I hope someone out there is able to help;
I have a ASA5510 (running software Version 8.0(3)). I have enabled remote authentication to our company's TACAC server (which is running TACAC open source supplied by Cisco).
The problem is as follows;
I can telnet to the appliance remote and using my username and password (configured on the TACAC server) I am authenticated. But after entering enable - I am prompted with the password prompt. But I can not get pass this prompt. I have tried the same password as I previous enter at the telnet prompt and failed, the local enable password fails as well. Any suggestion.
aaa-server (server_name) protocol tacacs+
aaa-server (server_name) (interlinkport) host (Address)
key (password)
aaa authentication enable console (server_name) LOCAL
aaa authentication enable console (server_name) LOCAL
aaa authentication http console (server_name) LOCAL
aaa authentication serial console (server_name) LOCAL
aaa authentication ssh console (server_name) LOCAL
aaa authentication telnet console (server_name) LOCAL
aaa accounting command privilege 15 (server_name)
aaa authorization exec authentication-server

I think I can help you here since I've been using Cisco
Freeware TACACS+ for almost 7 years now. I am not
an expert, just enough to be dangerous.
Since the code is open-source, each company uses
differently; however, there is one thing that will
always true. That would be the the enable.c file,
which is a C program. You would need to modify
this file so that EVERYONE can have his/her own
enable password, just like Cisco ACS running on
Windows platforms.
the configuration file would look something like this:
accounting file = /var/log/tac_plus.log
key = zFgGkIooIsZ.Q
user = cciesec {
member = admin
name = "ccie security"
login = cleartext "cciesec"
user = $cciesec$ {
member = admin
name = "ccie security"
login = cleartext "cciesec1"
group = admin {
default service = permit
On the Pix:
aaa-server NEO protocol tacacs+
aaa-server NEO (outside) host 192.168.15.10
timeout 5
key cciesec
aaa authentication ssh console NEO LOCAL
aaa authentication enable console NEO LOCAL
Here is the login sequence:
[root@dca2-LinuxES root]# ssh -l cciesec 192.168.0.25
The authenticity of host '192.168.0.25 (192.168.0.25)' can't be established.
RSA key fingerprint is c2:48:15:85:92:7f:56:15:a8:0f:80:d9:88:50:fd:1c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.25' (RSA) to the list of known hosts.
[email protected]'s password:
Type help or '?' for a list of available commands.
CiscoPix> en
Password: ********
CiscoPix#
In other words, my initial password is "cciesec" and my enable password
is "cciesec1". Another user "tom" will have his own login and enable
password.
Simple enough?

Similar Messages

Aaa authentication enable console issue

I have an ASA5505 running 8.2(5). It is configured with
aaa authentication telnet console xxxxxx LOCAL
and I am able to use my username and password to telnet in, but I then have to use the local enable password to get to privilege exec mode.
I tried configuring aaa authentication enable console xxxxxx LOCAL so that when I try to access privilege exec mode,I would be prompted for my password instead of the enable password, but it doesn't work.
I also tried removing the aaa authentication telnet console xxxxxx LOCAL and telenetted in with the local passwd.
I was prompted for a username and password when trying to get to priv exec mode, but again, the credentials did not work.
Could there be something that needs to be changed on the ACS server to make this work?
Thanks.

Using TACACS+
No command authorization rules are being used
When I add the aaa authentication enable console xxxxxxxx LOCAL command,
and use login instead of enable, I get Login failed if I try to use my credentials.
However, if I use login with the locally configured username and password, it lets me in.
Here is the config (without the aaa authentication enable console command):
User Access Verification
Username: xxx/xxxxxxxxxx
Password: ************
Type help or '?' for a list of available commands.
FW> en
Password: ********
FW# sh ru
: Saved
ASA Version 8.2(5)
terminal width 511
hostname xxxxxxxx
enable password *********** encrypted
passwd *********** encrypted
names
interface Ethernet0/0
switchport access vlan xxx
interface Ethernet0/1
switchport access vlan xxx
shutdown
interface Ethernet0/2
switchport access vlan xxx
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlanxxx
nameif inside
security-level 100
ip address x.x.x.x x.x.x.x
interface Vlanxxx
nameif OUtside
security-level 0
ip address x.x.x.x x.x.x.x
ftp mode passive
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object udp
protocol-object tcp
group-object TCPUDP
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object udp
protocol-object tcp
group-object TCPUDP
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_4
protocol-object ip
protocol-object udp
protocol-object tcp
access-list Outside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 a
ny any inactive
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_4 a
ny any
access-list OUtside_access_in extended permit object-group DM_INLINE_PROTOCOL_1
any any inactive
access-list OUtside_access_in extended permit icmp any any
access-list OUtside_access_in extended permit object-group DM_INLINE_PROTOCOL_3
any any
pager lines 24
logging enable
logging asdm informational
logging host inside x.x.x.x
mtu inside 1500
mtu OUtside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group inside_access_in in interface inside
access-group OUtside_access_in in interface OUtside
route inside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server xxxxxxxxx protocol tacacs+
aaa-server xxxxxxxxx (inside) host x.x.x.x
key *****
aaa-server xxxxxxxxx (inside) host x.x.x.x
key *****
aaa-server xxxxxxxxx (inside) host x.x.x.x
key *****
aaa authentication http console ******* LOCAL
aaa authentication ssh console ******* LOCAL
aaa authentication telnet console ******* LOCAL
aaa local authentication attempts max-fail 5
http server enable
http x.x.x.x x.x.x.x inside
http x.x.x.x x.x.x.x inside
snmp-server host inside x.x.x.x community ***** version 2c
snmp-server host OUtside x.x.x.x community ***** version 2c
snmp-server host inside x.x.x.x community ***** version 2c
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet x.x.x.x x.x.x.x inside
telnet x.x.x.x x.x.x.x inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config OUtside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username ******* password ************** encrypted privilege 15
username ******* password ************** encrypted privilege 15
username ******* password ************** encrypted privilege 15
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:
: end
FW#
Thanks.

No AAA authentication on Console port

I would like to configure our routers to use our ACS server for authentication and enable authorization for all telnet access but not use the ACS when connected to the console port. I was able to get the router configured so that console username and password access was local. However, when I attempt to go into enable mode from the console port the router still goes after the ACS server for the enble password. How do I get around this?

--begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Please refrain from posting confidential information on the site to reduce security risks to your network. -- end ciscomoderator note --
Thanks this does help. However, I'm still running into and issue. My ultimate goal is to have all users authenticate and get enable access through our ACS server based on there corporate NT domain username/pw. If the ACS server is unavailable go to the local data base. This is working fine for user telneting to the routers and also works for the console port (if the ACS server is unavailable).
However, with the ACS server active, when I console in I authenticate based on the local database admin/cisco. But when I attempt to go into enable mode the router still goes after the ACS server for a password. I would like console port users to always use the local enable password.
I'm just trying to protect myself from a possible misbehaved ACS server.
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login console local
aaa authentication enable default group tacacs+ enable
aaa authorization exec console local
enable secret 5 --moderator edit--
username --moderator edit--privilege 15 password 0 --moderator edit--
line con 0
exec-timeout 300 0
authorization exec console
login authentication console
line aux 0
line vty 0 4
password --moderator edit--

Why do we need aaa authentication enable

Hi all
Why do we need the " aaa authentication enable default group tacacs+ enable" . Is " aaa authentication login default group tacacs+ enable"
is not enough ?
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
Thanks

Hi jatin ,
Just for clariffication , if i add " aaa authentication enable default group tacacs+ enable" , once authenticated device will go directly to enable mode .
As you said
aaa authentication login default group tacacs+ local
in case tacacs failed user has to enter local username and password . once it is authenticated
" aaa authentication enable default group tacacs+ enable " will be executed and the user have to enter the enable (local db ) secret .
Please correct me if iam wrong
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+

Aaa authentication enable default group tacacs+ enable

I am implementing CSACS 4.0. First on the client, I will apply aaa authenticatio/ authorization under vty. The issure if I use the followin command
aaa authentication enable default group tacacs+ enable
what will happen if I login via console? Will I be required to enter any username/password?
Below is my configuration
aaa new-model
aaa authentication login authvty group TACACS + local
aaa authentication enable default group tacacs+ enable
aaa authorization commands 15 authvty TACACS+ local
TACACS-server host IP
Tacacs-server key key
Ip tacacs source-interface VLAN 3
aaa accounting send stop-record authentication failure
aaa accounting delay-start
aaa accounting exec authvty start-stop group tacacs+
aaa accounting commands 15 authvty start-stop group tacacs+
aaa accounting connection authvty start-stop group tacacs+
line vty 0 15
login authentication authvty
authorization commands 15 authvty
accounting connection authvty
accounting commands 15 authvty
accunting exec authvty
Any suggestion will be appreciated!

It should work because this is a message.banner prompt everytime you try to login (console/vty). I have it configured on my router.
If you have banner motd, it will be displayed as well (see below). So I ahve to remove it to get only the aaa banner & prompt being displayed:
*** Username: cisco, Password: cisco (priv 15f - local) ****
Unauthorized use is prohibited.
Enter your name here: user1
Enter your password now:
Router#
The config more or less looks like:
aaa new-model
aaa authentication banner ^CUnauthorized use is prohibited.^C
aaa authentication password-prompt "Enter your password now:"
aaa authentication username-prompt "Enter your name here:"
aaa authentication login default group radius
aaa authentication login CONSOLE local
HTH
AK

Aaa authentication enable command

Hi,
If I configure following command, how can I enter enable user name and password to get into enable prompt? Can someone explain to me how to enable tacacs autherntication for enable access?
"aaa authentication enable default group tacacs+ enable",
TIA
krishna

Assuming that your IOS device is otherwise correctly configured for TACACS (has the proper TACACS server address, proper TACACS key) and that the TACACS server is configured to recognize and process this machine as a client for authentication, then using this command:
aaa authentication enable default group tacacs+ enable
will cause the IOS device to send an authentication request to the TACACS server when someone attempts to access privilege mode. If the TACACS server does not respond the IOS device will use the local enable secret (or password) to authenticate enable mode. This is the only thing that you must do on the IOS device. On the TACACS server you must be sure that the user ID is correctly configured for access to this device and the user is checked for level 15 access.
HTH
Rick

Cisco Nexus AAA authentication and console access

We have nexus 7k with AAA authentication working now i have an issue i can't login using console port because my logins are rejected.Is there anyway we can login into console with local login details or we have to use ACS server (AAA) logins when connected to console (while ACS server is still reachable).
My main question is i want to login using console port while ACS server is still reachable is it possible?

Perhaps I am not understanding some parts of the original post and if so I would appreciate clarification of what I missed. But it seems to me that the main question in the original post is whether the original poster would be able to login on the console. And it seems to me that the high level answer is that yes login to the console should be possible. The details of how that would work are dependent on details of how the N7K is configured. If the original poster would provide some details of the configuration (especially all of the aaa authentication commands and the configuration of line con 0) we would be in a much better position to provide helpful answers.
HTH
Rick

Aaa authentication serial console LOCAL did not work!!

Hypertermed in and the console came right up. Privileged Exec mode does require a password but logging out (disable) requires username and password.
Also, neither the exec nor MOTD banners work but guess what, they show up upon logout as well ...
Ponderous, really ponderous.
ej

Hello,
It's an ASA 5505 and I'm currently on ver 8.2(5). I was on 9.2(2) but reset back to factory default out of frustration.

AAA Authentication for Traffic Passing through ASA

I am setting up AAA authentication for traffic that will pass through my ASA. I am having difficulty enabling 'aaa authentication secure-http-client'. Without secure communications enabled access functions as expected. When I enable access, I get prompted for a username/password. The username/password is entered. Authentication passes (show uauth). The requested page (http://www.cisco.com) switches to https://x.x.x.x (a resolved IP address for the site). Eventually (5 seconds), I am asked to accept or deny a certificated. Interestingly, the certificate is for the ASA and not the requested site (http://www.cisco.com).
Am I missing something?
firewall# show run aaa
aaa authentication http console TACACS+ LOCAL
aaa authentication telnet console TACACS+ LOCAL
aaa authentication serial console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authentication match guestnetwork_access guestnetwork RADIUS
aaa authentication secure-http-client
firewall# show access-li guestnetwork_access
access-list guestnetwork_access; 2 elements
access-list guestnetwork_access line 1 extended deny udp 10.255.255.0 255.255.255.0 any eq domain (hitcnt=33)
access-list guestnetwork_access line 2 extended permit ip 10.255.255.0 255.255.255.0 any (hitcnt=412)
firewall# show run aaa-s
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.250.14
key xxxxx
firewall# show run http
http server enable

your definition for the aaa-server is different to the aaa authentication server-group
try
aaa authentication http console RADIUS LOCAL
aaa authentication telnet console RADIUS LOCAL

AAA authentication not working and 'default' method list

Guys,
I hope someone can help me here in troubleshooting AAA issue. I have copied configuration and debug below. The router keeps using local username/password even though ACS servers are reachable and working. From debugs it seems it keeps using 'default' method list ignoring TACACS config. Any help will be appreciated
Config
aaa new-model
username admin privilege 15 secret 5 xxxxxxxxxx.
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization reverse-access default group tacacs+ local
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa session-id common
tacacs-server host x.x.x.x
tacacs-server host x.x.x.x
tacacs-server host x.x.x.x
tacacs-server host x.x.x.x
tacacs-server directed-request
tacacs-server key 7 0006140E54xxxxxxxxxx
ip tacacs source-interface Vlan200
Debugs
002344: Dec 5 01:36:03.087 ICT: AAA/BIND(00000022): Bind i/f
002345: Dec 5 01:36:03.087 ICT: AAA/AUTHEN/LOGIN (00000022): Pick method list 'default'
002346: Dec 5 01:36:11.080 ICT: AAA/AUTHEN/LOGIN (00000022): Pick method list 'default'
core01#
002347: Dec 5 01:36:59.404 ICT: AAA: parse name=tty0 idb type=-1 tty=-1
002348: Dec 5 01:36:59.404 ICT: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
002349: Dec 5 01:36:59.404 ICT: AAA/MEMORY: create_user (0x6526934) user='admin' ruser='core01' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
002350: Dec 5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): Port='tty0' list='' service=CMD
002351: Dec 5 01:36:59.404 ICT: AAA/AUTHOR/CMD: tty0 (2162495688) user='admin'
002352: Dec 5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV service=shell
002353: Dec 5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV cmd=configure
002354: Dec 5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV cmd-arg=terminal
002355: Dec 5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV cmd-arg=<cr>
002356: Dec 5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): found list "default"
002357: Dec 5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): Method=tacacs+ (tacacs+)
002358: Dec 5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): user=admin
002359: Dec 5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): send AV service=shell
002360: Dec 5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): send AV cmd=configure
002361: Dec 5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): send AV cmd-arg=terminal
002362: Dec 5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): send AV cmd-arg=<cr>
Enter configuration commands, one per line. End with CNTL/Z.
core01(config)#
002363: Dec 5 01:37:04.261 ICT: AAA/AUTHOR (2162495688): Post authorization status = ERROR
002364: Dec 5 01:37:04.261 ICT: tty0 AAA/AUTHOR/CMD (2162495688): Method=LOCAL
002365: Dec 5 01:37:04.261 ICT: AAA/AUTHOR (2162495688): Post authorization status = PASS_ADD
002366: Dec 5 01:37:04.261 ICT: AAA/MEMORY: free_user (0x6526934) user='admin' ruser='core01' port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=15
core01(config)#

Are the tacacs+ servers reachable using the source vlan 200. Also in the tacacs+ server can you check if the IP address for this device is correctly configured and also please check the pwd on both the server and this device match.
As rick suggested sh tacacs would be good as well. That would show failures and successes
HTH
Kishore

AAA Authentication Question

Here is the config I have on a switch:
aaa authentication login default group tacacs+ local
aaa authentication login vtylogin group tacacs+ local
aaa authentication login conlogin group tacacs+ enable none
aaa authentication enable default tacacs+ enable
Now here are my issues:
1- When I login from console my login from Tacacs works, but when I type "enable" and try to use my Active Directory password it does not work. Then I try the enable password, it does not work. However if I change the 4th Line to "aaa authentication enable default enable", I can proceed using the enable password.
2- My second issue is when I SSH into the switch, I only want it to use the tacacs server and only use local database when the tacacs is not available. However even when tacacs is available I am still able to log into it using the local user account. I am assuming that is by design? Is there a way to stop that if it is not by design?

But it won't use you local database unless your tacacs+ server is unavailable so I really don't see the problem.
If the router uses your local database to authenticate then there is a communication problem with your tacacs+ server so he is using the next method listed in your command which is local database. As I said before do a debug aaa authentication and you will see the router is attempting to communicate with the tacacs+ server and only if it times out then is he going to use an alternative method if it is listed in method list.

AAA authentication / Radius-Servers

Hello cisco folks,
Have a technical question I would like to ask. I'm able to setup my 3750e switch to login through a radius server with my company user id and password but would like to be able to set it up that when I log in it drops me on the enable prompt. Right now I have to type >en.
Then the enable password. Thanks in advance.
Paul

Hi Bro
Yes, this can be achieved in Cisco IOS devices but not in Cisco ASA. In Cisco ASA, you still have to type the "enable" command.
Just ensure you've the configuration shown below, and all should be good;
enable password cisco
aaa new-model
aaa authentication login VTY group radius local
aaa authentication login CONSOLE local
aaa authentication enable default group radius enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec VTY group radius local
username ram privilege 15 password 0 cisco
username cisco privilege 7 password 0 cisco
interface FastEthernet0/0
ip address 10.0.0.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.0.0.1
ip radius source-interface FastEthernet0/0
radius-server host 10.0.0.100 auth-port 1645 acct-port 1646 key cisco
privilege interface level 7 shutdown
privilege interface level 7 ip address
privilege interface level 7 ip
privilege interface level 7 no shutdown
privilege interface level 7 no ip address
privilege interface level 7 no ip
privilege interface level 7 no
privilege configure level 7 interface
privilege configure level 7 shutdown
privilege configure level 7 ip
privilege configure level 7 no interface
privilege configure level 7 no shutdown
privilege configure level 7 no ip
privilege configure level 0 no
privilege exec level 7 configure terminal
privilege exec level 7 configure
privilege exec level 7 undebug ip rip
privilege exec level 7 undebug ip
privilege exec level 7 undebug all
privilege exec level 7 undebug
privilege exec level 7 debug ip rip
privilege exec level 7 debug ip
privilege exec level 7 debug all
privilege exec level 7 debug
line con 0
authorization exec VTY
login authentication VTY
line aux 0
line vty 0 4
authorization exec VTY
login authentication VTY
end
Note: Ensure your user ID in your Radius server has the correct av-pair parameters shell:priv-lvl=15
P/S: if you think this comment is helpful, please do rate it nicely :-)

PIX 525 aaa authentication with both tacacs and local

Hi,
I have configured the aaa authentication for the PIX with tacacs protocol (ACS Server).
It works fine, now i would like to add the back up authentication, as follows:
- If the ACS goes down i can to be authenticated with the local database.
Is it possible with PIX, if yes how?

Hi,
I am trying to configure aaa using TACACS+ , i am not able to close.Problems are
1.It dosent ask for username /password in first level.
2.on second level it asks for user name it dosent authenticate the user .
Cud u pls let me know if the following config is correct.If not cud u help me .
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (outside) host ip.ip.ip.ip key timeout 15
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication include tcp/0 inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+
aaa authentication include tcp/0 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+
aaa authen enable console TACACS+

AAA authentication when logging into the router via the web browser

Hi group,
I am trying to get access the a cisco 2621 via http and authentication
via AAA but there is something I am not quite understand.
I am using the freeware TACACS+ server running on RedHat Linux
Enterprise Server 3.0. I setup the TACACS+ account for myself with
enable privilege on the TACACS+ box. This account, let call it,
ddt123, can telnet/ssh into the IOS router and the enable secret
is associated with this account as setup in TACACS+.
Here is my configuration looks like on the TACACS+ file:
[root@dca2-LinuxES tacacs]# more tac_plus.cfg
accounting file = /var/log/tac_plus.log
key = zFgGkIooIsZ.Q
user = ddt123 {
member = admin
name = "ddt 123"
login = cleartext "exec123"
user = $ddt123$ {
member = admin
name = "ddt 123"
login = cleartext "privi123"
group = admin {
default service = permit
[root@dca2-LinuxES tacacs]#
Here is my configuration on the IOS device:
aaa authentication login notac none
aaa authentication login VTY group tacacs+ local
aaa authentication login web local enable
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec notac none
aaa authorization exec VTY group tacacs+ if-authenticated none
aaa authorization commands 0 VTY group tacacs+ if-authenticated none
aaa authorization commands 1 VTY group tacacs+ if-authenticated none
aaa authorization commands 15 VTY group tacacs+ if-authenticated none
aaa authorization network VTY group tacacs+ if-authenticated none
aaa accounting exec VTY start-stop group tacacs+
aaa accounting commands 0 VTY start-stop group tacacs+
aaa accounting commands 1 VTY start-stop group tacacs+
aaa accounting commands 15 VTY start-stop group tacacs+
aaa accounting network VTY start-stop group tacacs+
aaa accounting connection VTY start-stop group tacacs+
tacacs-server host 192.168.15.10 key ***
ip http server
ip http authentication aaa login-authentication VTY
line con 0
exec-timeout 0 0
authorization exec notac
accounting commands 0 VTY
accounting commands 1 VTY
accounting commands 15 VTY
accounting exec VTY
logging synchronous
login authentication notac
line vty 0 15
exec-timeout 0 0
authorization commands 0 VTY
authorization commands 1 VTY
authorization commands 15 VTY
authorization exec VTY
accounting commands 0 VTY
accounting commands 1 VTY
accounting commands 15 VTY
accounting exec VTY
login authentication VTY
The question I have is that when I open the browser and enter http://router_IP_address,
the it prompts me for authetication, which password should I use, "exec123" or "privi123"?
Can someone explain to me how this work, and if it works at all? Thanks.
David

here is the "debug aaa authen" and "debug aaa author" on the router:
C2621#term mon
C2621#
Feb 25 23:11:33.967 UTC: AAA/AUTHOR/TAC+: (3081244823): send AV cmd-arg=monitor
Feb 25 23:11:33.971 UTC: AAA/AUTHOR/TAC+: (3081244823): send AV cmd-arg=
Feb 25 23:11:34.183 UTC: TAC+: (-1213722473): received author response status = PASS_ADD
Feb 25 23:11:34.187 UTC: AAA/AUTHOR (3081244823): Post authorization status = PASS_ADD
Feb 25 23:11:34.187 UTC: AAA/MEMORY: free_user (0x8276F8AC) user='ddt123' ruser='C2621' port='tty66' rem_addr='192.168.15.1' authen_type=ASCII service=NONE priv=0 vrf= (id=0)
Feb 25 2007 23:11:36 UTC: %SEC-6-IPACCESSLOGP: list 111 permitted tcp 192.168.15.10(49) -> 192.168.15.1(24127), 1 packet
Feb 25 2007 23:11:38 UTC: %SEC-6-IPACCESSLOGP: list 111 permitted tcp 192.168.15.10(49) -> 192.168.15.1(14840), 1 packet
Feb 25 23:11:39.248 UTC: AAA/AUTHEN/LOGIN (00000000): Pick method list 'VTY'
Feb 25 23:11:39.268 UTC: AAA/AUTHOR (00000000): Method=None for method list id=A0000003. Skip author
Feb 25 2007 23:11:40 UTC: %SEC-6-IPACCESSLOGP: list 111 permitted tcp 192.168.15.10(49) -> 192.168.15.1(36781), 1 packet
Feb 25 2007 23:11:41 UTC: %SEC-6-IPACCESSLOGP: list 111 permitted udp 192.168.4.10(2537) -> 192.168.15.1(161), 1 packet
Feb 25 23:11:42.553 UTC: AAA/AUTHEN/LOGIN (00000000): Pick method list 'VTY'
Feb 25 2007 23:11:43 UTC: %SEC-6-IPACCESSLOGP: list 111 permitted tcp 192.168.15.10(49) -> 192.168.15.1(19535), 1 packetu
All possible debugging has been turned off
C2621#
Feb 25 23:11:46.552 UTC: AAA: parse name=tty66 idb type=-1 tty=-1
Feb 25 23:11:46.552 UTC: AAA: name=tty66 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=66 channel=0
Feb 25 23:11:46.552 UTC: AAA/MEMORY: create_user (0x8276AD88) user='ddt123' ruser='C2621' ds0=0 port='tty66' rem_addr='192.168.15.1' authen_type=ASCII service=NONE priv=0 initial_task_id='0', vrf= (id=0)
Feb 25 23:11:46.556 UTC: tty66 AAA/AUTHOR/CMD(1541751897): Port='tty66' list='VTY' service=CMD
Feb 25 23:11:46.556 UTC: AAA/AUTHOR/CMD: tty66(1541751897) user='ddt123'
Feb 25 23:11:46.556 UTC: tty66 AAA/AUTHOR/CMD(1541751897): send AV service=shell
Feb 25 23:11:46.556 UTC: tty66 AAA/AUTHOR/CMD(1541751897): send AV cmd=undebug
Feb 25 23:11:46.556 UTC: tty66 AAA/AUTHOR/CMD(1541751897): send AV cmd-arg=all
Feb 25 23:11:46.556 UTC: tty66 AAA/AUTHOR/CMD(1541751897): send AV cmd-arg=
Feb 25 23:11:46.556 UTC: tty66 AAA/AUTHOR/CMD(1541751897): found list "VTY"
Feb 25 23:11:46.556 UTC: tty66 AAA/AUTHOR/CMD(1541751897): Method=tacacs+ (tacacs+)
Feb 25 23:11:46.560 UTC: AAA/AUTHOR/TAC+: (1541751897): user=ddt123
Feb 25 23:11:46.560 UTC: AAA/AUTHOR/TAC+: (1541751897): send AV service=shell
Feb 25 23:11:46.560 UTC: AAA/AUTHOR/TAC+: (1541751897): send AV cmd=undebug
Feb 25 23:11:46.560 UTC: AAA/AUTHOR/TAC+: (1541751897): send AV cmd-arg=all
Feb 25 23:11:46.560 UTC: AAA/AUTHOR/TAC+: (1541751897): send AV cmd-arg=
Feb 25 23:11:46.768 UTC: TAC+: (1541751897): received author response status = PASS_ADD
Feb 25 23:11:46.772 UTC: AAA/AUTHOR (1541751897): Post authorization status = PASS_ADD
Feb 25 23:11:46.772 UTC: AAA/MEMORY: free_user (0x8276AD88) user='ddt123' ruser='C2621' port='tty66' rem_addr='192.168.15.1' authen_type=ASCII service=NONE priv=0 vrf= (id=0)no
Feb 25 2007 23:11:47 UTC: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 976 packets
C2621#
David

Cisco Nexus to use Radius AAA authentication using Microsoft 2008 NPS

I have a Nexus 7010 running
Just wondering if you can help me with something. I'm having an issue with command authorization thru our aaa config. We don't have a problem authenticating its command authorization that is not working. From what I have seen and read Nexus NX-OS 6.x does not have any commands for aaa authorization unless you are configuring TACACS+. My basic config is below if you can help it would be much appreciated.
>>ip radius source-interface mgmt 0
>>radius-server key XXXXX
>>radius-server host X.X.X.X key XXXXX authentication accounting
>>radius-server host X.X.X.X key XXXXX authentication accounting aaa
>>authentication login default group Radius_Group aaa authentication
>>login console local aaa group server radius Radius_Group
>>    server X.X.X.X
>>    server X.X.X.X
>>    source-interface mgmt0
Also does anyone know how to configure Microsoft 2008 NPS as a Raduis server to work with Nexus? I have read a few post that suggest changing the
shell:roles="vdc-admin" in the Attribute Value field in the RADIUS server
Does anyone know if this works????
Thanks

I have never done this before with ACS but not with NPS. However, you are in the right path. Nexus uses NX-OS which is different in some regards to regular IOS. One of those differences is the AAA setup. In NX-OS you assign users to roles. So for full access you will need to return the following attributes from your Radius server:
Attribute: cisco-av-pair
Requirement: Mandatory
Value: shell:roles*"network-admin vdc-admin"
For more information take a look at this link:
http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/115925-nexus-integration-acs-00.html
Hope this helps
Thank you for rating helpful posts!

Aaa authentication enable console (server_name) password issue

Similar Messages

Maybe you are looking for