Regular Contributor II

TACACS cisco switch to bypass the enable password

Hi Forum,

 

I'm using CPPM 6.5 as a TACACS server and using the aes.arubanetworks. I configured the service and everything, but I'm trying to bypass the enable password when a user with priv level 15 logs in to the Cisco switch. Any idea how to do that?

 

thanks,

Guru Elite

Re: TACACS cisco switch to bypass the enable password

Level 15 is required to get into enable mode.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Regular Contributor II

Re: TACACS cisco switch to bypass the enable password

Priv 15 is what I have, but I still have to type enable and then the password!

I want to log in with my priv15 and not have to type enable.

 

thanks,

Regular Contributor II

Re: TACACS cisco switch to bypass the enable password

I can see in Access Tracker that I'm getting the TACACS Cisco priv15 profile but still get asked for the enable password. My Cisco switch configs are:

aaa authentication login default group tacacs+ local
aaa authentication enable default none
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting dot1x default start-stop group radius
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+

Thanks,

Regular Contributor II

Re: TACACS cisco switch to bypass the enable password

Also, I can't get CPPM to push back a priv level 1 to the switch, or any level other than 15.

Aruba Employee

Re: TACACS cisco switch to bypass the enable password

First, you might need to add the enable to your aaa authorization command:

aaa authentication login default group tacacs+ local enable

For command auth, you will need these commands (for priv 15 users):

aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ local
aaa authorization config-commands

Doing some further research, if you want to bypass the enable prompt (only works via SSH/Telnet and NOT via console), you would need to modify your aaa authorization exec command as follows:

aaa authorization exec default group tacacs+ if-authenticated

Then a level 15 return upon SSH/Telnet auth should drop you right into enable mode.

 

Hope this helps.

Thanks,

Zach Jennings
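As an added illustration (not code from any poster, the thread, or Cisco), the following Python checker parses the IOS AAA method lists discussed above and reports how the login, exec-authorization and enable lists interact. The sample config is constructed from the lines posted in this thread; the wording of the findings is mine. Two points it surfaces that a practitioner should keep in mind: a priv-lvl returned by the TACACS+ server only takes effect when `aaa authorization exec` actually queries TACACS+, and the `none` method on `aaa authentication enable` means nothing at all is verified at the enable prompt.

```python
"""Added example: audit the Cisco IOS AAA lines that decide whether a TACACS+
priv-lvl is honoured. Not from the thread; the checks encode the behaviour
described in the posts plus standard IOS AAA method-list semantics."""
import re

# Constructed sample input: the AAA stanza as posted in the thread
# (accounting lines omitted; they do not affect authorization).
SAMPLE_CONFIG = """\
aaa group server tacacs+ cppm
 server 10.10.210.67
!
aaa authentication login default group tacacs+ local
aaa authentication enable default none
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
"""

AAA_LINE = re.compile(
    r"^aaa (authentication|authorization) (login|enable|exec|commands)"
    r"(?: (\d+))? (\S+) (.+)$"
)


def split_methods(tail):
    """'group tacacs+ local enable' -> ['group tacacs+', 'local', 'enable']."""
    tokens = tail.split()
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append("group " + tokens[i + 1])
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def parse_aaa(config):
    """Map each method list, e.g. 'authorization commands 15 default', to its ordered methods."""
    lists = {}
    for raw in config.splitlines():
        m = AAA_LINE.match(raw.strip())
        if not m:
            continue
        kind, what, level, name, tail = m.groups()
        key = " ".join(p for p in (kind, what, level, name) if p)
        lists[key] = split_methods(tail)
    return lists


def audit(config):
    """Return human-readable findings about the login / exec / enable lists."""
    lists = parse_aaa(config)
    login = lists.get("authentication login default", [])
    exec_ = lists.get("authorization exec default", [])
    enable = lists.get("authentication enable default", [])
    findings = []

    # The server's priv-lvl only reaches the session through exec authorization.
    if "group tacacs+" not in exec_:
        findings.append("exec authorization does not consult TACACS+: a priv-lvl "
                        "returned by the server is never applied to the session")
    elif "if-authenticated" in exec_:
        findings.append("exec authorization falls back to if-authenticated: if the "
                        "server is unreachable, any already-authenticated user is "
                        "authorized for exec without any server-supplied attributes")
    # Enable authentication: the 'none' method verifies nothing at the prompt.
    if "none" in enable:
        findings.append("enable authentication method is 'none': the enable "
                        "secret is not checked for anyone who reaches the prompt")
    # The trailing 'enable' method suggested in the thread.
    if login and "enable" not in login:
        findings.append("login list has no trailing 'enable' method "
                        "(the line suggested in the thread is absent)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

Run it against a `show running-config | section aaa` dump to get the same findings for a real switch; the parser ignores anything that is not an `aaa authentication` or `aaa authorization` method list.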
Regular Contributor II

Re: TACACS cisco switch to bypass the enable password

Thanks for your reply; for some reason I wasn't notified via email that I received a reply. Here is how I got it configured, but it is still the same behavior.

aaa group server tacacs+ cppm
 server 10.10.210.67
!
aaa authentication login default group tacacs+ local
aaa authentication enable default none
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting dot1x default start-stop group radius
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+

thanks again,

Guru Elite

Re: TACACS cisco switch to bypass the enable password

I don't see the line that Zjennings suggested. Can you please add it and try again?

aaa authentication login default group tacacs+ local enable

Colin Joseph
Aruba Customer Engineering

Regular Contributor II

Re: TACACS cisco switch to bypass the enable password

I actually added that line Colin and it hasn't changed anything.

New Contributor

Re: TACACS cisco switch to bypass the enable password

You have to add priv-lvl 15 as an authorization attribute in your enforcement profile.

Go to Configuration » Enforcement » Profiles » Edit Enforcement Profile - "your profile"
Privilege Level: 15
Selected Services: Shell
Authorize Attribute Status: ADD
In Service Attributes add:
Shell -- priv-lvl = 15

 

 
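The profile setting above ("Shell -- priv-lvl = 15" with status ADD) ends up on the wire as a TACACS+ authorization REPLY with status PASS_ADD and the argument `priv-lvl=15`. The Python below is an added example, not code from ClearPass, Cisco or anyone in this thread: it encodes and decodes that REPLY per RFC 8907, including the MD5-based body obfuscation keyed by the shared secret, and pulls the granted privilege level out of it. The session id, sequence number and shared secret are constructed values. It is useful for confirming in a packet capture that what Access Tracker reports as sent is really what the switch received; a reply without a `priv-lvl` argument, or with a FAIL status, carries no privilege level at all, and a packet with the unencrypted flag set is a misconfiguration worth alerting on.

```python
"""Added example: build and parse a TACACS+ authorization REPLY (RFC 8907)
that grants priv-lvl=15 for the shell service, as the switch receives it from
the TACACS+ server. Session id, sequence number and shared secret below are
constructed values, not taken from the thread."""
import hashlib
import re
import struct

# Header fields (RFC 8907 section 4.1)
VERSION = 0xC0                    # major 0xC, minor 0 (the minor version used for authorization)
TAC_PLUS_AUTHOR = 0x02            # packet type: authorization
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # when set, the body is sent in cleartext
# Authorization REPLY status values (section 6.2)
TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01   # ClearPass "Authorize Attribute Status: ADD"
TAC_PLUS_AUTHOR_STATUS_PASS_REPL = 0x02
TAC_PLUS_AUTHOR_STATUS_FAIL = 0x10
TAC_PLUS_AUTHOR_STATUS_ERROR = 0x11


def pseudo_pad(session_id, key, version, seq_no, length):
    """Body keystream (section 4.5): MD5 chain over session_id, key, version, seq_no."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key
                           + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR with the pseudo pad; the same call reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def encode_author_reply(status, args, server_msg=b"", data=b""):
    """Cleartext REPLY body: status, arg_cnt, lengths, then the variable fields."""
    arg_bytes = [a.encode() for a in args]
    body = struct.pack("!BBHH", status, len(arg_bytes), len(server_msg), len(data))
    body += bytes(len(a) for a in arg_bytes)       # one length byte per arg
    return body + server_msg + data + b"".join(arg_bytes)


def decode_author_reply(body):
    """Inverse of encode_author_reply."""
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    arg_lens = list(body[6:6 + arg_cnt])
    pos = 6 + arg_cnt
    server_msg, pos = body[pos:pos + msg_len], pos + msg_len
    data, pos = body[pos:pos + data_len], pos + data_len
    args = []
    for n in arg_lens:
        args.append(body[pos:pos + n].decode())
        pos += n
    return {"status": status, "server_msg": server_msg, "data": data, "args": args}


def build_packet(session_id, seq_no, key, body):
    """Wrap an obfuscated body in the 12-byte header (flags=0 means obfuscated)."""
    wire_body = obfuscate(body, session_id, key, VERSION, seq_no)
    header = struct.pack("!BBBBII", VERSION, TAC_PLUS_AUTHOR, seq_no, 0,
                         session_id, len(wire_body))
    return header + wire_body


def parse_packet(packet, key):
    """Parse a full authorization REPLY packet using the shared secret."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    if ptype != TAC_PLUS_AUTHOR:
        raise ValueError("not an authorization packet")
    wire_body = packet[12:12 + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = wire_body                            # cleartext body: flag this in monitoring
    else:
        body = obfuscate(wire_body, session_id, key, version, seq_no)
    return decode_author_reply(body)


def privilege_from_reply(reply):
    """The priv-lvl the server granted, or None when the reply failed or carries none."""
    if reply["status"] not in (TAC_PLUS_AUTHOR_STATUS_PASS_ADD, TAC_PLUS_AUTHOR_STATUS_PASS_REPL):
        return None
    for arg in reply["args"]:
        m = re.match(r"^([^=*]+)[=*](.*)$", arg)   # '=' mandatory, '*' optional attribute
        if m and m.group(1) == "priv-lvl":
            return int(m.group(2))
    return None


if __name__ == "__main__":
    KEY = b"constructed-shared-secret"             # constructed, not a real key
    body = encode_author_reply(TAC_PLUS_AUTHOR_STATUS_PASS_ADD, ["priv-lvl=15"])
    packet = build_packet(0x12345678, 2, KEY, body)  # the server's reply is seq_no 2
    print(packet.hex())
    print(privilege_from_reply(parse_packet(packet, KEY)))
```

To check a real capture, feed the raw bytes of the server's REPLY and the switch's configured `tacacs-server key` to `parse_packet`; if the shared secret on either side is wrong, the decoded body will be garbage, which is the same symptom the switch sees.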
