Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

TACACS cisco switch to bypass the enable password

  • 1.  TACACS cisco switch to bypass the enable password

    Posted Jul 16, 2015 02:39 PM

    Hi Forum,

     

    I'm using CPPM 6.5 as a TACACS server and using the aes.arubanetworks. I configured the service and everything, but I'm trying to bypass the enable password when a user with priv level 15 logs in to the Cisco switch. Any idea how to do that?

     

    thanks,



  • 2.  RE: TACACS cisco switch to bypass the enable password

    EMPLOYEE
    Posted Jul 16, 2015 02:42 PM
    Level 15 is required to get into enable mode.


  • 3.  RE: TACACS cisco switch to bypass the enable password

    Posted Jul 16, 2015 02:45 PM

    Priv 15 is what I have but I still have to type enable and then the password!

    I want to log in with my priv15 and not have to type enable.

     

    thanks,



  • 4.  RE: TACACS cisco switch to bypass the enable password

    Posted Jul 16, 2015 03:28 PM

    I can see in access tracker that I'm getting TACACS cisco priv15 profile but still get asked for the enable password. My cisco switch configs are:

    aaa authentication login default group tacacs+ local
    aaa authentication enable default none
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 0 default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    aaa accounting dot1x default start-stop group radius
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+

    Thanks,



  • 5.  RE: TACACS cisco switch to bypass the enable password

    EMPLOYEE
    Posted Jul 20, 2015 07:41 AM

    First, you might need to add the enable to your aaa authorization command:

    aaa authentication login default group tacacs+ local enable

    For command auth, you will need these commands (for priv 15 users):

    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ local
    aaa authorization config-commands

    Doing some further research, if you want to bypass the enable prompt (only works via SSH/Telnet and NOT via console), you would need to modify your aaa authorization exec command as follows:

    aaa authorization exec default group tacacs+ if-authenticated

    Then a level 15 return upon SSH/Telnet auth should drop you right into enable mode.

    Hope this helps.



  • 6.  RE: TACACS cisco switch to bypass the enable password

    Posted Jul 24, 2015 03:32 AM

    Thanks for your reply; for some reason I wasn't notified via email that I received a reply. Here is how I got it configured, but it is still the same behavior.

    aaa group server tacacs+ cppm
     server 10.10.210.67
    !
    aaa authentication login default group tacacs+ local
    aaa authentication enable default none
    aaa authorization exec default group tacacs+ if-authenticated
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa accounting dot1x default start-stop group radius
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+

    thanks again,



  • 7.  RE: TACACS cisco switch to bypass the enable password

    EMPLOYEE
    Posted Jul 24, 2015 07:10 AM

    I don't see the line that Zjennings suggested.  Can you please add it and try again?

     

    aaa authentication login default group tacacs+ local enable


  • 8.  RE: TACACS cisco switch to bypass the enable password

    Posted Jul 26, 2015 04:41 AM

    I actually added that line Colin and it hasn't changed anything.



  • 9.  RE: TACACS cisco switch to bypass the enable password

    Posted Jul 20, 2015 05:21 AM

    Also, I can't get CPPM to push back a priv level 1 to the switch, or any level other than 15.



  • 10.  RE: TACACS cisco switch to bypass the enable password
    Best Answer

    Posted Oct 22, 2016 04:22 AM

    You have to add priv-lvl 15 as an authorization attribute in your enforcement profile.

    Go to Configuration » Enforcement » Profiles » Edit Enforcement Profile - "your profile"
    Privilege Level: 15
    Selected Services: Shell
    Authorize Attribute Status: ADD
    In Service Attributes add:
    Shell -- priv-lvl = 15
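    To make concrete what the enforcement profile above (Shell service, status ADD, priv-lvl = 15) and the earlier reply about a "level 15 return" on SSH/Telnet actually put on the wire, here is an added example that is not code from this thread, from ClearPass or from Cisco. It encodes and decodes the body of a TACACS+ EXEC authorization REQUEST and REPLY in the RFC 8907 section 6 layout and derives the privilege level the session lands in. The user name, port and remote address are constructed sample values; the packet header and the shared-secret obfuscation of the body are deliberately left out.

```python
"""
TACACS+ EXEC (shell) authorization bodies, RFC 8907 section 6 layout.
Added illustration, not ClearPass or Cisco IOS code.  Sample values
(user "gabriel", port "tty1", remote address 192.0.2.10) are constructed.
The 12-byte packet header and body obfuscation are omitted on purpose.
"""
import struct

# Authorization REPLY status values (RFC 8907 6.2).  ClearPass's
# "Authorize Attribute Status: ADD" corresponds to PASS_ADD.
TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01
TAC_PLUS_AUTHOR_STATUS_PASS_REPL = 0x02
TAC_PLUS_AUTHOR_STATUS_FAIL = 0x10

# REQUEST field values a NAS uses after a TACACS+ ASCII login
TAC_PLUS_AUTHEN_METH_TACACSPLUS = 0x06
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01


def encode_author_request(user, port, rem_addr, args, priv_lvl=1):
    """Build the REQUEST body the switch sends when it authorizes the EXEC shell."""
    user_b, port_b, rem_b = user.encode(), port.encode(), rem_addr.encode()
    arg_b = [a.encode() for a in args]
    body = struct.pack(
        "!BBBBBBBB",
        TAC_PLUS_AUTHEN_METH_TACACSPLUS, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
        TAC_PLUS_AUTHEN_SVC_LOGIN, len(user_b), len(port_b), len(rem_b), len(arg_b),
    )
    body += bytes(len(a) for a in arg_b)          # one length byte per argument
    body += user_b + port_b + rem_b + b"".join(arg_b)
    return body


def decode_author_request(body):
    """Parse a REQUEST body back into its fields (the server's view)."""
    meth, priv, atype, svc, ulen, plen, rlen, argc = struct.unpack("!BBBBBBBB", body[:8])
    off = 8
    arg_lens = list(body[off:off + argc]); off += argc
    user = body[off:off + ulen].decode(); off += ulen
    port = body[off:off + plen].decode(); off += plen
    rem = body[off:off + rlen].decode(); off += rlen
    args = []
    for n in arg_lens:
        args.append(body[off:off + n].decode()); off += n
    return {"priv_lvl": priv, "user": user, "port": port, "rem_addr": rem, "args": args}


def encode_author_reply(status, args, server_msg=""):
    """Build the REPLY body the TACACS+ server returns (data field left empty)."""
    msg_b = server_msg.encode()
    arg_b = [a.encode() for a in args]
    body = struct.pack("!BBHH", status, len(arg_b), len(msg_b), 0)
    body += bytes(len(a) for a in arg_b)
    body += msg_b + b"".join(arg_b)
    return body


def decode_author_reply(body):
    """Parse a REPLY body (the switch's view)."""
    status, argc, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    off = 6
    arg_lens = list(body[off:off + argc]); off += argc
    server_msg = body[off:off + msg_len].decode(); off += msg_len
    off += data_len                                # skip the data field
    args = []
    for n in arg_lens:
        args.append(body[off:off + n].decode()); off += n
    return {"status": status, "server_msg": server_msg, "args": args}


def exec_priv_level(reply, requested_priv=1):
    """Privilege level the EXEC session starts at, or None if authorization failed.

    A passing reply carrying priv-lvl=N (mandatory separator '=') starts the
    shell at level N, which is what the thread calls bypassing the enable
    prompt; a passing reply without it leaves the requested level in place."""
    if reply["status"] not in (TAC_PLUS_AUTHOR_STATUS_PASS_ADD,
                               TAC_PLUS_AUTHOR_STATUS_PASS_REPL):
        return None
    for av in reply["args"]:
        name, sep, value = av.partition("=")
        if name == "priv-lvl" and sep == "=" and value.isdigit():
            return int(value)
    return requested_priv


if __name__ == "__main__":
    req = encode_author_request("gabriel", "tty1", "192.0.2.10", ["service=shell", "cmd*"])
    print("request:", decode_author_request(req))
    rep = encode_author_reply(TAC_PLUS_AUTHOR_STATUS_PASS_ADD, ["priv-lvl=15"])
    print("reply:", decode_author_reply(rep), "-> exec level", exec_priv_level(decode_author_reply(rep)))
```

    Running it shows the two halves of the exchange: the switch's request carries service=shell with an empty cmd, and the server's PASS_ADD reply carries priv-lvl=15, so the decoded session level is 15. A passing reply that omits priv-lvl leaves the user at the level the switch requested, which matches the symptom earlier in the thread where the profile was matched in Access Tracker but the enable prompt still appeared.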

     

     



  • 11.  RE: TACACS cisco switch to bypass the enable password

    Posted Jan 31, 2019 09:16 AM
    Hello everyone, I had the same access problem described in this message. I solved it following the step by step indicated above. I leave the switch configuration and a profile capture. Greetings, Gabriel.

    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization config-commands
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 5 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+