You already got some good advice on this; I’d like to add a couple of comments.

Since you have “aaa authorization exec …” in your config, the privilege level for the users could be assigned by the TACACS+ server; then the users would get that upon log-in rather than having to type enable and enter a password.

You may want to add command accounting, to keep an audit trail of commands executed on your IOS devices:

aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

Javier Henderson
jav...@cisco.com

> On Jul 30, 2014, at 8:39 AM, Sam Stickland <s...@spacething.org> wrote:
>
> Hi,
>
> I have a very simple TACACS+ configuration that is still using the local
> enable secret and not the TACACS server:
>
> aaa new-model
> aaa authentication login default group tacacs+ local
> aaa authorization exec default group tacacs+ local
> aaa session-id common
>
> tacacs-server host x.x.x.x key 7 XXXXX
> tacacs-server directed-request
>
> With this configuration I can login using the username and password
> database of the TACACS server, but to enable I have to use the local secret.
>
> Checking "show tacacs" from a concurrent session shows the total packets
> sent incrementing for a login, but not for "enable". Checking via Wireshark
> on the TACACS server confirms this.
>
> I'm really stumped. Why does it not talk to the TACACS server for
> exec/enable?
>
> This is a debug for a failed "enable" attempt:
>
> pub#show debug
> General OS:
> TACACS access control debugging is on
> TACACS+ events debugging is on
> TACACS+ authorization debugging is on
> AAA Authentication debugging is on
> AAA Authorization debugging is on
> #
>
> 002046: *Mar 1 01:21:22.951 UTC: AAA: parse name=tty6 idb type=-1 tty=-1
> 002047: *Mar 1 01:21:22.951 UTC: AAA: name=tty6 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=6 channel=0
> 002048: *Mar 1 01:21:22.951 UTC: AAA/MEMORY: create_user (0x3D24224) user='adm' ruser='NULL' ds0=0 port='tty6' rem_addr='10.226.1.65' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
> 002049: *Mar 1 01:21:22.951 UTC: AAA/AUTHEN/START (2841968976): port='tty6' list='' action=LOGIN service=ENABLE
> 002050: *Mar 1 01:21:22.951 UTC: AAA/AUTHEN/START (2841968976): non-console enable - default to enable password
> pub#
> 002051: *Mar 1 01:21:22.951 UTC: AAA/AUTHEN/START (2841968976): Method=ENABLE
> 002052: *Mar 1 01:21:22.951 UTC: AAA/AUTHEN (2841968976): status = GETPASS
> pub#
> 002053: *Mar 1 01:21:26.154 UTC: AAA/AUTHEN/CONT (2841968976): continue_login (user='(undef)')
> 002054: *Mar 1 01:21:26.154 UTC: AAA/AUTHEN (2841968976): status = GETPASS
> 002055: *Mar 1 01:21:26.154 UTC: AAA/AUTHEN/CONT (2841968976): Method=ENABLE
> 002056: *Mar 1 01:21:26.159 UTC: AAA/AUTHEN (2841968976): password incorrect
> 002057: *Mar 1 01:21:26.159 UTC: AAA/AUTHEN (2841968976): status = FAIL
> 002058: *Mar 1 01:21:26.159 UTC: AAA/MEMORY: free_user (0x3D24224) user='NULL' ruser='NULL' port='tty6' rem_addr='10.226.1.65' authen_type=ASCII service=ENABLE
>
> And this is a debug for a success attempt (using the local enable secret):
>
> 002059: *Mar 1 01:22:16.202 UTC: AAA: parse name=tty6 idb type=-1 tty=-1
> 002060: *Mar 1 01:22:16.202 UTC: AAA: name=tty6 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=6 channel=0
> 002061: *Mar 1 01:22:16.202 UTC: AAA/MEMORY: create_user (0x3D24224) user='adm' ruser='NULL' ds0=0 port='tty6' rem_addr='10.226.1.65' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
> 002062: *Mar 1 01:22:16.202 UTC: AAA/AUTHEN/START (3792887694): port='tty6' list='' action=LOGIN service=ENABLE
> 002063: *Mar 1 01:22:16.202 UTC: AAA/AUTHEN/START (3792887694): non-console enable - default to enable password
> pub#
> 002064: *Mar 1 01:22:16.202 UTC: AAA/AUTHEN/START (3792887694): Method=ENABLE
> 002065: *Mar 1 01:22:16.208 UTC: AAA/AUTHEN (3792887694): status = GETPASS
> pub#
> 002066: *Mar 1 01:22:19.291 UTC: AAA/AUTHEN/CONT (3792887694): continue_login (user='(undef)')
> 002067: *Mar 1 01:22:19.291 UTC: AAA/AUTHEN (3792887694): status = GETPASS
> 002068: *Mar 1 01:22:19.291 UTC: AAA/AUTHEN/CONT (3792887694): Method=ENABLE
> 002069: *Mar 1 01:22:19.306 UTC: AAA/AUTHEN (3792887694): status = PASS
> 002070: *Mar 1 01:22:19.306 UTC: AAA/MEMORY: free_user (0x3D24224) user='NULL' ruser='NULL' port='tty6' rem_addr='10.226.1.65' authen_type=ASCII service=ENABLE priv=15
>
> Neither of these appears to be trying the TACACS server, but the line:
>
> aaa authorization exec default group tacacs+ local
>
> is configured!
>
> Confuzzled.
>
> Regards,

_______________________________________________
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
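As an added example (not part of the thread), a small Python audit that checks a running-config for the command-accounting lines recommended above and for an enable method list pointing at TACACS+, and that flags sessions in `debug aaa authentication` output whose enable attempt fell back to the local enable password. The config and debug samples are constructed from the quotes in the thread; the `aaa authentication enable` statement is the standard IOS command for the enable method list and is assumed here, since the thread does not quote it.

```python
"""Audit an IOS AAA config and 'debug aaa authentication' output for the
enable-fallback situation discussed in the thread (added example)."""
import re

# Constructed sample: the config quoted in the original question.
SAMPLE_CONFIG = """
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa session-id common
tacacs-server host x.x.x.x key 7 XXXXX
tacacs-server directed-request
"""

# Constructed sample: three lines from the failed enable attempt in the thread.
SAMPLE_DEBUG = """
002049: *Mar 1 01:21:22.951 UTC: AAA/AUTHEN/START (2841968976): port='tty6' list='' action=LOGIN service=ENABLE
002050: *Mar 1 01:21:22.951 UTC: AAA/AUTHEN/START (2841968976): non-console enable - default to enable password
002056: *Mar 1 01:21:26.159 UTC: AAA/AUTHEN (2841968976): password incorrect
"""

# Statements the device should carry. The 'aaa authentication enable' line is
# the standard IOS enable method list (assumed; not quoted in the thread).
REQUIRED = {
    "enable auth via TACACS+": re.compile(r"^aaa authentication enable default group tacacs\+"),
    "level-1 command accounting": re.compile(r"^aaa accounting commands 1 default start-stop group tacacs\+"),
    "level-15 command accounting": re.compile(r"^aaa accounting commands 15 default start-stop group tacacs\+"),
}

# Debug marker showing enable was handled by the local enable password.
FALLBACK = re.compile(r"AAA/AUTHEN/START \((\d+)\): non-console enable - default to enable password")


def audit_config(config: str) -> list[str]:
    """Return the names of REQUIRED statements missing from the config."""
    lines = [line.strip() for line in config.splitlines()]
    return [name for name, pat in REQUIRED.items()
            if not any(pat.match(line) for line in lines)]


def enable_fallbacks(debug: str) -> list[str]:
    """Return AAA session ids whose enable attempt defaulted to the local enable password."""
    return [m.group(1) for line in debug.splitlines() if (m := FALLBACK.search(line))]


if __name__ == "__main__":
    print("missing statements:", audit_config(SAMPLE_CONFIG))
    print("sessions that fell back to local enable:", enable_fallbacks(SAMPLE_DEBUG))
```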