no enable prompt

Hi all,

I have a Cisco switch which is configured to use TACACS+ authentication. When I SSH to the switch and enter my user name and password, I am logged in at privilege level 15 (the switch does not prompt me for the enable password!). I want to disable this, but I cannot figure out what is causing it. I have checked the configuration of my VTYs and no privilege level is defined there. There is nothing wrong with my TACACS+ server either, since other switches that use it force me to enter the enable password. Could you please tell me what besides "privilege level x" on the VTYs can cause this single switch to behave this way?

Thanks, AL

Reply to
aleu

Check below whether your switch and IOS are in the list of affected ones.

formatting link

Rgds.... NONU

Reply to
CK

Al,

Can you please paste the configuration related to VTY 0 4 & VTY 5 15?

Regards, Andy

Reply to
Andy

Thanks CK. My switch (3750G) does not seem to be affected.

Reply to
aleu

Andy, my VTYs are quite simple:

line con 0
 exec-timeout 0 0
 privilege level 15
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input telnet ssh
!

Reply to
aleu

This most likely is an attribute coming from the AAA server. The proper way to turn it off would be to do it on a selective basis on the AAA server. If this is not possible, the command in your configuration that tells the device to consider authorization from AAA would be:

aaa authorization exec group tacacs

Just remove this line and it will disable the behavior for everyone.

Scott


Reply to
xpresslearn.com

Scott, I do not have this line in my running configuration. The only AAA lines are:

aaa new-model
aaa authentication enable default group tacacs+ enable
aaa authentication login default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa session-id common

Reply to
aleu

I'm going to suspect it has something to do with:

aaa authentication enable default group tacacs+ enable

which says the enable password should be verified against the TACACS+ server and fall back to the local enable password if the TACACS+ server is not available.

If you haven't tried it already, remove this line to see if there is any change in the behavior.

Scott


Reply to
xpresslearn.com
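The thread walks through the usual places a login can land in privileged EXEC without an enable prompt: a "privilege level 15" under a line block, an "aaa authorization exec" statement that lets the AAA server's privilege attribute take effect, or a local username carrying privilege 15. The script below is an added example, not code from the thread or from Cisco; it reads a running-config as text and lists those statements so they can be checked before blaming the TACACS+ server. SAMPLE_CONFIG is a constructed configuration with every case present, and THREAD_CONFIG reproduces the lines AL posted; the "aaa authorization exec ... if-authenticated" form and the username line with a placeholder secret are assumptions for illustration, not from the thread.

```python
import re
from typing import List, Tuple

# Constructed sample config (not a real device) that contains every path the
# audit looks for: line-level privilege, EXEC authorization from AAA, and a
# local user with privilege 15. The secret is a placeholder, not a real hash.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication enable default group tacacs+ enable
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa session-id common
username admin privilege 15 secret 5 $PLACEHOLDER
!
line con 0
 exec-timeout 0 0
 privilege level 15
line vty 0 4
 privilege level 15
 transport input telnet ssh
line vty 5 15
 transport input telnet ssh
!
"""

# The AAA and line snippets as posted in the thread, joined into one config.
THREAD_CONFIG = """\
aaa new-model
aaa authentication enable default group tacacs+ enable
aaa authentication login default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa session-id common
!
line con 0
 exec-timeout 0 0
 privilege level 15
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input telnet ssh
!
"""


def parse_sections(config: str) -> List[Tuple[str, List[str]]]:
    """Split an IOS-style config into (header, child_lines) tuples.

    A non-indented line starts a new section; indented lines belong to the
    most recent section. Blank lines and '!' separators are skipped.
    """
    sections: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit_privilege_paths(config: str) -> List[str]:
    """Return the statements that can grant privileged EXEC (level 15)
    without the user ever seeing an enable prompt, in config order."""
    findings: List[str] = []
    for header, children in parse_sections(config):
        if header.startswith("line "):
            # 1. 'privilege level 15' under con/vty/aux puts every login on
            #    that line straight into privileged EXEC.
            for child in children:
                m = re.match(r"privilege level (\d+)", child)
                if m and int(m.group(1)) >= 15:
                    findings.append(f"{header}: {child}")
        elif header.startswith("aaa authorization exec"):
            # 2. EXEC authorization is what lets the TACACS+ priv-lvl
            #    attribute (or 'if-authenticated') set the level at login.
            findings.append(header)
        elif header.startswith("username "):
            # 3. A local user defined with privilege 15 lands there when the
            #    local method is used (e.g. 'login default ... local').
            m = re.search(r"\bprivilege (\d+)", header)
            if m and int(m.group(1)) >= 15:
                findings.append(header)
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("thread", THREAD_CONFIG)):
        print(f"[{name}]")
        for f in audit_privilege_paths(cfg):
            print("  ", f)
```

Run against the thread's own snippets, the audit reports only the console line's "privilege level 15", which does not apply to an SSH session on a VTY; that is consistent with the replies pointing at the AAA server or at the enable-authentication method list rather than at the line configuration.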
