ACS authentication with RSA/ACE server, separate enable password on ACS?

david.xu
Level 1

Hello,

I am setting up a Cisco ACS server to do AAA with RSA for all Cisco switches and routers.

I have no problem telnetting into a device with a user account on ACS and a passcode from the RSA/ACE server. My question is: can I configure a separate enable password for each account locally on the ACS server instead of using the local enable password?

Thanks,

David

3 Replies

Richard Burts
Hall of Fame

David

I am not sure that I fully understand your question. But what I think you are asking is whether it is possible to authenticate for enable/privilege mode via ACS (RSA) rather than authenticating with the configured enable password on the routers and switches. If this is correct, there is a simple answer: yes, you can, by configuring:

aaa authentication enable default group tacacs+ enable

This will send all requests for enable mode to the ACS server for authentication and will use the locally configured enable password if it is not possible to get an answer from the ACS server.

If I did not understand your question correctly please clarify.

HTH

Rick

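The method list above, expanded into a complete router-side AAA configuration so the fallback behaviour can be seen in context. This is an added example, not configuration posted in the thread; the server address 192.0.2.10, the shared key, the group name ACS-GROUP and the local usernames are assumed placeholders.

```cisco
! Added example, not from the original thread. Assumed placeholders:
! TACACS+ server 192.0.2.10, shared key ACSkey123, group ACS-GROUP,
! local break-glass user "rescue".
aaa new-model
!
tacacs server ACS1
 address ipv4 192.0.2.10
 key ACSkey123
 timeout 5
!
aaa group server tacacs+ ACS-GROUP
 server name ACS1
!
! Login: ask ACS (which in turn checks the RSA passcode); use the local
! username database only if no server in the group answers.
aaa authentication login default group ACS-GROUP local
!
! Enable: ask ACS first; use the local enable secret only if no server
! answers. A passcode that ACS rejects does NOT fall back to the secret.
aaa authentication enable default group ACS-GROUP enable
!
! The local fallback credentials stay live, so keep them strong and
! audited: they are what is attacked once ACS is unreachable.
enable secret Local-Enable-Fallback-Only
username rescue privilege 15 secret Rescue-Account-Only
!
line vty 0 4
 transport input ssh
 login authentication default
!
! Verification from privileged EXEC (output not shown):
!   test aaa group ACS-GROUP admin <passcode> legacy
!   show tacacs
!   debug aaa authentication
```

Two things to check before relying on this. First, IOS moves to the next method in a list only when the previous method returns an error (no server reachable), never when the server returns a reject, so a wrong RSA passcode cannot be "retried" against the local enable secret. Second, older IOS trains take `tacacs-server host 192.0.2.10 key ACSkey123` instead of the `tacacs server` block; the method-list semantics are the same.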

My question is not about how to configure the router; it is about how to configure the Cisco ACS server.

For example, I have a user configured on ACS server

username admin; password authentication uses the external RSA/ACE server (Secure Token ID).

I log into the router by telnet without any problem at this step.

Then I try to go to enable privilege mode, but I don't want to use the RSA/ACE server to do the authentication for the enable password this time; I just want to use a separate local Cisco ACS password (for this username) to log in. Is that possible?

Thanks,

David

David

I am still somewhat confused. You seem to be saying that you do not want to use the authentication server to authenticate enable mode, and then you say that you want an ACS password.

I believe that your choices are either to use the authentication server to authenticate enable, in which case each person who is to be allowed into enable mode will use an individual password, or to authenticate enable locally on the router, in which case it is a shared password (the same password for everyone).

If you do local authentication (authentication on the router rather than through the ACS server), there is an option to create unique usernames and passwords which are used to authenticate to user mode. But there is not a facility to define unique personal passwords for enable mode.

HTH

Rick
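One router-side option related to the discussion above: instead of giving each person their own enable credential, let ACS return the privilege level at login through EXEC authorization, so an operator ACS grants level 15 lands in privileged EXEC without typing a second credential at all. This is an added example, not configuration posted in the thread; the server address, key and group name are assumed placeholders, and the ACS-side attribute shown is the standard TACACS+ shell attribute.

```cisco
! Added example, not from the original thread. Assumed placeholders:
! TACACS+ server 192.0.2.10, shared key ACSkey123, group ACS-GROUP.
aaa new-model
!
tacacs server ACS1
 address ipv4 192.0.2.10
 key ACSkey123
!
aaa group server tacacs+ ACS-GROUP
 server name ACS1
!
aaa authentication login default group ACS-GROUP local
!
! EXEC authorization: after login the router asks ACS for the shell
! profile and applies the privilege level ACS returns. "local" means the
! privilege set on the local username applies only when no server answers.
aaa authorization exec default group ACS-GROUP local
!
! Optional: let ACS also vet each level-15 command individually.
aaa authorization commands 15 default group ACS-GROUP local
!
! Note: authorization is not applied to the console unless
! "aaa authorization console" is configured. Leave the console alone
! until the ACS profiles have been verified, so a bad profile cannot
! lock you out.
!
line vty 0 4
 transport input ssh
 login authentication default
 authorization exec default
 authorization commands 15 default
!
! ACS side: the TACACS+ shell profile returned for a user who should
! land in privileged EXEC directly.
!   service=shell
!   priv-lvl=15
! A user whose profile carries priv-lvl=1 gets the user-mode prompt and
! still needs "enable", i.e. whatever "aaa authentication enable" method
! list is configured on the router.
```

This does not change what the enable prompt itself authenticates against; it only decides who needs to reach it. Users who arrive at level 15 never touch the enable method list, while everyone else still goes through it.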
