tacacsü authentication

[Metalhead 10]

Hallo,

 

ich habe ein problem bei der tacacs+ authentication.

ich will auch das enable pwd via tacacs abfragen, doch leider funktioniert das nicht.

 

die pwds sind auf einem linux hobel im /etc/passwd file drinnen.

 

der login funkt schon, nur der wechsel in den enable mode geht noch nicht.

hat irgendwer eine idee?

 

cisco conf:

 

aaa new-model

aaa authentication login default group tacacs+ enable local

aaa authentication enable default group tacacs+

aaa authorization config-commands

aaa authorization commands 0 default group tacacs+ if-authenticated

aaa authorization commands 1 default group tacacs+ if-authenticated

aaa authorization commands 15 default group tacacs+ if-authenticated

aaa accounting exec default start-stop group tacacs+

aaa accounting exec exec start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting network default start-stop group tacacs+

aaa accounting connection default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

 

 

conf file des tacacs:

 

key = "xxx"

# Set up accounting file if enabling accounting on NAS

accounting file = /var/log/tac.log

 

user = $enable$ {

login = file /etc/passwd

}

group = admin {

login = file /etc/passwd

 

}

 

group = operators {

login = file /etc/passwd

 

}

 

user = aaaaa {

default service = permit

member = admin

}

user = bbbbb {

default service = permit

member = admin

}

 

user = ccccc {

default service = permit

member = admin

}

user = dddd{

member = operators

cmd = show { permit .* }

cmd = traceroute { permit .* }

cmd = logout { permit .* }

cmd = enable { permit .* }

}