[tac_plus] Please help with implementing "auto-enable" on Cisco Catalyst switches running CatOS

jathan. jathan at gmail.com
Thu Jan 28 01:24:41 UTC 2010


Hello-

I just inherited a handful of crusty Cisco Catalyst 4006 switches running
CatOS, and I need to integrate them into my support tools. Part of this
requirement is automatically enabling users upon login, as we do not like
the enable being known by humans except in the event of maintenance or
emergencies (or maintenance emergencies!), so we use privilege escalation on
the server-side to do this.

I have managed authentication for many thousands of devices of various
vendors, shapes, and sizes over the years, but this is the first time I've
ever wrangled with CatOS and also the first time I've ever had a problem
making auto-enable work with little trouble.

What I have in the server config is this:

## Production Engineers
## priv-lvl = 15
group = engineers {
        default service = permit
        service = exec {
                priv-lvl = 15
        }
}

So what we normally see with Cisco devices is something like this:

...
User Access Verification

Username: jathan
Password: ********

cisco-router#
...

So far I have been unable to get this Catalyst switch to automatically
enable me. In perusing the Cisco support forums it seems to be fully
supported, but of course all of the "help" therein refers to Cisco's ACS,
and so really isn't too helpful.

Here is what is configured on the switch (non-tacacs stuff omitted):

#tacacs+
set tacacs server 1.2.3.4 primary
set tacacs server 2.4.6.8
set tacacs attempts 3
set tacacs directedrequest disable
set tacacs key abc123
set tacacs timeout 5

#authentication
set authentication login tacacs enable console primary
set authentication login tacacs enable telnet primary
set authentication enable tacacs disable console
set authentication enable tacacs disable telnet
set authentication enable local enable console
set authentication enable local enable telnet

#accounting
set accounting exec enable start-stop tacacs+
set accounting connect enable start-stop tacacs+
set accounting system enable start-stop tacacs+
set accounting commands enable all start-stop tacacs+
set accounting suppress null-username disable

#authorization
set authorization exec enable tacacs+ none console
set authorization exec enable tacacs+ none telnet
set authorization enable disable console
set authorization enable disable telnet
set authorization commands disable console
set authorization commands disable telnet

I am curious if anyone else has conquered this challenge and what
combination of device commands and tac_plus configuration tweaks are
necessary to make it work.

Thanks in advance for any help on this matter!

-- 
Jathan.
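To show what the `priv-lvl = 15` in the tac_plus `engineers` group above looks like on the wire when the switch performs exec authorization, here is an added Python example (not part of the original post, and not tac_plus's own code) that builds and parses a TACACS+ authorization REPLY as laid out in RFC 8907, obfuscated with the shared key from the switch config (`abc123`; the session id and sequence number are constructed). It assumes the server answers PASS_ADD or PASS_REPL carrying the `priv-lvl` AV pair, which is the value the NAS should apply to the exec session.

```python
import hashlib
import struct

TAC_PLUS_VERSION, TAC_PLUS_AUTHOR = 0xC0, 0x02  # RFC 8907 version byte (12.0), author packet type
STATUS_PASS_ADD, STATUS_PASS_REPL, STATUS_FAIL = 0x01, 0x02, 0x10  # authorization reply statuses

def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5 body obfuscation: chained MD5 keystream."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def build_author_reply(session_id, seq_no, key, status, args, server_msg=b""):
    """Serialise and obfuscate an authorization REPLY carrying AV-pair args."""
    arg_bytes = [a.encode() for a in args]
    body = struct.pack("!BBHH", status, len(arg_bytes), len(server_msg), 0)
    body += bytes(len(a) for a in arg_bytes) + server_msg + b"".join(arg_bytes)
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION, TAC_PLUS_AUTHOR, seq_no,
                         0, session_id, len(body))  # flags=0: body is obfuscated
    pad = pseudo_pad(session_id, key, TAC_PLUS_VERSION, seq_no, len(body))
    return header + bytes(b ^ p for b, p in zip(body, pad))

def parse_author_reply(packet, key):
    """Deobfuscate a REPLY with the shared key; returns (status, {attr: value})."""
    version, ptype, seq_no, _, session_id, length = struct.unpack("!BBBBII", packet[:12])
    if ptype != TAC_PLUS_AUTHOR or len(packet) != 12 + length:
        raise ValueError("not a well-formed TACACS+ authorization packet")
    pad = pseudo_pad(session_id, key, version, seq_no, length)
    body = bytes(b ^ p for b, p in zip(packet[12:], pad))
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    arg_lens, pos, attrs = body[6:6 + arg_cnt], 6 + arg_cnt + msg_len + data_len, {}
    for n in arg_lens:
        av = body[pos:pos + n].decode()
        pos += n
        # '=' marks a mandatory attribute, '*' an optional one; split on the first of either.
        sep = min((i for i in (av.find("="), av.find("*")) if i >= 0), default=None)
        if sep is None:
            raise ValueError("malformed AV pair: " + av)
        attrs[av[:sep]] = av[sep + 1:]
    return status, attrs

def granted_priv_lvl(packet, key):
    """Privilege level the switch should apply, or None unless authorization passed."""
    status, attrs = parse_author_reply(packet, key)
    if status not in (STATUS_PASS_ADD, STATUS_PASS_REPL):
        return None
    return int(attrs["priv-lvl"]) if "priv-lvl" in attrs else None
```

Capturing the real exchange on the server (with the key in hand) and feeding the REPLY through `granted_priv_lvl` is a quick way to tell whether the switch is being handed `priv-lvl=15` and ignoring it, or never receiving it at all.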