Re: [nsp] tacas bugs ??

From: Nabeel Madry (nmadry@instinet.com)
Date: Wed Mar 28 2001 - 09:28:07 EST


True. One way we were able to get around it was to configure routers to auto-telnet to
a loopback interface when someone connects to the console. To avoid having users
enter username/password info twice, we added the Console interface to an AAA group
that was set to not authenticate. May want to give it a shot...

aaa new-model
! vty/telnet logins: TACACS+ first; the enable secret is only consulted
! if no TACACS+ server answers (ERROR), not if a server rejects the user (FAIL)
aaa authentication login default tacacs+ enable
! named list for the console: no authentication at the line itself
aaa authentication login console none
...
line con 0
 no motd-banner
 login authentication console
 ! a.b.c.d is the router's own Loopback0 address; the resulting telnet
 ! session is a vty login and so uses the default list above
 autocommand telnet a.b.c.d

"Young, Jason" wrote:

> AAA authorization is not applied to the console port. I ran into this while
> configuring TACACS+ on all of our routers in my previous life. I forget exactly
> what Cisco's rationalization for this is (something to do with functionality in
> case the TACACS+ server fails), but it's documented in several places.
>
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113ed_cr/secur_c/scprt1/scauthor.htm#xtocid225285
>
> Jason Young
> CNS - Network Design, Anheuser-Busch
> (314)577-4597
>
> > -----Original Message-----
> > From: eric chan [mailto:bigeric123@hotmail.com]
> > Sent: Wednesday, March 28, 2001 12:21 AM
> > To: cisco-nsp@puck.nether.net
> > Subject: [nsp] tacas bugs ??
> >
> >
> > I have set up TACACS with a Cisco router for access control.
> >
> > aaa authentication login default group tacas line
> > aaa authentication enable default group tacas enable
> > aaa authorization command 15 default group tacas none
> >
> > It works very well in a telnet session. However, when I access via console,
> > the authorization part failed: all users can type any command in enable
> > mode. Do you have any idea? Is enable mode through the console not using
> > level 15? Thanks
> >
> >
> >
> > eric
> >

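A fuller version of the console-to-loopback workaround from the reply above, written here as an added example rather than taken from the thread. The addresses (192.0.2.1 for Loopback0, 192.0.2.10 for the TACACS+ server), the shared key, the CONSOLE list name and the vty settings are assumptions, and the newer `group tacacs+` keyword form is used in place of the bare `tacacs+` shown in the reply:

```cisco
! Added example (not from the thread). Assumed values: Loopback0 = 192.0.2.1,
! TACACS+ server = 192.0.2.10 with shared key EXAMPLE_KEY (placeholders).
aaa new-model
!
! Sessions arriving on the vty lines authenticate and authorize via TACACS+.
! The trailing method is only consulted when every server fails to answer
! (ERROR), never when a server rejects the user (FAIL).
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ none
! Accounting gives a per-command record for console-originated sessions too,
! which the console line on its own would never produce.
aaa accounting commands 15 default start-stop group tacacs+
!
! Named list for the console: no authentication at the line itself, because
! the console exists only to hand the user to the loopback telnet session.
aaa authentication login CONSOLE none
!
tacacs-server host 192.0.2.10 key EXAMPLE_KEY
!
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
line con 0
 login authentication CONSOLE
 exec-timeout 5 0
 ! Drop straight into a telnet session to the loopback; that session is a
 ! vty login and so is subject to the default authentication and
 ! authorization lists. When the telnet session ends, the autocommand
 ! completes and the console session is closed with it.
 autocommand telnet 192.0.2.1
!
line vty 0 4
 transport input telnet
 authorization exec default
 authorization commands 15 default
 exec-timeout 10 0
```

The protection is only as strong as the vty path: the console line itself is unauthenticated by design, so the vty lines must keep their authentication and command authorization lists, and the `none` fallback on the commands list (the same fallback used in the original question) still permits every command whenever the TACACS+ server is unreachable. Using `if-authenticated` or `local` as the fallback, and enabling command accounting, keeps a record and a limit in place for that failure case.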


This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:33 EDT