[c-nsp] Cisco 2611XM as console router

Oliver Boehmer (oboehmer) oboehmer at cisco.com
Mon Feb 6 08:00:31 EST 2006


Jee Kay <> wrote on Monday, February 06, 2006 1:20 PM:

> I've got a pair of 2611XMs (12.3(6f)) that we're using as console
> routers. 
> 
> To authenticate to the routers, we are using SecurID tokens which only
> change once a minute... so, quite often what happens is you have to
> log onto the router, 'connect <device>' which prompts you to
> authenticate again, wait a minute to authenticate, get console of
> <device>, wait a minute, authenticate again.
> 
> What I was wondering is if there is a way to prevent the Cisco
> requiring new authentication when you connect to the async lines? I
> realise if you connect to a port directly from external you obviously
> should still authenticate (telnet mgt-router 20xx), but if you are
> connecting to the port _from the router itself_, is there a way to
> skip that second auth request?

I don't think there is a way to suppress the authentication when
connecting to the async lines from within the router, but have you
evaluated doing this on your AAA/T+ backend? 
You should be able to distinguish the local from the remote connections
by looking at the rem_addr TACACS+ attribute which contains the user's
remote address, which is local to the router when connecting locally. By
using an "ip telnet source-interface <interface>", you can make this a
fixed address (no matter which destination the user uses).

Might not be a trivial task, not sure which T+ servers allow this kind
of control.

	oli
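
Added example, not part of the original message and not code from any TACACS+ server: one way to express the backend check suggested above, reading rem_addr from an authentication START body and classifying the login as started on the router itself or elsewhere. The addresses, user and port names, and function names are assumptions for illustration, and the body is taken as already de-obfuscated.

```python
import struct
from ipaddress import ip_address

# Assumed addresses for illustration (documentation ranges, not from the thread).
CONSOLE_ROUTER_NAS = ip_address("192.0.2.10")    # router as seen by the T+ server
ROUTER_TELNET_SRC = ip_address("192.0.2.10")     # pinned by "ip telnet source-interface"


def parse_authen_start(body: bytes) -> dict:
    """Parse a de-obfuscated TACACS+ authentication START body (RFC 8907 layout)."""
    if len(body) < 8:
        raise ValueError("START body shorter than its fixed part")
    # action, priv_lvl, authen_type, authen_service, then four length octets
    *_, ulen, plen, rlen, dlen = struct.unpack("!8B", body[:8])
    if len(body) != 8 + ulen + plen + rlen + dlen:
        raise ValueError("length octets do not match body size")
    fields, off = {}, 8
    for name, n in (("user", ulen), ("port", plen), ("rem_addr", rlen)):
        fields[name] = body[off:off + n].decode("ascii", "replace")
        off += n
    return fields


def classify(nas_ip: str, body: bytes) -> str:
    """Return 'local-hop' for a reverse-telnet started on the router itself."""
    fields = parse_authen_start(body)
    try:
        rem = ip_address(fields["rem_addr"])
    except ValueError:
        return "remote"  # empty or non-IP rem_addr: never treated as local
    # rem_addr is reported by the NAS, so it is only believed from the known router.
    if ip_address(nas_ip) == CONSOLE_ROUTER_NAS and rem == ROUTER_TELNET_SRC:
        return "local-hop"
    return "remote"


def build_start(user: str, port: str, rem_addr: str) -> bytes:
    """Build a constructed sample START body (ASCII login, no data field)."""
    u, p, r = (s.encode("ascii") for s in (user, port, rem_addr))
    return struct.pack("!8B", 1, 1, 1, 1, len(u), len(p), len(r), 0) + u + p + r


if __name__ == "__main__":
    for nas, rem in (("192.0.2.10", "192.0.2.10"), ("192.0.2.10", "198.51.100.7")):
        print(nas, rem, classify(nas, build_start("jkay", "tty66", rem)))
```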


