[c-nsp] Cisco 2611XM as console router

David Prall dcp at dcptech.com
Mon Feb 6 22:58:32 EST 2006

For the async lines on the terminal server you can define an AAA profile that doesn't require login. This will bypass login for the async lines and only require the login to the console port on the connected router. It has been a while since I actually configured this, so I don't have a sample.

--
David C Prall dcp at dcptech.com http://dcp.dcptech.com

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net 
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of 
> Oliver Boehmer (oboehmer)
> Sent: Monday, February 06, 2006 8:01 AM
> To: Jee Kay; cisco-nsp at puck.nether.net
> Subject: RE: [c-nsp] Cisco 2611XM as console router
> Jee Kay <> wrote on Monday, February 06, 2006 1:20 PM:
> > I've got a pair of 2611XMs (12.3(6f)) that we're using as console
> > routers. 
> > 
> > To authenticate to the routers, we are using SecurID tokens which only
> > change once a minute... so, quite often what happens is you have to
> > log onto the router, 'connect <device>' which prompts you to
> > authenticate again, wait a minute to authenticate, get console of
> > <device>, wait a minute, authenticate again.
> > 
> > What I was wondering is if there is a way to prevent the Cisco
> > requiring new authentication when you connect to the async lines? I
> > realise if you connect to a port directly from external you obviously
> > should still authenticate (telnet mgt-router 20xx), but if you are
> > connecting to the port _from the router itself_, is there a way to
> > skip that second auth request?
> I don't think there is a way to suppress the authentication when
> connecting to the async lines from within the router, but have you
> evaluated doing this on your AAA/T+ backend? 
> You should be able to distinguish the local from the remote connections
> by looking at the rem_addr Tacacs+ attribute which contains the user's
> remote address, which is local to the router when connecting locally. By
> using a "ip telnet source-interface <interface>", you can make this a
> fixed address (no matter which destination the user uses).. 
> Might not be a trivial task, not sure which T+ servers allow this kind
> of control..
> 	oli
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
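
Added example, not part of the original messages and not a tested configuration from either poster: one way the approach described in the reply could look in IOS, combined with the "ip telnet source-interface" idea from the quoted message so that only sessions originating on the router itself reach the unauthenticated lines. The method-list name, ACL number, loopback address and line range are assumptions.

```ios
! Constructed example: names, addresses and line range are assumptions.
aaa new-model
!
! Named method list that performs no login authentication.
aaa authentication login ASYNC-NOAUTH none
!
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
! Source all router-originated telnet from Loopback0 so that local
! 'connect <device>' sessions always arrive from one known address.
ip telnet source-interface Loopback0
!
! Only the router's own loopback may open reverse-telnet sessions.
access-list 10 permit host 192.0.2.1
access-list 10 deny   any log
!
! Async lines (range assumed; check 'show line' on the actual chassis).
line 33 48
 login authentication ASYNC-NOAUTH
 access-class 10 in
 transport input telnet
 no exec
!
! VTY lines are not changed here and keep whatever method list they
! already use, so logging in to the console router still needs the token.
```

Without the access-class, a direct "telnet mgt-router 20xx" from outside would reach the attached device's console with no authentication on the console router, which is the case the original question says should still authenticate.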
