[c-nsp] Tacacs problem - 2950

Oliver Boehmer (oboehmer) oboehmer at cisco.com
Tue Nov 28 11:07:39 EST 2006


cisco-nsp-bounces at puck.nether.net <> wrote on Tuesday, November 28, 2006
4:40 PM:

> We are moving towards total Tacacs+ implementation here and many devices
> are cut over and working fine...
> 
> My first 2950-T switch came up in the list and I'm having problems
> getting it to work and not sure why...
> 
> aaa new-model
> aaa authentication login default group tacacs+ enable
> aaa accounting exec default start-stop group tacacs+
> aaa accounting commands 0 default start-stop group tacacs+
> aaa accounting commands 2 default start-stop group tacacs+
> aaa accounting commands 3 default start-stop group tacacs+
> aaa accounting commands 4 default start-stop group tacacs+
> aaa accounting commands 15 default start-stop group tacacs+
> aaa accounting network default start-stop group tacacs+
> tacacs-server host xxx.xxx.xxx.181 timeout 5
> tacacs-server key 7 XXXXXXXXXXXXXXXXXXXXXXXX
> 
> line vty 0 4
>  password 7 XXXXXXXXXXXXXXXXXXXX
> line vty 5 10
>  password 7 XXXXXXXXXXXXXXXXXXXX
> 
> 
> It won't prompt for username, only for password - and the password it
> accepts via telnet is the enable password itself.  The password entry on
> the "line vty 0 4" is not used but without it I cannot login at all...

Do you see a delay when you open a telnet connection before it actually
prompts you for the password? The fact that it requires the enable
password likely points to a problem building the TCP connection to the
T+ server: You used "enable" as the fallback method, so you need to use
the enable password in case T+ is unavailable. If you wanted to use the
"line" password, you'd have to configure it (aaa authen login default
group tacacs+ line).
Can you try "telnet xxx.xxx.xxx.181 49" from the router and see if you
get a connect?


	oli
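
The fallback behaviour described in the reply above, as a simplified model added here for illustration (not part of the original message or of IOS itself). It assumes the documented IOS AAA rule that the next method in a list is tried only when the previous one does not respond, never when it rejects; all usernames and passwords are constructed sample values.

```python
from enum import Enum


class Reply(Enum):
    PASS = "pass"    # method answered and accepted the credentials
    FAIL = "fail"    # method answered and rejected the credentials
    ERROR = "error"  # method did not answer (e.g. no TCP connect to port 49)


# Constructed sample data, not taken from the post.
TACACS_USERS = {"alice": "tplus-secret"}
ENABLE_PW = "enable-secret"
LINE_PW = "line-secret"


def tacacs(reachable):
    """'group tacacs+': needs username and password, and a reachable server."""
    def check(user, pw):
        if not reachable:
            return Reply.ERROR
        return Reply.PASS if TACACS_USERS.get(user) == pw else Reply.FAIL
    return ("group tacacs+", ("Username", "Password"), check)


def local(name, secret):
    """'enable' or 'line': password-only check against one local secret."""
    def check(_user, pw):
        return Reply.PASS if pw == secret else Reply.FAIL
    return (name, ("Password",), check)


def login(methods, user, pw):
    """Walk the method list in order; only ERROR moves on to the next entry.

    Returns (deciding method name, prompts the user saw, reply).
    """
    for name, prompts, check in methods:
        reply = check(user, pw)
        if reply is not Reply.ERROR:
            return name, prompts, reply
    return None, (), Reply.ERROR


if __name__ == "__main__":
    # The poster's list with the T+ server unreachable: password-only prompt.
    print(login([tacacs(False), local("enable", ENABLE_PW)], None, ENABLE_PW))
    # Same list, server up, wrong password: rejected, no fall-through to enable.
    print(login([tacacs(True), local("enable", ENABLE_PW)], "alice", ENABLE_PW))
```

The second case is the one worth checking on a real device: a fallback method is reached only when the server is silent, so a rejected TACACS+ login cannot be retried with the enable or line password.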


