[c-nsp] SOLVED: RE: Tacacs problem - 2950
Paul Stewart
pstewart at nexicomgroup.net
Tue Nov 28 11:15:55 EST 2006
Thanks... the server is reachable from the switch, no problem, and works
fine from other devices, so I'm ruling out a TACACS+ server problem
specifically...
I've checked, and we have no firewalls directly between the two either... ;)
Actually, just by chance I checked the logs on the TACACS+ server and
found a key issue... I had copied (cut/paste) the config from another
router over to this switch, and after re-typing the key it started
working... whoops...
Thanks everyone... makes more sense now... hehe...
Paul
-----Original Message-----
From: Oliver Boehmer (oboehmer) [mailto:oboehmer at cisco.com]
Sent: Tuesday, November 28, 2006 11:08 AM
To: Paul Stewart; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Tacacs problem - 2950
cisco-nsp-bounces at puck.nether.net <> wrote on Tuesday, November 28, 2006
4:40 PM:
> We are moving towards total Tacacs+ implementation here and many
> devices are cut over and working fine...
>
> My first 2950-T switch came up in the list and I'm having problems
> getting it to work and not sure why...
>
> aaa new-model
> aaa authentication login default group tacacs+ enable
> aaa accounting exec default start-stop group tacacs+
> aaa accounting commands 0 default start-stop group tacacs+
> aaa accounting commands 2 default start-stop group tacacs+
> aaa accounting commands 3 default start-stop group tacacs+
> aaa accounting commands 4 default start-stop group tacacs+
> aaa accounting commands 15 default start-stop group tacacs+
> aaa accounting network default start-stop group tacacs+
> tacacs-server host xxx.xxx.xxx.181 timeout 5
> tacacs-server key 7 XXXXXXXXXXXXXXXXXXXXXXXX
>
> line vty 0 4
> password 7 XXXXXXXXXXXXXXXXXXXX
> line vty 5 10
> password 7 XXXXXXXXXXXXXXXXXXXX
>
>
> It won't prompt for username, only for password - and the password it
> accepts via telnet is the enable password itself. The password entry
> on the "line vty 0 4" is not used but without it I cannot login at
> all...
Do you see a delay when you open a telnet connection before it actually
prompts you for the password? The fact that it requires the enable
password likely points to a problem building the TCP connection to the
T+ server: you used "enable" as the fallback method, so you need to use
the enable password in case T+ is unavailable. If you wanted to use the
"line" password, you'd have to configure it ("aaa authentication login
default group tacacs+ line").
Can you try "telnet xxx.xxx.xxx.181 49" from the router and see if you
get a connect?
oli
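Why a mistyped "tacacs-server key" looks like an unreachable server from the switch's side: the key never travels on the wire. It only seeds the MD5 pseudo-pad that TACACS+ XORs over every packet body (RFC 8907, section 4.5), so a server holding a different key cannot tell the packet apart from garbage, and the client ends up at its "enable" fallback method exactly as if the server had timed out. The following Python is an added example written for this page, not code from the thread or from Cisco; the session id, key, username and port are constructed values, and parse_authen_start is a hypothetical parser that only checks the length fields the way a real server would have to before it could even find the username.

```python
"""TACACS+ body obfuscation (RFC 8907 section 4.5) in pure Python.

Builds an authentication START packet under one key and shows that the
same packet de-obfuscated under a slightly different key no longer parses.
Constructed example; not the mailing-list poster's or Cisco's code.
"""
import hashlib
import struct

TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_AUTHEN = 0x01            # header type: authentication packet
TAC_PLUS_AUTHEN_LOGIN = 0x01      # START body "action" for a login
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
HEADER_LEN = 12


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Keystream per RFC 8907 4.5:
    MD5_1 = MD5(session_id || key || version || seq_no)
    MD5_n = MD5(session_id || key || version || seq_no || MD5_{n-1})
    concatenated and truncated to the body length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad; symmetric, so the same call decodes."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(session_id: int, key: bytes, user: str,
                       port: str = "tty1", rem_addr: str = "10.0.0.5") -> bytes:
    """Client side: 12-byte header (clear) + obfuscated authen START body."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT
    seq_no = 1  # first packet of the session is always seq 1 from the client
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), b""
    body = struct.pack("!BBBBBBBB", TAC_PLUS_AUTHEN_LOGIN, 1, TAC_PLUS_AUTHEN_TYPE_ASCII,
                       TAC_PLUS_AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(d)) + u + p + r + d
    header = struct.pack("!BBBBII", version, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def parse_authen_start(packet: bytes, key: bytes):
    """Server side (hypothetical minimal parser): decode the START body with
    the server's key; return the fields, or None if the body is inconsistent,
    which is what a key mismatch produces."""
    version, ptype, seq_no, _flags, session_id, length = struct.unpack(
        "!BBBBII", packet[:HEADER_LEN])
    body = obfuscate(packet[HEADER_LEN:HEADER_LEN + length], session_id, key, version, seq_no)
    if ptype != TAC_PLUS_AUTHEN or len(body) < 8:
        return None
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = struct.unpack("!BBBBBBBB", body[:8])
    # With the wrong pseudo-pad these bytes are effectively random, so the
    # declared field lengths will not add up to the body length.
    if action != TAC_PLUS_AUTHEN_LOGIN or 8 + ul + pl + rl + dl != len(body):
        return None
    off = 8
    user = body[off:off + ul]; off += ul
    port = body[off:off + pl]; off += pl
    rem = body[off:off + rl]
    return {"user": user.decode(errors="replace"), "port": port.decode(errors="replace"),
            "rem_addr": rem.decode(errors="replace"), "priv_lvl": priv_lvl,
            "authen_type": authen_type, "service": service}


if __name__ == "__main__":
    pkt = build_authen_start(0x1234ABCD, b"correct-key", "pstewart")
    print("correct key:", parse_authen_start(pkt, b"correct-key"))
    print("pasted key :", parse_authen_start(pkt, b"correct-kev"))
```

The same one-character slip in the pasted key that the original poster hit turns the decoded body into noise the server cannot parse; whether the server then drops the session or returns an error, the switch sees a failed server, honours the 5-second "timeout", and moves on to the "enable" method in the login list. Oliver's "telnet host 49" check would have succeeded here, since TCP reachability is fine and only the shared secret is wrong, which is why the server-side log was the place the mistake showed up.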