[c-nsp] Tacacs problem - 2950

Dario dario.donsion at soporte.rediris.es
Tue Nov 28 11:16:11 EST 2006


Hi,

You can configure something like this:

	enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXX
	...
	aaa new-model
	aaa authentication login TELNET group tacacs+ line enable
	aaa authentication enable default group tacacs+ enable
	aaa accounting exec default start-stop group tacacs+
	aaa accounting commands 0 default start-stop group tacacs+
	aaa accounting commands 2 default start-stop group tacacs+
	aaa accounting commands 3 default start-stop group tacacs+
	aaa accounting commands 4 default start-stop group tacacs+
	aaa accounting commands 15 default start-stop group tacacs+
	aaa accounting network default start-stop group tacacs+
	...
	line vty 0 4
	 password 7 XXXXXXXXXXXXXXXXXXXXXXXX
	 login authentication TELNET

If you enter by telnet, then the first option is tacacs, then line (telnet), and the last option is enable.
That is for login; for enable: tacacs, then enable.

If your tacacs fails and you want the router to ask for a user/password, you need to define the user
on the router:

	username noc password 7 XXXXXXXXXXXXXXXXXXXXXXXX

Also you need to specify the commands allowed for the different levels, for example:

	privilege exec level 2 clear counters
	privilege exec level 2 show version
	privilege exec level 2 show hardware

(also on your tacacs server: tacacs conf)

All works for our 2960 routers, hope it helps,

Regards,

	Dario D.

On Tuesday, 28 November 2006 16:39, Paul Stewart wrote:
> We are moving towards total Tacacs+ implementation here and many devices
> are cut over and working fine...
> 
> My first 2950-T switch came up in the list and I'm having problems
> getting it to work and not sure why...
> 
> aaa new-model
> aaa authentication login default group tacacs+ enable
> aaa accounting exec default start-stop group tacacs+
> aaa accounting commands 0 default start-stop group tacacs+
> aaa accounting commands 2 default start-stop group tacacs+
> aaa accounting commands 3 default start-stop group tacacs+
> aaa accounting commands 4 default start-stop group tacacs+
> aaa accounting commands 15 default start-stop group tacacs+
> aaa accounting network default start-stop group tacacs+
> tacacs-server host xxx.xxx.xxx.181 timeout 5
> tacacs-server key 7 XXXXXXXXXXXXXXXXXXXXXXXX
> 
> line vty 0 4
>  password 7 XXXXXXXXXXXXXXXXXXXX
> line vty 5 10
>  password 7 XXXXXXXXXXXXXXXXXXXX
> 
> 
> It won't prompt for username, only for password - and the password it
> accepts via telnet is the enable password itself.  The password entry on
> the "line vty 0 4" is not used but without it I cannot login at all...
> 
> this is the same config I've used on 6500's, GSR's and even 2924
> switches... trying to figure out what makes the 2950 different...;)
> 
> Thanks,
> 
> Paul
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 
> 
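As an added illustration (this is not code from either post, nor a Cisco tool), the script below parses the two configs from this thread and shows what each vty line will actually do: with `aaa new-model` set, a vty with no `login authentication` statement uses the `default` list, so the order the methods are tried in is the order written on the `aaa authentication login` line. It also raises the checks an auditor would want on such a config: a login list that is referenced but never defined, a `line` method on a vty that has no line password, a chain with no fallback when every TACACS+ server is unreachable, a `local` method with no `username` to match it, a local account that no login list ever consults, and type-7 secrets (which are reversibly encoded, not hashed). Both sample configs are constructed from the posts above, with the X placeholders left in place of the real secrets.

```python
"""Lint IOS-style AAA login fallback chains (added example, not from the thread)."""
import re

# Constructed from Paul's post: no `login authentication` on the vty lines.
PAUL_CFG = """\
aaa new-model
aaa authentication login default group tacacs+ enable
tacacs-server host xxx.xxx.xxx.181 timeout 5
tacacs-server key 7 XXXXXXXXXXXXXXXXXXXXXXXX
line vty 0 4
 password 7 XXXXXXXXXXXXXXXXXXXX
line vty 5 10
 password 7 XXXXXXXXXXXXXXXXXXXX
"""

# Constructed from Dario's post: named list TELNET bound to the vty lines.
DARIO_CFG = """\
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXX
aaa new-model
aaa authentication login TELNET group tacacs+ line enable
aaa authentication enable default group tacacs+ enable
username noc password 7 XXXXXXXXXXXXXXXXXXXXXXXX
line vty 0 4
 password 7 XXXXXXXXXXXXXXXXXXXXXXXX
 login authentication TELNET
"""

LOGIN_RE = re.compile(r"^aaa authentication login (\S+) (.+)$")
TYPE7_RE = re.compile(r"^(password|enable password|tacacs-server key|username \S+ password) 7 ")


def parse_method_lists(cfg):
    """Map list name -> ordered methods; 'group tacacs+' counts as one method."""
    lists = {}
    for raw in cfg.splitlines():
        m = LOGIN_RE.match(raw.strip())
        if not m:
            continue
        toks, methods, i = m.group(2).split(), [], 0
        while i < len(toks):
            if toks[i] == "group" and i + 1 < len(toks):
                methods.append("group " + toks[i + 1])
                i += 2
            else:
                methods.append(toks[i])
                i += 1
        lists[m.group(1)] = methods
    return lists


def parse_line_blocks(cfg):
    """Collect `line ...` blocks; sub-commands are the indented lines that follow."""
    blocks, cur = [], None
    for raw in cfg.splitlines():
        if raw.startswith("line "):
            cur = {"line": raw[5:].strip(), "login_list": "default", "has_password": False}
            blocks.append(cur)
        elif raw.startswith(" ") and cur is not None:
            sub = raw.strip()
            if sub.startswith("login authentication "):
                cur["login_list"] = sub.split()[2]
            elif sub.startswith("password "):
                cur["has_password"] = True
        else:
            cur = None  # any unindented command ends the current block
    return blocks


def audit(cfg):
    """Return {'chains': {vty_spec: [methods]}, 'warnings': [str]}."""
    lists = parse_method_lists(cfg)
    has_user = any(l.strip().startswith("username ") for l in cfg.splitlines())
    chains, warnings = {}, []
    for blk in parse_line_blocks(cfg):
        if not blk["line"].startswith("vty"):
            continue
        chain = lists.get(blk["login_list"])
        if chain is None:
            warnings.append(f"line {blk['line']}: login list '{blk['login_list']}' is not defined")
            continue
        chains[blk["line"]] = chain
        if "line" in chain and not blk["has_password"]:
            warnings.append(f"line {blk['line']}: 'line' method but no line password set")
        if "local" in chain and not has_user:
            warnings.append(f"line {blk['line']}: 'local' method but no username configured")
        if not any(m in ("local", "line", "enable", "none") for m in chain):
            warnings.append(f"line {blk['line']}: no fallback if all TACACS+ servers are unreachable")
    if has_user and not any("local" in c for c in lists.values()):
        warnings.append("username configured but no login list includes 'local'")
    for raw in cfg.splitlines():
        s = raw.strip()
        if TYPE7_RE.match(s):
            warnings.append(f"type 7 secret in '{s.split(' 7 ')[0]}': reversible encoding, not a hash")
    return {"chains": chains, "warnings": warnings}


if __name__ == "__main__":
    for name, cfg in (("Paul", PAUL_CFG), ("Dario", DARIO_CFG)):
        report = audit(cfg)
        print(name, report["chains"])
        for w in report["warnings"]:
            print("  !", w)
```

Run against the two configs it reports `['group tacacs+', 'enable']` for both of Paul's vty ranges and `['group tacacs+', 'line', 'enable']` for Dario's, flags the type-7 line passwords, TACACS+ key and local username, and notes that the `noc` account is never consulted by a login list that lacks the `local` method. The parser only understands the `aaa authentication login` and `line` syntax shown in the thread; other AAA lines are ignored.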
