[c-nsp] Tacacs problem - 2950

Jorge Evangelista netsecuredata at gmail.com
Wed Nov 29 00:45:50 EST 2006


Hi, you can try this configuration

aaa new-model
aaa authentication fail-message ^Authentication Fails, Please try again^
aaa authentication login default tacacs+ line
aaa authentication login console tacacs+ line
aaa authentication login virtual_terminal tacacs+ line
aaa authentication enable default tacacs+ enable
aaa authentication attempts login 2
!
aaa authorization exec default tacacs+ none
aaa authorization commands 1 default tacacs+ none
aaa authorization commands 15 default tacacs+ none
!
aaa accounting exec default start-stop tacacs+
aaa accounting commands 15 default start-stop tacacs+
aaa session-id common
!
line con 0
 password mypassword
 login authentication console

line vty 0 4
 password mypassword
 login authentication virtual_terminal
 transport input ssh
!
enable secret myd1f1cultpassword
!
tacacs-server host xxx.xxx.xxx.xxx
tacacs-server directed-request
tacacs-server key 7 101010165749491F5F4B
!



With this configuration, even if you lose administrative access because your
TACACS+ server is down, you can log in to your router with the password configured
under line vty 0 4; in this example you can log in with "mypassword".

Also, if your public IP address is configured on your LAN interface
(for example Ethernet0), you have to put this in the configuration:

ip tacacs source-interface Ethernet0

Regards,


On 11/28/06, Dario <dario.donsion at soporte.rediris.es> wrote:
> Hi,
>
> You can configure something like this:
>
>        enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXX
>        ...
>        aaa new-model
>        aaa authentication login TELNET group tacacs+ line enable
>        aaa authentication enable default group tacacs+ enable
>        aaa accounting exec default start-stop group tacacs+
>        aaa accounting commands 0 default start-stop group tacacs+
>        aaa accounting commands 2 default start-stop group tacacs+
>        aaa accounting commands 3 default start-stop group tacacs+
>        aaa accounting commands 4 default start-stop group tacacs+
>        aaa accounting commands 15 default start-stop group tacacs+
>        aaa accounting network default start-stop group tacacs+
>        ...
>        line vty 0 4
>         password 7 XXXXXXXXXXXXXXXXXXXXXXXX
>         login authentication TELNET
>
> If you enter by telnet, then the first option is tacacs, then line (telnet), and the last option is enable.
> That is for login; for enable: tacacs, then enable.
>
> If your tacacs fails and you want the router to ask for a user/password, you need to define the user
> in the router:
>
>        username noc password 7 XXXXXXXXXXXXXXXXXXXXXXXX
>
> Also you need to specify the commands allowed for the different levels, for example:
>
>        privilege exec level 2 clear counters
>        privilege exec level 2 show version
>        privilege exec level 2 show hardware
>
> (also in the your tacacs server: tacacs conf)
>
> All works for our 2960 routers, hope it helps,
>
> Regards,
>
>        Dario D.
>
> On Tuesday, 28 November 2006 16:39, Paul Stewart wrote:
> > We are moving towards total Tacacs+ implementation here and many devices
> > are cut over and working fine...
> >
> > My first 2950-T switch came up in the list and I'm having problems
> > getting it to work and not sure why...
> >
> > aaa new-model
> > aaa authentication login default group tacacs+ enable
> > aaa accounting exec default start-stop group tacacs+
> > aaa accounting commands 0 default start-stop group tacacs+
> > aaa accounting commands 2 default start-stop group tacacs+
> > aaa accounting commands 3 default start-stop group tacacs+
> > aaa accounting commands 4 default start-stop group tacacs+
> > aaa accounting commands 15 default start-stop group tacacs+
> > aaa accounting network default start-stop group tacacs+
> > tacacs-server host xxx.xxx.xxx.181 timeout 5
> > tacacs-server key 7 XXXXXXXXXXXXXXXXXXXXXXXX
> >
> > line vty 0 4
> >  password 7 XXXXXXXXXXXXXXXXXXXX
> > line vty 5 10
> >  password 7 XXXXXXXXXXXXXXXXXXXX
> >
> >
> > It won't prompt for username, only for password - and the password it
> > accepts via telnet is the enable password itself.  The password entry on
> > the "line vty 0 4" is not used but without it I cannot login at all...
> >
> > this is the same config I've used on 6500's, GSR's and even 2924
> > switches... trying to figure out what makes the 2950 different...;)
> >
> > Thanks,
> >
> > Paul
> >
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
> >
>
>


-- 
"The network is the computer"
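The thread turns on how an IOS login method list behaves once the TACACS+ server cannot be reached: Paul's list (`group tacacs+ enable`) falls through to the enable password with no username prompt, and both replies add a `line` or local fallback. The script below is an added example, not code from the cisco-nsp thread or from Cisco. It parses an IOS-style running config and reports the things a practitioner would check before cutting a device over: a line section that points at an undefined login list, a list whose fallback methods after the server are only `enable`, `line` or `none` (so nobody is ever asked for a username when the server is down), an `enable` method with no enable secret to back it, and a `tacacs-server host` without `ip tacacs source-interface`. The two sample configs are constructed for this example: the first is reconstructed from the original question with documentation-range addresses and placeholder secrets, the second is this example's own hardened variant (local fallback with a named user, source interface pinned to an assumed `Vlan1`), not a configuration from the thread.

```python
"""Added example, not from the cisco-nsp thread: a linter for IOS AAA login lists."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class AaaConfig:
    new_model: bool = False
    login_lists: Dict[str, List[str]] = field(default_factory=dict)  # list name -> methods
    line_lists: Dict[str, str] = field(default_factory=dict)         # "vty 0 4" -> list name
    tacacs_hosts: List[str] = field(default_factory=list)
    source_interface: Optional[str] = None
    enable_secret: bool = False


def parse_methods(rest: str) -> List[str]:
    """'group tacacs+ line enable' -> ['group tacacs+', 'line', 'enable']."""
    toks, methods, i = rest.split(), [], 0
    while i < len(toks):
        if toks[i] == "group" and i + 1 < len(toks):
            methods.append(f"group {toks[i + 1]}")
            i += 2
        else:
            methods.append(toks[i])
            i += 1
    return methods


def parse_config(text: str) -> AaaConfig:
    """Pull the AAA login pieces out of an IOS running config."""
    cfg, cur = AaaConfig(), None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        s = raw.strip()
        if not raw[0].isspace():
            cur = None  # an unindented command ends the current 'line ...' section
        if s == "aaa new-model":
            cfg.new_model = True
        elif m := re.match(r"aaa authentication login (\S+) (.+)", s):
            cfg.login_lists[m.group(1)] = parse_methods(m.group(2))
        elif m := re.match(r"line (con|vty|aux) (.+)", s):
            cur = f"{m.group(1)} {m.group(2)}"
            cfg.line_lists.setdefault(cur, "default")  # no explicit list means 'default'
        elif cur and (m := re.match(r"login authentication (\S+)", s)):
            cfg.line_lists[cur] = m.group(1)
        elif m := re.match(r"tacacs-server host (\S+)", s):
            cfg.tacacs_hosts.append(m.group(1))
        elif m := re.match(r"ip tacacs source-interface (\S+)", s):
            cfg.source_interface = m.group(1)
        elif re.match(r"enable (secret|password) ", s):
            cfg.enable_secret = True
    return cfg


def is_server_method(method: str) -> bool:
    return method.startswith("group ") or method in ("tacacs+", "radius")


def lint(cfg: AaaConfig) -> List[str]:
    """Return one finding per problem; an empty list means the config passes."""
    findings = []
    if not cfg.new_model:
        findings.append("aaa new-model missing: login method lists are not in effect")
    for line_name, list_name in cfg.line_lists.items():
        methods = cfg.login_lists.get(list_name)
        if methods is None:
            findings.append(f"line {line_name}: login list '{list_name}' is not defined")
            continue
        fallbacks = [m for m in methods if not is_server_method(m)]
        if fallbacks and not any(f in ("local", "local-case") for f in fallbacks):
            findings.append(f"line {line_name}: list '{list_name}' falls back to {fallbacks}; "
                            "no username prompt when the tacacs+ server is unreachable")
        if "enable" in fallbacks and not cfg.enable_secret:
            findings.append(f"line {line_name}: method 'enable' but no enable secret is set")
    if cfg.tacacs_hosts and cfg.source_interface is None:
        findings.append("tacacs-server host without 'ip tacacs source-interface'; "
                        "the server sees whatever egress address the switch picks")
    return findings


# Constructed from the original question; address and secrets are placeholders.
PAUL_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ enable
tacacs-server host 192.0.2.181 timeout 5
tacacs-server key 7 XXXXXXXXXXXXXXXXXXXXXXXX
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXX
!
line vty 0 4
 password 7 XXXXXXXXXXXXXXXXXXXX
line vty 5 10
 password 7 XXXXXXXXXXXXXXXXXXXX
"""

# This example's own hardened variant (assumed Vlan1 as the management SVI).
HARDENED_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
username noc secret ChangeMe
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXX
tacacs-server host 192.0.2.181 timeout 5
tacacs-server key 7 XXXXXXXXXXXXXXXXXXXXXXXX
ip tacacs source-interface Vlan1
!
line vty 0 4
 login authentication default
 transport input ssh
"""

if __name__ == "__main__":
    for name, text in (("original", PAUL_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, lint(parse_config(text)) or ["ok"])
```

Against the reconstructed original the linter reports the enable-only fallback on both vty ranges and the missing source interface, which matches the symptom in the question (password prompt only, enable password accepted); the hardened variant produces no findings. Run it against `show running-config` output saved to a file by replacing the embedded samples.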


