[c-nsp] Cisco ACS tacacs console login fails.

Arne Larsen / Region Nordjylland arla at rn.dk
Tue May 13 12:46:36 EDT 2008


Hi Folks.

Is there someone who can point me in the right direction?
We are using tacacs on Cisco ACS v 4.1. This works fine when we are accessing the boxes via telnet. It authenticates us and lets us directly into privilege mode on the switches and routers. But when we are using the console port it just authenticates, and doesn't let us in at all, even if we try to enable with the enable password.
Here is a test from the log file that lets us in via telnet:
05/13/2008,18:25:11,Authen OK,arla,Admin,10.2.28.45,tty1,10.2.9.221
The next line authenticates us but doesn't let us directly into the box from the console port:
05/13/2008,18:20:43,Authen OK,arla,Admin,async,tty0,10.2.9.221
When we do enable and type the enable password, tacacs rejects us:
05/13/2008,18:24:02,Authen failed,arla,Admin,async,ACS password invalid,,,tty0,10.2.9.221
What could I have missed in the check-boxes of the ACS tacacs setup?


The config of the Cisco boxes looks like this:
----------------------------------------------------------------------
aaa new-model
aaa authentication login CONSOLE group tacacs+ local
aaa authentication login TELNET group tacacs+
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+
aaa authorization commands 1 default group tacacs+
aaa authorization commands 15 default group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

line con 0
 password 7 1446400509107E32
 login authentication CONSOLE
line vty 0 4
 access-class 133 in
 exec-timeout 60 0
 password 7 15435902013E7F3D
 login authentication TELNET

/Arne
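Added example (not part of Arne's post or the cisco-nsp archive): a small Python triage script that parses the three ACS log lines quoted above and separates console attempts (NAS port tty0, caller-id `async`) from vty attempts, so that failures confined to the console path stand out from the telnet sessions that work. The two CSV column layouts are assumptions inferred from those lines (ACS report columns are configurable), and the "tty0 is the console" rule is an IOS numbering convention assumed here. One router-side check worth making when console logins authenticate but never receive the privilege level the ACS profile grants: IOS does not apply `aaa authorization exec` to the console line unless `aaa authorization console` is also configured globally, and the config in the post does not show that command.

```python
"""Triage Cisco ACS 4.x CSV log lines by access path and outcome.

Added example, not code from the original post. The sample lines are the
ones quoted in the post; the column layouts are assumptions derived from them.
"""
import csv
from collections import Counter

# Constructed test input: the three lines quoted in the post.
SAMPLE_LOG = """\
05/13/2008,18:25:11,Authen OK,arla,Admin,10.2.28.45,tty1,10.2.9.221
05/13/2008,18:20:43,Authen OK,arla,Admin,async,tty0,10.2.9.221
05/13/2008,18:24:02,Authen failed,arla,Admin,async,ACS password invalid,,,tty0,10.2.9.221
"""

# Assumed column layouts, one per ACS report (Passed Authentications vs
# Failed Attempts), inferred from the field counts of the lines above.
PASSED_COLUMNS = ("date", "time", "message_type", "user", "group",
                  "caller_id", "nas_port", "nas_ip")
FAILED_COLUMNS = ("date", "time", "message_type", "user", "group",
                  "caller_id", "authen_failure_code", "author_failure_code",
                  "author_data", "nas_port", "nas_ip")


def parse_line(line):
    """Parse one ACS CSV line into a dict, picking the layout by Message-Type."""
    fields = next(csv.reader([line]))
    message_type = fields[2]
    columns = FAILED_COLUMNS if message_type.startswith("Authen failed") else PASSED_COLUMNS
    if len(fields) != len(columns):
        raise ValueError(f"unexpected field count {len(fields)} for {message_type!r}")
    record = dict(zip(columns, fields))
    # Passed lines carry no failure code; normalise so callers can always read it.
    record.setdefault("authen_failure_code", "")
    return record


def access_path(record):
    """Classify the access path. Assumption: IOS reports the console as tty0
    and ACS logs its caller-id as 'async'; anything else here is a vty session."""
    if record["nas_port"] == "tty0" or record["caller_id"] == "async":
        return "console"
    return "vty"


def triage(text):
    """Parse every non-empty line and tag it with its access path."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        record = parse_line(line)
        record["path"] = access_path(record)
        records.append(record)
    return records


def summarize(records):
    """Count outcomes per (path, message_type), e.g. ('console', 'Authen failed')."""
    return Counter((r["path"], r["message_type"]) for r in records)


def console_failures(records):
    """Return the failed console attempts with their ACS failure reason."""
    return [(r["time"], r["user"], r["nas_ip"], r["authen_failure_code"])
            for r in records
            if r["path"] == "console" and r["message_type"].startswith("Authen failed")]


if __name__ == "__main__":
    recs = triage(SAMPLE_LOG)
    for key, count in sorted(summarize(recs).items()):
        print(f"{key[0]:8s} {key[1]:14s} {count}")
    for entry in console_failures(recs):
        print("console failure:", entry)
```

Running it on the three quoted lines shows one successful vty login, one successful console login, and one console enable failure whose ACS reason is "ACS password invalid"; the same functions work unchanged on a full ACS export, which is where the per-path counts become useful for spotting a console-only problem.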