[c-nsp] Cisco ACS tacacs console login fails.

Ramcharan, Vijay A vijay.ramcharan at verizonbusiness.com
Wed May 14 17:44:28 EDT 2008


Just a hunch:
Have you tried going into enable mode with your TACACS password?

I see you have specified this:
aaa authentication enable default group tacacs+ enable 

which probably indicates the device is looking to TAC+ for the enable
password. Your log message also indicates "ACS password invalid" so it
appears that may be the case.

Vijay Ramcharan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Arne Larsen /
Region Nordjylland
Sent: May 13, 2008 12:47
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Cisco ACS tacacs console login fails.

Hi Folks.

Is there someone who can point me in the right direction?
We are using tacacs on Cisco ACS v 4.1. This works fine when we are
accessing the boxes via telnet. It authenticates us and lets us directly
into privilege mode on the switches and routers. But when we are using
the console port it just authenticates, and doesn't let us in at all,
even if we try to enable with the enable password.
Here is a test from the log file that lets us in via telnet:
05/13/2008,18:25:11,Authen OK,arla,Admin,10.2.28.45,tty1,10.2.9.221
The next line authenticates us but doesn't let us directly into the
box from the console port.
05/13/2008,18:20:43,Authen OK,arla,Admin,async,tty0,10.2.9.221
When we do enable and type the enable password, the tacacs rejects us:
05/13/2008,18:24:02,Authen failed,arla,Admin,async,ACS password invalid,,,tty0,10.2.9.221
What check-boxes can I have missed enabling in the ACS tacacs
setup?


The config of the cisco boxes looks like this:
----------------------------------------------------------------------
aaa new-model
aaa authentication login CONSOLE group tacacs+ local
aaa authentication login TELNET group tacacs+
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+
aaa authorization commands 1 default group tacacs+
aaa authorization commands 15 default group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

line con 0
 password 7 1446400509107E32
 login authentication CONSOLE
line vty 0 4
 access-class 133 in
 exec-timeout 60 0
 password 7 15435902013E7F3D
 login authentication TELNET

/Arne

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
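As an added illustration (not part of the thread, and not ACS or Cisco code), here is a small parser for the three ACS log lines quoted above that separates console (async/tty0) from remote (telnet) events and flags a failure on a console tty that follows a successful login by the same user on the same NAS, which is exactly the rejected-enable pattern Arne describes. The field layout is an assumption inferred from those three lines: six leading fields (date, time, status, user, group, caller), tty and NAS IP as the last two, and a failure reason plus empty fields inserted in between on "Authen failed" lines.

```python
import csv
from collections import Counter
from datetime import datetime

# Constructed sample input: the three ACS log lines quoted in the post
SAMPLE_LOG = """\
05/13/2008,18:25:11,Authen OK,arla,Admin,10.2.28.45,tty1,10.2.9.221
05/13/2008,18:20:43,Authen OK,arla,Admin,async,tty0,10.2.9.221
05/13/2008,18:24:02,Authen failed,arla,Admin,async,ACS password invalid,,,tty0,10.2.9.221
"""

def parse_acs_line(line):
    """Split one ACS CSV line into a dict. Assumption (from the samples): first six
    fields are date,time,status,user,group,caller; tty and NAS IP are always the last
    two; a failed line inserts the reason plus empty fields between them."""
    f = next(csv.reader([line]))
    rec = {
        "when": datetime.strptime(f[0] + " " + f[1], "%m/%d/%Y %H:%M:%S"),
        "status": f[2], "user": f[3], "group": f[4], "caller": f[5],
        "reason": f[6] if f[2] == "Authen failed" else "",
        "tty": f[-2], "nas": f[-1],
    }
    # Console sessions show caller 'async' on tty0; telnet carries a source IP
    rec["port"] = "console" if rec["caller"] == "async" else "remote"
    return rec

def parse_acs_log(text):
    return [parse_acs_line(l) for l in text.splitlines() if l.strip()]

def summarize(records):
    """Count events by (port type, status, reason) to see which access path fails."""
    return Counter((r["port"], r["status"], r["reason"]) for r in records)

def console_followup_failures(records, window_minutes=10):
    """Failures on a console tty shortly after a successful login by the same user
    on the same NAS: a login that worked but whose enable step was rejected."""
    hits, ok_by_key = [], {}
    for r in sorted(records, key=lambda r: r["when"]):
        key = (r["nas"], r["tty"], r["user"])
        if r["status"] == "Authen OK":
            ok_by_key[key] = r["when"]
        elif r["port"] == "console" and key in ok_by_key:
            delta = (r["when"] - ok_by_key[key]).total_seconds()
            if 0 <= delta <= window_minutes * 60:
                hits.append((r["user"], r["nas"], r["tty"], r["reason"]))
    return hits

if __name__ == "__main__":
    recs = parse_acs_log(SAMPLE_LOG)
    print(summarize(recs))
    print(console_followup_failures(recs))
```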