[c-nsp] Catalyst 2960G & Tacacs

Fred Reimer freimer at ctiusa.com
Mon May 19 23:20:45 EDT 2008


Why are you using a timeout of 1 second for your TACACS+ server?  That's
awfully short, especially if you use two-factor authentication or a punt
from ACS to an external database.  If anything I've had to increase the
timeout from the default.  Your authorization command doesn't look right
either.  You would obviously also need to define some local username(s) with
appropriate privilege levels and (hopefully) a secret in order for "local"
fallback to work.  You can't fall back to local if you have no local
usernames...  If authentication to the ACS isn't working, check the ACS
failure logs, and also do some debugs on the router/switch.  You can set up
buffered logging, unplug your connection to your ACS, do your test, then
plug back in to get the detailed messages in the log on why AAA is failing.


HTH,

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697
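As an added example (not code from the thread or from any Cisco tool), a small Python linter that checks an IOS AAA snippet for the conditions discussed above: a per-host TACACS+ timeout below a sane floor (the 5-second IOS default is assumed as the floor), authentication lists ending in `local` with no local username defined, and authorization lists whose only method is `if-authenticated`, which grants authorization to any authenticated user without asking the server. The sample config is constructed from the quoted lines.

```python
import re
from typing import List

# Constructed sample: the AAA lines quoted in the thread, with no local
# username present so that the local-fallback finding fires.
SAMPLE_CONFIG = """
aaa authentication login telnet group tacacs+ local
aaa authentication login console group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default if-authenticated
tacacs-server host x.x.x.x timeout 1
line vty 0 4
 login authentication telnet
"""

MIN_TIMEOUT = 5  # assumed floor; matches the IOS default of 5 seconds


def audit_aaa(config: str, min_timeout: int = MIN_TIMEOUT) -> List[str]:
    """Return one finding string per risky AAA/TACACS+ line in an IOS config."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings: List[str] = []
    # A "local" method only works if at least one local user with a
    # secret or password exists somewhere in the config.
    has_local_user = any(
        re.match(r"username \S+ .*\b(secret|password)\b", ln) for ln in lines
    )
    for ln in lines:
        m = re.match(r"tacacs-server host \S+.*?timeout (\d+)", ln)
        if m and int(m.group(1)) < min_timeout:
            findings.append(
                f"'{ln}': timeout {m.group(1)}s is below the {min_timeout}s floor"
            )
        if ln.startswith("aaa authentication") and ln.endswith(" local") \
                and not has_local_user:
            findings.append(f"'{ln}': local fallback but no local username defined")
        if re.match(r"aaa authorization (exec|commands \d+) \S+ if-authenticated$", ln):
            findings.append(f"'{ln}': if-authenticated is the only method, server never consulted")
    return findings


if __name__ == "__main__":
    for finding in audit_aaa(SAMPLE_CONFIG):
        print(finding)
```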

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of DAVID Sébastien
> Sent: Monday, May 19, 2008 12:09 PM
> To: A.L.M.Buxey at lboro.ac.uk
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Catalyst 2960G & Tacacs
> 
> Thanks for help,
> 
> But my configuration is OK with the Cisco 2950; only with the 2960 do I have a
> problem. This is my aaa configuration:
> 
> aaa authentication login telnet group tacacs+ local
> aaa authentication login console group tacacs+ local
> aaa authentication enable default group tacacs+ enable
> aaa authorization commands 1 default group tacacs+ if-authenticated
> aaa authorization commands 15 default group tacacs+ if-authenticated
> aaa authorization exec default if-authenticated
> aaa authorization config-commands
> aaa accounting exec default start-stop group tacacs+
> aaa accounting commands 1 default start-stop group tacacs+
> aaa accounting commands 15 default start-stop group tacacs+
> aaa accounting connection default start-stop group tacacs+
> aaa accounting system default start-stop group tacacs+
> 
> 
> tacacs-server host x.x.x.x timeout 1
> 
> line console 0
> login authentication console
> line vty 0 4
>  logging synchronous
>  login authentication telnet
>  transport input ssh
> 
> -----Original Message-----
> From: A.L.M.Buxey at lboro.ac.uk [mailto:A.L.M.Buxey at lboro.ac.uk]
> Sent: Monday, May 19, 2008 18:05
> To: DAVID Sébastien
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Catalyst 2960G & Tacacs
> 
> Hi,
> > HI,
> >
> >
> >
> > I ran into some difficulties setting up my 2960G switch with tacacs. I have
> configured a local username and set an authentication list as
> follows:
> 
> you need to configure the groups for it to use local if server fails.
> 
> eg
> 
> aaa authentication login default group tacacs+ enable
> aaa authentication enable default group tacacs+ enable
> aaa authorization exec default group tacacs+ if-authenticated
> aaa accounting exec default start-stop group tacacs+
> aaa accounting commands 1 default start-stop group tacacs+
> aaa accounting commands 15 default start-stop group tacacs+
> 
> tacacs-server host 192.168.1.0
> tacacs-server host 192.168.0.255
> tacacs-server key 7 <crackable secret>
> 
> 
> alan
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

