[c-nsp] AAA on IOS-XR (NCS540)

Eric Van Tol eric at atlantech.net
Thu Dec 3 13:29:01 EST 2020


Hi all,
I’m going nuts here trying to get my AAA set up on an NCS. The goal is to authenticate against TACACS on VTY lines but either use the local user database or line/enable for console access and I cannot get it right. Sometimes my VTY authentication fails the first time and it requires you to put in your password a second time, even though the TACACS servers are definitely available. I cannot get console access to work properly at all. I’m running XR 7.1.1. Here’s the aaa portion of the config:

tacacs source-interface Loopback1 vrf default
tacacs-server host 192.168.45.126 port 49
 key 7 ******
 single-connection
!
tacacs-server host 192.168.46.126 port 49
 key 7 ******
 timeout 3
 single-connection
!
username admin
 group root-lr
 group cisco-support
 secret 10 $secretpass
!
aaa group server tacacs+ TACACS
 server 192.168.45.126
 server 192.168.46.126
!
aaa authorization exec CONSOLE local
aaa authorization exec default group TACACS local
aaa authentication login CONSOLE local line
aaa authentication login default group TACACS line
!
!
line console
 password 7 ******
 authorization exec CONSOLE
 login authentication CONSOLE
!
line default
 password 7 ******
 timeout login response 30
 authorization exec default
 login authentication default
 exec-timeout 0 0
 access-class ingress access-protect
 session-timeout 120
 transport input ssh
!

I’ve tried different permutations of the line console config and can’t get the right combination. Can someone point me in the right direction here?

Thanks in advance,
evt


