[c-nsp] AAA on IOS-XR (NCS540)

Scott Miller fordlove at gmail.com
Thu Dec 3 13:52:10 EST 2020


Do you have the control-plane set up?

tacacs source-interface Loopback100 vrf default
tacacs-server host 11.11.11.11 port 49
 key 7 xxxxxxxxxxxxxxxxxxxxxxxx
!
tacacs-server host 22.22.22.22 port 49
 key 7 xxxxxxxxxxxxxxxxxxxxxxxx
!

aaa accounting exec default start-stop group acs-tacacs
aaa accounting system default start-stop group acs-tacacs
aaa accounting commands default start-stop group acs-tacacs
aaa group server tacacs+ acs-tacacs
 server 11.11.11.11
 server 22.22.22.22
!
aaa authorization exec default group acs-tacacs local
aaa authorization commands default group acs-tacacs none
aaa authentication login default group acs-tacacs local

line console
 exec-timeout 10 0
!
line default
 password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxx
 exec-timeout 30 0
 session-timeout 30
 transport input ssh
!
vty-pool default 0 20

control-plane
 management-plane
  inband
   interface all
    allow all peer
     address ipv4 11.12.12.12
     address ipv4 11.13.13.13
     address ipv4 11.14.14.14

On Thu, Dec 3, 2020 at 11:33 AM Eric Van Tol <eric at atlantech.net> wrote:

> Hi all,
> I’m going nuts here trying to get my AAA set up on an NCS. The goal is to
> authenticate against TACACS on VTY lines but either use the local user
> database or line/enable for console access and I cannot get it right.
> Sometimes my VTY authentication fails the first time and it requires you to
> put in your password a second time, even though the TACACS servers are
> definitely available. I cannot get console access to work properly at all.
> I’m running XR 7.1.1. Here’s the aaa portion of the config:
>
> tacacs source-interface Loopback1 vrf default
> tacacs-server host 192.168.45.126 port 49
>  key 7 ******
>  single-connection
> !
> tacacs-server host 192.168.46.126 port 49
>  key 7 ******
>  timeout 3
>  single-connection
> !
> username admin
>  group root-lr
>  group cisco-support
>  secret 10 $secretpass
> !
> aaa group server tacacs+ TACACS
>  server 192.168.45.126
>  server 192.168.46.126
> !
> aaa authorization exec CONSOLE local
> aaa authorization exec default group TACACS local
> aaa authentication login CONSOLE local line
> aaa authentication login default group TACACS line
> !
> line console
>  password 7 ******
>  authorization exec CONSOLE
>  login authentication CONSOLE
> !
> line default
>  password 7 ******
>  timeout login response 30
>  authorization exec default
>  login authentication default
>  exec-timeout 0 0
>  access-class ingress access-protect
>  session-timeout 120
>  transport input ssh
> !
>
> I’ve tried different permutations of the line console config and can’t get
> the right combination. Can someone point me in the right direction here?
>
> Thanks in advance,
> evt
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
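When an IOS-XR AAA setup misbehaves, the first things worth checking mechanically are that every `login authentication` / `authorization exec` reference on a line template points at a method list that actually exists, that every `group` in a method list points at a defined server group whose servers all have a `tacacs-server host` entry, and what the final fallback method is (a trailing `none` on an authorization list fails open when TACACS is unreachable; a trailing `line` falls back to the shared line password). The script below is an added example, not code from either poster or from Cisco; the sample config is constructed from the one in the thread with placeholder secrets, one server deliberately left without a `tacacs-server host` entry, and a deliberately undefined list name (`VTYLIST`) on `line default` so the checks have something to report.

```python
"""Lint an IOS-XR style AAA configuration for dangling method-list and
server-group references and for weak fallback methods (added example)."""
from dataclasses import dataclass, field

# Constructed sample based on the config posted in the thread; secrets are
# placeholders, 192.168.46.126 has no host entry on purpose, and VTYLIST is
# intentionally undefined so the lint has findings to return.
SAMPLE_CONFIG = """\
tacacs-server host 192.168.45.126 port 49
 key 7 PLACEHOLDER
 single-connection
!
aaa group server tacacs+ TACACS
 server 192.168.45.126
 server 192.168.46.126
!
aaa authorization exec CONSOLE local
aaa authorization exec default group TACACS local
aaa authorization commands default group TACACS none
aaa authentication login CONSOLE local line
aaa authentication login default group TACACS line
!
line console
 password 7 PLACEHOLDER
 authorization exec CONSOLE
 login authentication CONSOLE
!
line default
 password 7 PLACEHOLDER
 authorization exec default
 login authentication VTYLIST
 transport input ssh
!
"""


@dataclass
class AaaModel:
    server_groups: dict = field(default_factory=dict)  # name -> [server addresses]
    tacacs_hosts: set = field(default_factory=set)     # addresses with a host entry
    method_lists: dict = field(default_factory=dict)   # (kind, name) -> [(method, group)]
    line_refs: list = field(default_factory=list)      # (line template, kind, list name)


def parse_methods(tokens):
    """Turn 'group TACACS local' into [('group', 'TACACS'), ('local', None)]."""
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append(("group", tokens[i + 1]))
            i += 2
        else:
            methods.append((tokens[i], None))
            i += 1
    return methods


def parse_config(text):
    """Build an AaaModel from IOS-XR style config text (top-level + one indent)."""
    model, block = AaaModel(), None  # block tracks the current group/line context
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            block = None
            continue
        tokens = line.split()
        if not line.startswith(" "):
            block = None
            if tokens[:2] == ["tacacs-server", "host"]:
                model.tacacs_hosts.add(tokens[2])
            elif tokens[:3] == ["aaa", "group", "server"]:
                block = ("group", tokens[4])
                model.server_groups[tokens[4]] = []
            elif tokens[0] == "aaa" and tokens[1] in ("authentication", "authorization"):
                # e.g. aaa authentication login default group TACACS line
                model.method_lists[(tokens[1] + "-" + tokens[2], tokens[3])] = parse_methods(tokens[4:])
            elif tokens[0] == "line":
                block = ("line", tokens[1])
        elif block and block[0] == "group" and tokens[0] == "server":
            model.server_groups[block[1]].append(tokens[1])
        elif block and block[0] == "line":
            if tokens[:2] == ["login", "authentication"]:
                model.line_refs.append((block[1], "authentication-login", tokens[2]))
            elif tokens[:2] == ["authorization", "exec"]:
                model.line_refs.append((block[1], "authorization-exec", tokens[2]))
    return model


def lint(model):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for (kind, name), methods in model.method_lists.items():
        for method, group in methods:
            if method == "group" and group not in model.server_groups:
                findings.append(f"{kind} list {name}: server group {group} is not defined")
        last = methods[-1][0] if methods else None
        if kind.startswith("authorization") and last == "none":
            findings.append(f"{kind} list {name}: falls open to 'none' if the group is unreachable")
        if kind == "authentication-login" and last == "line":
            findings.append(f"{kind} list {name}: falls back to the shared line password")
    for group, servers in model.server_groups.items():
        for server in servers:
            if server not in model.tacacs_hosts:
                findings.append(f"server group {group}: {server} has no tacacs-server host entry")
    for line_name, kind, ref in model.line_refs:
        if (kind, ref) not in model.method_lists:
            findings.append(f"line {line_name}: {kind} references undefined list {ref}")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_config(SAMPLE_CONFIG)):
        print(finding)
```

Run it against a `show running-config aaa` / `show running-config line` dump pasted into `SAMPLE_CONFIG` and read the findings as questions rather than verdicts: a `line` fallback on the console list is usually deliberate, whereas a `none` fallback on command authorization or a dangling list name on the VTY template is the kind of thing that produces exactly the intermittent and console-only failures described in the thread.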

