[c-nsp] AAA on IOS-XR (NCS540)
Aaron
dudepron at gmail.com
Thu Dec 3 14:17:18 EST 2020
This isn't a typo, is it?
aaa authentication login default group TACACS line!
should it be
aaa authentication login default group TACACS line <<< no !
On Thu, Dec 3, 2020 at 2:13 PM Eric Van Tol <eric at atlantech.net> wrote:
> No, all I have is:
>
> control-plane
> management-plane
> inband
> interface TenGigE0/0/0/27
> allow all
> !
> interface TenGigE0/0/0/23.1550
> allow all
> !
> interface TenGigE0/0/0/25.1550
> allow all
> !
> !
>
> What exactly does this do? I mean, I have an inkling, but I wouldn’t
> expect TACACS to work at all if I was missing a config to allow it to
> respond to the router.
>
> From: Scott Miller <fordlove at gmail.com>
> Date: Thursday, December 3, 2020 at 1:52 PM
> To: Eric Van Tol <eric at atlantech.net>
> Cc: "cisco-nsp at puck.nether.net" <cisco-nsp at puck.nether.net>
> Subject: Re: [c-nsp] AAA on IOS-XR (NCS540)
>
>
> Do you have the control-plane set up?
>
> tacacs source-interface Loopback100 vrf default
> tacacs-server host 11.11.11.11 port 49
> key 7 xxxxxxxxxxxxxxxxxxxxxxxx
> !
> tacacs-server host 22.22.22.22 port 49
> key 7 xxxxxxxxxxxxxxxxxxxxxxxx
> !
>
> aaa accounting exec default start-stop group acs-tacacs
> aaa accounting system default start-stop group acs-tacacs
> aaa accounting commands default start-stop group acs-tacacs
> aaa group server tacacs+ acs-tacacs
> server 11.11.11.11
> server 22.22.22.22
> !
> aaa authorization exec default group acs-tacacs local
> aaa authorization commands default group acs-tacacs none
> aaa authentication login default group acs-tacacs local
>
> line console
> exec-timeout 10 0
> !
> line default
> password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxx
> exec-timeout 30 0
> session-timeout 30
> transport input ssh
> !
> vty-pool default 0 20
>
> control-plane
> management-plane
> inband
> interface all
> allow all peer
> address ipv4 11.12.12.12
> address ipv4 11.13.13.13
> address ipv4 11.14.14.14
>
>
>
> On Thu, Dec 3, 2020 at 11:33 AM Eric Van Tol <eric at atlantech.net> wrote:
> Hi all,
> I’m going nuts here trying to get my AAA set up on an NCS. The goal is to
> authenticate against TACACS on VTY lines but either use the local user
> database or line/enable for console access and I cannot get it right.
> Sometimes my VTY authentication fails the first time and it requires you to
> put in your password a second time, even though the TACACS servers are
> definitely available. I cannot get console access to work properly at all.
> I’m running XR 7.1.1. Here’s the aaa portion of the config:
>
> tacacs source-interface Loopback1 vrf default
> tacacs-server host 192.168.45.126 port 49
> key 7 ******
> single-connection
> !
> tacacs-server host 192.168.46.126 port 49
> key 7 ******
> timeout 3
> single-connection
> !
> username admin
> group root-lr
> group cisco-support
> secret 10 $secretpass
> !
> aaa group server tacacs+ TACACS
> server 192.168.45.126
> server 192.168.46.126
> !
> aaa authorization exec CONSOLE local
> aaa authorization exec default group TACACS local
> aaa authentication login CONSOLE local line
> aaa authentication login default group TACACS line!
> !
> line console
> password 7 ******
> authorization exec CONSOLE
> login authentication CONSOLE
> !
> line default
> password 7 ******
> timeout login response 30
> authorization exec default
> login authentication default
> exec-timeout 0 0
> access-class ingress access-protect
> session-timeout 120
> transport input ssh
> !
>
> I’ve tried different permutations of the line console config and can’t get
> the right combination. Can someone point me in the right direction here?
>
> Thanks in advance,
> evt
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
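As an added illustration (not code from the thread or from Cisco), a small Python lint for IOS-XR AAA snippets like the ones quoted above: it parses the `aaa` method lists and the per-`line` bindings, then flags method tokens that are not valid keywords (such as the `line!` queried above), server groups or lists that are referenced but never defined, and lists whose final method is `none`. The sample config is constructed from the thread's fragments; the parser only understands the `aaa group server tacacs+`, `aaa authentication/authorization` and `line` stanzas shown here.

```python
import re
# Constructed sample modelled on the thread's config (not from a real device).
SAMPLE = """\
aaa group server tacacs+ TACACS
aaa authorization exec default group TACACS local
aaa authorization commands default group TACACS none
aaa authentication login CONSOLE local line
aaa authentication login default group TACACS line!
line console
 login authentication CONSOLE
!
line default
 authorization exec default
 login authentication default
!
"""
VALID = {"local", "line", "enable", "none"}      # non-group method keywords
LIST_RE = re.compile(r"aaa (authentication login|authorization exec|authorization commands) (\S+) (.+)")
BIND_RE = re.compile(r"(login authentication|authorization exec|authorization commands) (\S+)")

def parse_aaa(cfg):  # -> (server groups, {(kind, name): methods}, [(line, kind, name)])
    groups, lists, bindings, ctx = set(), {}, [], None
    for ln in (l.strip() for l in cfg.splitlines()):
        if ln.startswith("aaa group server tacacs+ "):
            groups.add(ln.split()[-1])
        elif m := LIST_RE.match(ln):
            lists[(m.group(1), m.group(2))] = m.group(3).split()
        elif ln.startswith("line "):
            ctx = ln.split()[1]                  # entering 'line console' / 'line default'
        elif ctx and (m := BIND_RE.match(ln)):
            kind = "authentication login" if m.group(1) == "login authentication" else m.group(1)
            bindings.append((ctx, kind, m.group(2)))
    return groups, lists, bindings

def lint_aaa(cfg):  # report undefined groups/lists, bad tokens and 'none' fallbacks
    groups, lists, bindings = parse_aaa(cfg)
    findings = []
    for (kind, name), methods in lists.items():
        for i, t in enumerate(methods):
            if i and methods[i - 1] == "group":  # token after 'group' names a server group
                if t not in groups: findings.append(f"{kind} {name}: server group '{t}' is not defined")
            elif t != "group" and t not in VALID:
                findings.append(f"{kind} {name}: unknown method token '{t}'")
        if methods[-1] == "none":                # 'none' fallback = access if every server is unreachable
            findings.append(f"{kind} {name}: ends in 'none', so access is granted when every server is unreachable")
    for ctx, kind, name in bindings:
        if (kind, name) not in lists:
            findings.append(f"line {ctx}: references undefined {kind} list '{name}'")
    return findings
```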