  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 664

telnet to router with authentication via ACS

Hi,

Could you please tell me how I can configure a Cisco 2600 router and a Cisco 2900 switch to be authenticated by an ACS server when we try to telnet to the router or to the switch? That is, I need the username and password of the person who tries to telnet to the router to be authenticated via the ACS server.

Thanks for your help.
Asked by hanano
1 Solution
 
JFrederick29Commented:
You can use AAA with TACACS+ authentication/authorization:

For example:

aaa new-model <---enable AAA
aaa authentication login default group tacacs+ [none | enable | local] <---use TACACS+ for login authentication
tacacs-server host <tacacs server ip address> <---specify TACACS+ server to be used
tacacs-server key <key> <---specify the TACACS+ key (needs to match the key on the ACS server)

The [none | enable | local] is used if the TACACS server cannot be contacted, i.e. it's down and can't provide authentication.  Use none to allow login if the TACACS server is down, use enable to use the enable password to authenticate login if the TACACS server is down, and use local to use a local username/password on the device to authenticate if the TACACS server is down.
 
hananoAuthor Commented:
Hi,
Thank you for your reply.
I need to put only these commands:
aaa new-model
aaa authentication login default group tacacs+ [none | enable | local]
tacacs-server host <tacacs server ip address>
tacacs-server key <key> <---specify the TACACS+ key

So how should it be applied to the vty line?

Thanks again for your help.
 
JFrederick29Commented:
The "default" keyword in "aaa authentication login default group tacacs+" tells the router to use TACACS authentication for all logins not specifying a login group.  If you want only telnet to use AAA, use the following instead:

aaa new-model
aaa authentication login telnet group tacacs+ [none | enable | local]
tacacs-server host <tacacs server ip address>
tacacs-server key <key>

line vty 0 15
login authentication telnet
 
hananoAuthor Commented:
Hi,

Last question: do these commands apply to both the 2600 router and the 2900 switch?
Thanks.
 
JFrederick29Commented:
Yes, for sure on the 2600.  Is the 2900 switch a 2900XL switch or is it a 2950?  If it is a 2950, for sure, if a 2900XL, should be.
 
hananoAuthor Commented:
Hi,

It's a 2950 switch, so as you said it should be OK.

Thank you again.
I will not close the question just now and give you the points until I do the configuration; if I need any more help, the question will be open.

Thank you again.
 
JFrederick29Commented:
Sounds good.
 
hananoAuthor Commented:
Hi,

Sorry, but it's not working. When I telnet to the switch, after the username and password it gives me "authentication failed".
What should I do?

Thanks.
 
JFrederick29Commented:
Do you have the username and password setup on the ACS server?
 
hananoAuthor Commented:
Yes, I have. Any idea?
 
JFrederick29Commented:
Can you post your configuration? Edit out passwords.
 
hananoAuthor Commented:
Hi,

I got it working at last, but I added more commands than you gave me.
Still one more thing: I couldn't use my local authentication username/password in case the ACS server is not available. What should I do for that?

aaa new-model
aaa authentication login default local
aaa authorization exec local
aaa authorization network local
username poweruser privilege 15 password poweruser

aaa new-model

aaa authentication login default tacacs+
aaa authentication ppp default tacacs+

aaa authorization exec tacacs+
aaa authorization network tacacs+

aaa accounting network start-stop tacacs+
aaa accounting exec start-stop tacacs+

tacacs-server host X.X.X.X single
tacacs-server key xxxxx


aaa authentication login no_tacacs enable
line con 0
login authentication no_tacacs
line vty 0 15
login authentication default

Thanks for your help.
 
JFrederick29Commented:
Add local to the end of the AAA command:

aaa authentication login default tacacs+ local

Local username/password authentication will be used if the ACS server is unavailable.

 
hananoAuthor Commented:
Hi again,
Excuse me, but I added "aaa authentication login default tacacs+ local" to the configuration and I still can't telnet to the switch with the poweruser username and password. Should I do anything else?
 
JFrederick29Commented:
Did you try when the ACS server was down?  It will only use the poweruser username when the ACS server is unreachable (off the network, turned off).
 
hananoAuthor Commented:
Hi,

I removed "tacacs-server host X.X.X.X single"
from the configuration to try it, but when I telnet with the poweruser username I couldn't get in.
 
JFrederick29Commented:
Are you just testing to make sure local authentication works when the ACS server is down?

If so, put the tacacs-server host command back in and stop the ACS service on the server, then try connecting.
 
hananoAuthor Commented:
I did what you said but it's still not working.
Are my commands OK? Do I need to add new commands?
 
JFrederick29Commented:
The tacacs-server key matches the key on the ACS server, right?

You can enable aaa authentication and tacacs debugging to see what is happening...

debug aaa authentication
debug tacacs

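As an added example (not from the thread, and not a Cisco tool), the script below parses an IOS AAA login configuration like the one hanano posted, flags the two problems the answers point at (a method list defined twice, where IOS keeps the last definition, and a TACACS+ list with no local/enable fallback), and walks a method list the way IOS does. That walk shows why "tacacs+ local" still rejects the poweruser login while the ACS server is reachable and refusing the credentials, as JFrederick29 notes: the next method is consulted only after the server could not be reached, never after it said no. The sample configs, the server address 192.0.2.10 and the key are constructed placeholders.

```python
"""Audit an IOS AAA login configuration and simulate method-list evaluation.

Added example, not code from the thread. Assumes the IOS method-list rule:
methods are tried in order, and the NEXT method is consulted only when the
previous one returned ERROR (server unreachable), never after FAIL (rejected).
"""
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the config posted in the thread; the server
# address (192.0.2.10) and key are placeholders, not values from the page.
POSTED_CONFIG = """\
aaa new-model
aaa authentication login default local
aaa authorization exec local
username poweruser privilege 15 password poweruser
aaa authentication login default tacacs+
aaa authorization exec tacacs+
tacacs-server host 192.0.2.10 single-connection
tacacs-server key PLACEHOLDER_KEY
aaa authentication login no_tacacs enable
line con 0
 login authentication no_tacacs
line vty 0 15
 login authentication default
"""

# Same device with the accepted answer applied: one 'default' list, local fallback.
FIXED_CONFIG = POSTED_CONFIG.replace(
    "aaa authentication login default local\n", ""
).replace(
    "aaa authentication login default tacacs+\n",
    "aaa authentication login default group tacacs+ local\n",
)

METHOD_RE = re.compile(r"^aaa authentication login (\S+)\s+(.+)$")
LINE_RE = re.compile(r"^line (\S+.*)$")
LOGIN_RE = re.compile(r"^\s*login authentication (\S+)\s*$")
FALLBACK_METHODS = {"local", "local-case", "enable", "line"}


@dataclass
class AAAConfig:
    lists: dict = field(default_factory=dict)      # name -> [methods], last definition wins
    redefined: list = field(default_factory=list)  # names defined more than once
    line_refs: list = field(default_factory=list)  # (line spec, list name)
    tacacs_hosts: list = field(default_factory=list)
    tacacs_key: str = ""


def parse_config(text: str) -> AAAConfig:
    cfg, current_line = AAAConfig(), None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if m := METHOD_RE.match(raw):
            name = m.group(1)
            # "group tacacs+" (newer syntax) and bare "tacacs+" (older syntax) name the same method
            methods = [t for t in m.group(2).split() if t != "group"]
            if name in cfg.lists:
                cfg.redefined.append(name)
            cfg.lists[name] = methods
        elif m := LINE_RE.match(raw):
            current_line = "line " + m.group(1)
            continue  # keep the line section open for its sub-commands
        elif (m := LOGIN_RE.match(raw)) and current_line:
            cfg.line_refs.append((current_line, m.group(1)))
        elif raw.startswith("tacacs-server host "):
            cfg.tacacs_hosts.append(raw.split()[2])
        elif raw.startswith("tacacs-server key "):
            cfg.tacacs_key = raw.split(None, 2)[2]
        if not raw.startswith(" "):
            current_line = None  # an unindented command ends the line section
    return cfg


def audit(text: str) -> list:
    """Return findings as 'CODE: detail' strings; an empty list means nothing was flagged."""
    cfg, findings = parse_config(text), []
    for name in cfg.redefined:
        findings.append(f"REDEFINED: list '{name}' is defined more than once; IOS keeps the last: {cfg.lists[name]}")
    for name, methods in cfg.lists.items():
        uses_server = any(m not in FALLBACK_METHODS | {"none"} for m in methods)
        if uses_server and not any(m in FALLBACK_METHODS for m in methods) and "none" not in methods:
            findings.append(f"NO-FALLBACK: list '{name}' {methods} locks everyone out if the AAA server is unreachable")
        if "none" in methods:
            findings.append(f"NONE-FALLBACK: list '{name}' allows unauthenticated login whenever the server is unreachable")
        if "tacacs+" in methods and not cfg.tacacs_hosts:
            findings.append(f"NO-SERVER: list '{name}' uses tacacs+ but no tacacs-server host is configured")
        if "tacacs+" in methods and not cfg.tacacs_key:
            findings.append(f"NO-KEY: list '{name}' uses tacacs+ but no tacacs-server key is configured")
    for line, ref in cfg.line_refs:
        if ref not in cfg.lists:
            findings.append(f"UNDEFINED-LIST: {line} references '{ref}', which is not defined")
    return findings


def simulate_login(methods, outcomes):
    """Walk a method list as IOS does. outcomes maps method -> 'PASS', 'FAIL' or 'ERROR'
    (ERROR = server unreachable). Returns (result, deciding method); only ERROR moves on."""
    for m in methods:
        if m == "none":
            return "PASS", m
        verdict = outcomes.get(m, "ERROR")
        if verdict != "ERROR":
            return verdict, m
    return "FAIL", None  # every method errored: IOS denies the login


if __name__ == "__main__":
    for label, cfg_text in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {label} ==")
        for finding in audit(cfg_text) or ["no findings"]:
            print(" ", finding)
    # ACS reachable but rejecting poweruser: 'local' is never consulted
    print(simulate_login(["tacacs+", "local"], {"tacacs+": "FAIL", "local": "PASS"}))
    # ACS unreachable: 'local' decides
    print(simulate_login(["tacacs+", "local"], {"tacacs+": "ERROR", "local": "PASS"}))
```

Run it directly to print the findings for both sample configs and the two simulated logins. The parser accepts both the flattened paste in the thread (no indentation under "line vty 0 15") and real running-config indentation, so it can be pointed at a saved show running-config as-is.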