hanano (Bulgaria) asked:
telnet to router with authentication via ACS

Hi,

Could you please tell me how I can configure a Cisco 2600 router and a Cisco 2900 switch to be authenticated by an ACS server when we try to telnet to the router or to the switch? That is, I need the person who tries to telnet to the router to have his username and password authenticated via the ACS server.

Thanks for your help.
JFrederick29 (United States):

You can use AAA with TACACS+ authentication/authorization:

For example:

aaa new-model <---enable AAA
aaa authentication login default group tacacs+ [none | enable | local] <---use TACACS+ for login authentication
tacacs-server host <tacacs server ip address> <---specify TACACS+ server to be used
tacacs-server key <key> <---specify the TACACS+ key (needs to match the key on the ACS server)

The [none | enable | local] is used if the TACACS server cannot be contacted, i.e. it's down and can't provide authentication. Use none to allow login if the TACACS server is down, use enable to use the enable password to authenticate login if the TACACS server is down, and use local to use a local username/password on the device to authenticate if the TACACS server is down.
hanano (asker):

Hi,
Thank you for your reply.
I need to put in only these commands:
aaa new-model
aaa authentication login default group tacacs+ [none | enable | local]
tacacs-server host <tacacs server ip address>
tacacs-server key <key> <---specify the TACACS+ key

So how should it be applied to the vty line?

Thanks again for your help.
The "default" keyword in "aaa authentication login default group tacacs+" tells the router to use TACACS authentication for all logins not specifying a login group.  If you want only telnet to use AAA, use the following instead:

aaa new-model
aaa authentication login telnet group tacacs+ [none | enable | local]
tacacs-server host <tacacs server ip address>
tacacs-server key <key>

line vty 0 15
login authentication telnet
hanano (asker):

Hi,

Last question: do these commands apply to both the 2600 router and the 2900 switch?
Thanks
Yes, for sure on the 2600. Is the 2900 switch a 2900XL switch or is it a 2950? If it is a 2950, for sure; if a 2900XL, it should be.
hanano (asker):

Hi,

It's a 2950 switch, so as you said it should be OK.

Thank you again.
I will not close the question just now and give you the points until I do the configuration, so if I need any more help the question will still be open.

Thank you again.
Sounds good.
hanano (asker):

Hi,

Sorry, but it's not working. When I telnet to the switch, after the username and password it gives me "authentication failed".
What should I do?

Thanks
Do you have the username and password setup on the ACS server?
hanano (asker):

Yes, I have. Any idea?
Can you post your configuration, editing out the passwords?
hanano (asker):

Hi,

I got it working at last, but I added more commands than you gave me.
There is still one more thing: I couldn't use my local username/password in case the ACS server is not available. What should I do for that?

aaa new-model
aaa authentication login default local
aaa authorization exec local
aaa authorization network local
username poweruser privilege 15 password poweruser

aaa new-model

aaa authentication login default tacacs+
aaa authentication ppp default tacacs+

aaa authorization exec tacacs+
aaa authorization network tacacs+

aaa accounting network start-stop tacacs+
aaa accounting exec start-stop tacacs+

tacacs-server host X.X.X.X single
tacacs-server key xxxxx


aaa authentication login no_tacacs enable
line con 0
login authentication no_tacacs
line vty 0 15
login authentication default

Thanks for your help.
Add local to the end of the AAA command:

aaa authentication login default tacacs+ local

Local username/password authentication will be used if the ACS server is unavailable.


hanano (asker):

Hi again,
Excuse me, but I added "aaa authentication login default tacacs+ local" to the configuration and I still can't telnet to the switch with the poweruser username and password. Should I do anything else?
Did you try when the ACS server was down? It will only use the poweruser username when the ACS server is unreachable (off the network, turned off).
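The rule in the reply above (a later method in the list is consulted only when the earlier one cannot answer, never when it rejects the credentials) is what trips people up here. The following Python model is an added example and is not part of the original thread or of any Cisco code: it parses a constructed config modelled on the one posted (the addresses, key and passwords are made up), walks the vty login method list the way IOS does, and shows the three outcomes the thread runs into. The ACS server is stood in for by a dictionary (None meaning unreachable); `parse_config`, `run_method_list` and `telnet_login` are names chosen for this example.

```python
"""Model of how Cisco IOS walks an AAA login method list.

Added example (not from the original thread). IOS tries the methods of a
list in order and moves to the NEXT method only when the current one
returns ERROR (e.g. the TACACS+ server did not answer). A FAIL (server
answered and rejected the credentials) ends the attempt immediately, so a
trailing 'local' method is never consulted while ACS is reachable.
"""
import re

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

# Constructed sample config, modelled on the one posted in the thread
# (address, key and passwords are made up for the example).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login no_tacacs enable
username poweruser privilege 15 password poweruser
enable secret enablepw
tacacs-server host 10.0.0.5
tacacs-server key s3cret
line con 0
 login authentication no_tacacs
line vty 0 15
 login authentication default
"""

# The asker's original list: TACACS+ only, no fallback method.
NO_FALLBACK_CONFIG = SAMPLE_CONFIG.replace("group tacacs+ local", "tacacs+")

# Stand-in for the ACS user database; None means the server is unreachable.
ACS_UP = {"alice": "acspw"}


def parse_config(text):
    """Extract method lists, per-line list assignments, local users, enable secret."""
    lists, line_auth, users = {}, {}, {}
    enable = None
    current_line = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"aaa authentication login (\S+) (.+)", line)
        if m:
            # Older IOS accepted a bare 'tacacs+' (as in the posted config);
            # treat 'group tacacs+' and 'tacacs+' as the same method.
            lists[m.group(1)] = m.group(2).replace("group tacacs+", "tacacs+").split()
            continue
        m = re.match(r"username (\S+) (?:privilege \d+ )?(?:password|secret) (?:\d )?(\S+)", line)
        if m:
            users[m.group(1)] = m.group(2)
            continue
        m = re.match(r"enable (?:secret|password) (?:\d )?(\S+)", line)
        if m:
            enable = m.group(1)
            continue
        m = re.match(r"line (\S+)", line)
        if m:
            current_line = m.group(1)
            continue
        m = re.match(r"login authentication (\S+)", line)
        if m and current_line:
            line_auth[current_line] = m.group(1)
    return lists, line_auth, users, enable


def tacacs_authenticate(user, password, server):
    """Model the server's verdict: no answer -> ERROR, answer -> PASS/FAIL."""
    if server is None:
        return ERROR
    return PASS if server.get(user) == password else FAIL


def run_method_list(methods, user, password, server, users, enable):
    """Walk the list like IOS; return (verdict, method that decided it)."""
    for method in methods:
        if method == "tacacs+":
            result = tacacs_authenticate(user, password, server)
        elif method == "local":
            result = PASS if users.get(user) == password else FAIL
        elif method == "enable":
            result = PASS if enable is not None and password == enable else FAIL
        elif method == "none":
            result = PASS          # no authentication at all
        else:
            raise ValueError("unsupported method: " + method)
        if result != ERROR:
            return result, method  # PASS or FAIL stops the walk
    return FAIL, None              # every method errored: login denied


def telnet_login(config_text, user, password, server):
    """Authenticate a vty (telnet) login against the parsed config."""
    lists, line_auth, users, enable = parse_config(config_text)
    methods = lists[line_auth.get("vty", "default")]
    return run_method_list(methods, user, password, server, users, enable)


if __name__ == "__main__":
    print(telnet_login(SAMPLE_CONFIG, "alice", "acspw", ACS_UP))              # PASS via tacacs+
    print(telnet_login(SAMPLE_CONFIG, "poweruser", "poweruser", ACS_UP))      # FAIL: ACS rejects, local never tried
    print(telnet_login(SAMPLE_CONFIG, "poweruser", "poweruser", None))        # PASS via local (ACS down)
    print(telnet_login(NO_FALLBACK_CONFIG, "poweruser", "poweruser", None))   # FAIL: nothing left to try
```

Two practical points follow from the walk: a user the ACS rejects is denied even though a matching local account exists, so testing the fallback means taking the server off the network (or stopping the ACS service), exactly as suggested above; and a `none` fallback turns every ACS outage into an open door on the vty lines, so `local` with a strong local account is the safer choice.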
hanano (asker):

Hi,

I removed "tacacs-server host X.X.X.X single" from the configuration to try it, but when I telnet with the poweruser username I still couldn't get in.
Are you just testing to make sure local authentication works when the ACS server is down?

If so, put the tacacs-server host command back in and stop the ACS service on the server, then try connecting.
hanano (asker):

I did what you said, but it's still not working.
Are my commands OK? Do I need to add new commands?
ASKER CERTIFIED SOLUTION
JFrederick29 (United States):

This solution is only available to members.