Solved

telnet to router with authentication via ACS

Posted on 2004-10-15
637 Views
Last Modified: 2008-01-09
Hi,

Could you please tell me how I can configure a Cisco 2600 router and a Cisco 2900 switch to be authenticated by an ACS server when we try to telnet to the router or to the switch? That is, I need the username and password of the person who tries to telnet to the router to be authenticated via the ACS server.

Thanks for your help.
0
19 Comments
 
LVL 43

Expert Comment

by:JFrederick29
ID: 12318351
You can use AAA with TACACS+ authentication/authorization:

For example:

aaa new-model <---enable AAA
aaa authentication login default group tacacs+ [none | enable | local] <---use TACACS+ for login authentication
tacacs-server host <tacacs server ip address> <---specify TACACS+ server to be used
tacacs-server key <key> <---specify the TACACS+ key (needs to match the key on the ACS server)

The [none | enable | local] is used if the TACACS server cannot be contacted, i.e. it's down and can't provide authentication.  Use none to allow login if the TACACS server is down, use enable to use the enable password to authenticate login if the TACACS server is down, and use local to use a local username/password on the device to authenticate if the TACACS server is down.
0
 
LVL 2

Author Comment

by:hanano
ID: 12318471
Hi,
Thank you for your reply.
I need to put in only these commands:
aaa new-model
aaa authentication login default group tacacs+ [none | enable | local]
tacacs-server host <tacacs server ip address>
tacacs-server key <key> <---specify the TACACS+ key

So how should it be applied to the vty line?

Thanks again for your help.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 12318535
The "default" keyword in "aaa authentication login default group tacacs+" tells the router to use TACACS authentication for all logins not specifying a login group.  If you want only telnet to use AAA, use the following instead:

aaa new-model
aaa authentication login telnet group tacacs+ [none | enable | local]
tacacs-server host <tacacs server ip address>
tacacs-server key <key>

line vty 0 15
login authentication telnet
0
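A complete configuration assembled here as an added example, not the commands of either poster: it takes the named-list idea from the answer above and adds the pieces a practitioner would want on a box that is going to depend on ACS. The hostname, the server address 192.0.2.10, the method-list name CONSOLE, the username and every key or secret in angle brackets are placeholders. Two points the thread only reaches later are built in: all fallback methods for a list must sit on one line, because re-entering "aaa authentication login default ..." replaces the earlier line rather than adding to it; and the console line is kept on a purely local list so an ACS or key problem cannot lock you out of the device.

```cisco
! Added example: telnet login authenticated by ACS (TACACS+) with local fallback.
! 192.0.2.10, the key, the username and the secrets are placeholders.
hostname R2600
!
aaa new-model
!
! Login: ask ACS first; only if no ACS server answers, use the local username database.
! Do not use "none" here on a production device: it lets anyone log in with no
! credentials at all whenever the ACS server is unreachable.
aaa authentication login default group tacacs+ local
! Console stays on the local database regardless of ACS state.
aaa authentication login CONSOLE local
! Enable password: ACS first, then the local enable secret.
aaa authentication enable default group tacacs+ enable
! Privilege level for the exec session comes from ACS, or from the local
! username entry when ACS is unreachable.
aaa authorization exec default group tacacs+ local
! Record exec sessions and level-15 commands on the ACS server.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! Local fallback account and enable secret ("secret" stores a hash, "password" does not).
username poweruser privilege 15 secret <local-password>
enable secret <enable-secret>
!
! ACS server; the key must match the one entered for this client on the ACS side.
tacacs-server host 192.0.2.10
tacacs-server key <shared-key>
! Seconds to wait for ACS before declaring it unreachable and moving to "local".
tacacs-server timeout 5
!
line con 0
 login authentication CONSOLE
line vty 0 15
 login authentication default
 transport input telnet
```

The same lines apply on the 2950 switch, which is where the thread ends up. If the ACS server is reached through more than one interface, "ip tacacs source-interface" with the interface whose address is registered on ACS keeps the source address stable; it is left out above because the interface name differs between the router and the switch. Telnet carries the credentials in clear text, so if the IOS image on either box supports SSH, "transport input ssh" on the vty lines is the better choice.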
 
LVL 2

Author Comment

by:hanano
ID: 12319137
Hi,

Last question: do these commands apply to both the 2600 router and the 2900 switch?
Thanks
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 12319236
Yes, for sure on the 2600.  Is the 2900 switch a 2900XL switch or is it a 2950?  If it is a 2950, for sure; if a 2900XL, it should be.
0
 
LVL 2

Author Comment

by:hanano
ID: 12319964
Hi,

It's a 2950 switch, so as you said it should be OK.

Thank you again.
I will not close the question just now and give you the points until I have done the configuration, in case I need any more help; so the question will stay open.

Thank you again.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 12320276
Sounds good.
0
 
LVL 2

Author Comment

by:hanano
ID: 12327101
Hi,

Sorry, but it's not working. When I telnet to the switch, after the username and password it gives me "authentication failed".
What should I do?

Thanks
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 12330612
Do you have the username and password setup on the ACS server?
0
 
LVL 2

Author Comment

by:hanano
ID: 12331384
Yes, I have. Any idea?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 12337311
Can you post your configuration? Edit out the passwords.
0
 
LVL 2

Author Comment

by:hanano
ID: 12337860
Hi,

I got it working at least, but I added more commands than you gave me.
Still one more thing: I couldn't use my local authentication username/password in case the ACS server is not available. What should I do for that?

aaa new-model
aaa authentication login default local
aaa authorization exec local
aaa authorization network local
username poweruser privilege 15 password poweruser

aaa new-model

aaa authentication login default tacacs+
aaa authentication ppp default tacacs+

aaa authorization exec tacacs+
aaa authorization network tacacs+

aaa accounting network start-stop tacacs+
aaa accounting exec start-stop tacacs+

tacacs-server host X.X.X.X single
tacacs-server key xxxxx


aaa authentication login no_tacacs enable
line con 0
login authentication no_tacacs
line vty 0 15
login authentication default

thanks for your help
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 12337897
Add local to the end of the AAA command:

aaa authentication login default tacacs+ local

Local username/password authentication will be used if the ACS server is unavailable.


0
 
LVL 2

Author Comment

by:hanano
ID: 12338034
Hi again,
Excuse me, but I added "aaa authentication login default tacacs+ local" to the configuration and still I can't telnet to the switch with the poweruser username and password. Should I do anything else?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 12338281
Did you try when the ACS server was down?  It will only use the poweruser username when the ACS server is unreachable (off the network, turned off).
0
 
LVL 2

Author Comment

by:hanano
ID: 12338308
Hi,

I removed "tacacs-server host X.X.X.X single"
from the configuration to try it, but when I telnet with the poweruser username I couldn't get in.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 12338331
Are you just testing to make sure local authentication works when the ACS server is down?

If so, put the tacacs-server host command back in and stop the ACS service on the server, then try connecting.
0
 
LVL 2

Author Comment

by:hanano
ID: 12338687
I did what you said but it's still not working.
Are my commands OK? Do I need to add new commands?
0
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 250 total points
ID: 12338770
The tacacs-server key matches the key on the ACS server, right?

You can enable aaa authentication and tacacs debugging to see what is happening...

debug aaa authentication
debug tacacs

0
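As an added illustration of the troubleshooting step in the accepted answer (not commands from the answer itself), this is the check sequence you would run on the device before retrying the telnet login. The server address 192.0.2.10 and the account testuser/testpass are placeholders; the account must exist on the ACS server. Output is not reproduced because its exact wording depends on the IOS version.

```cisco
! Added example: confirm ACS reachability and the shared key from the device.
! 192.0.2.10 and testuser/testpass are placeholders.
enable
! 1. Is the server reachable at all, and what does IOS think of it?
ping 192.0.2.10
show tacacs
! 2. Authenticate a known ACS account against the tacacs+ group without opening
!    a telnet session. A pass here means server, port and key are all right;
!    a fail with a reachable server usually means a key mismatch or an account
!    the ACS group policy does not allow on this device.
test aaa group tacacs+ testuser testpass legacy
! 3. If that fails, watch the exchange while a second session retries telnet.
!    Timestamps let you line the debug up against the ACS failed-attempts log.
configure terminal
 service timestamps debug datetime msec
 exit
terminal monitor
debug aaa authentication
debug tacacs
! ... retry the telnet login from another host, read the debug, then stop it:
undebug all
```

In the debug, the distinction that matters is whether a reply comes back from 192.0.2.10 at all: no reply within the tacacs-server timeout means a reachability or port problem and the router will move on to the next method in the list, whereas a reply that is rejected points at the key or at the ACS-side account and group settings. Turn the debugs off when finished; "debug tacacs" writes the full exchange to the console and is not something to leave running.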
