Solved

telnet to router with authentication via ACS

Posted on 2004-10-15
628 Views
Last Modified: 2008-01-09
hi

Could you please tell me how I can configure a Cisco 2600 router and a Cisco 2900 switch to be authenticated by an ACS server when we try to telnet to the router or to the switch? That is, I need the username and password of the person who tries to telnet to the router to be authenticated via the ACS server.

thanks for your help
Question by: hanano
19 Comments

Expert Comment by: JFrederick29 (LVL 43)
You can use AAA with TACACS+ authentication/authorization:

For example:

aaa new-model <---enable AAA
aaa authentication login default group tacacs+ [none | enable | local] <---use TACACS+ for login authentication
tacacs-server host <tacacs server ip address> <---specify TACACS+ server to be used
tacacs-server key <key> <---specify the TACACS+ key (needs to match the key on the ACS server)

The [none | enable | local] is used if the TACACS server cannot be contacted, i.e., it's down and can't provide authentication.  Use none to allow login if the TACACS server is down, use enable to use the enable password to authenticate login if the TACACS server is down, and use local to use a local username/password on the device to authenticate if the TACACS server is down.
Author Comment by: hanano (LVL 2)
Hi,
thank you for your reply.
I need to put only these commands:
aaa new-model
aaa authentication login default group tacacs+ [none | enable | local]
tacacs-server host <tacacs server ip address>
tacacs-server key <key> <---specify the TACACS+ key

So how should it be applied to the vty line?

Thanks again for your help.
Expert Comment by: JFrederick29 (LVL 43)
The "default" keyword in "aaa authentication login default group tacacs+" tells the router to use TACACS authentication for all logins not specifying a login group.  If you want only telnet to use AAA, use the following instead:

aaa new-model
aaa authentication login telnet group tacacs+ [none | enable | local]
tacacs-server host <tacacs server ip address>
tacacs-server key <key>

line vty 0 15
login authentication telnet
Author Comment by: hanano (LVL 2)
Hi,

Last question: do these commands apply to both the 2600 router and the 2900 switch?
Thanks.
Expert Comment by: JFrederick29 (LVL 43)
Yes, for sure on the 2600.  Is the 2900 switch a 2900XL switch or is it a 2950?  If it is a 2950, for sure; if a 2900XL, it should be.
Author Comment by: hanano (LVL 2)
Hi,

It's a 2950 switch, so as you said it should be OK.

Thank you again.
I will not close the question just now and give you the points until I do the configuration; if I need any more help, the question will still be open.

Thank you again.
Expert Comment by: JFrederick29 (LVL 43)
Sounds good.
Author Comment by: hanano (LVL 2)
Hi,

Sorry, but it's not working. When I telnet to the switch, after the username and password it gives me "authentication failed".
What should I do?

Thanks.
Expert Comment by: JFrederick29 (LVL 43)
Do you have the username and password setup on the ACS server?
Author Comment by: hanano (LVL 2)
Yes, I have. Any idea?
Expert Comment by: JFrederick29 (LVL 43)
Can you post your configuration, editing out the passwords?
Author Comment by: hanano (LVL 2)
Hi,

I got it working at last, but I added more commands than you gave me.
Still one more thing: I couldn't use my local authentication username/password in case the ACS server is not available. What should I do for that?

aaa new-model
aaa authentication login default local
aaa authorization exec local
aaa authorization network local
username poweruser privilege 15 password poweruser

aaa new-model

aaa authentication login default tacacs+
aaa authentication ppp default tacacs+

aaa authorization exec tacacs+
aaa authorization network tacacs+

aaa accounting network start-stop tacacs+
aaa accounting exec start-stop tacacs+

tacacs-server host X.X.X.X single
tacacs-server key xxxxx


aaa authentication login no_tacacs enable
line con 0
login authentication no_tacacs
line vty 0 15
login authentication default

thanks for your help
Expert Comment by: JFrederick29 (LVL 43)
Add local to the end of the AAA command:

aaa authentication login default tacacs+ local

Local username/password authentication will be used if the ACS server is unavailable.


Author Comment by: hanano (LVL 2)
Hi again,
Excuse me, but I added "aaa authentication login default tacacs+ local" to the configuration and still I can't telnet to the switch with the poweruser username and password. Should I do anything else?
Expert Comment by: JFrederick29 (LVL 43)
Did you try when the ACS server was down?  It will only use the poweruser username when the ACS server is unreachable (off the network, turned off).
Author Comment by: hanano (LVL 2)
Hi,

I removed "tacacs-server host X.X.X.X single" from the configuration to try it, but when I telnet with the poweruser username, I couldn't.
Expert Comment by: JFrederick29 (LVL 43)
Are you just testing to make sure local authentication works when the ACS server is down?

If so, put the tacacs-server host command back in and stop the ACS service on the server, then try connecting.
Author Comment by: hanano (LVL 2)
I did what you said, but it's still not working.
Are my commands OK? Do I need to add new commands?
Accepted Solution by: JFrederick29 (LVL 43, earned 250 total points)
The tacacs-server key matches the key on the ACS server, right?

You can enable aaa authentication and tacacs debugging to see what is happening...

debug aaa authentication
debug tacacs

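To make the fallback behaviour described in the replies concrete (the trailing method such as local, enable or none is consulted only when TACACS+ gives no answer, never when a reachable ACS rejects the credentials), here is an added Python model of how IOS walks a login method list; it is not code from this thread or from Cisco, and the user names, passwords and enable secret in it are constructed.

```python
"""Illustrative model of IOS AAA login method-list evaluation (not IOS code)."""
PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"  # ERROR: the method could not answer at all

# Constructed sample data: one ACS user, the thread's local username, an enable secret.
ACS_USERS = {"alice": "acs-secret"}
LOCAL_USERS = {"poweruser": "poweruser"}
ENABLE_SECRET = "enable-secret"


def tacacs_method(acs_reachable):
    """'group tacacs+': ERROR when no server answers, otherwise the server's verdict."""
    def method(username, password):
        if not acs_reachable:
            return ERROR
        return PASS if ACS_USERS.get(username) == password else FAIL
    return method


def fallback_method(kind):
    """The optional trailing keyword from the first reply: none | enable | local."""
    def method(username, password):
        if kind == "none":
            return PASS  # no authentication at all
        if kind == "enable":
            return PASS if password == ENABLE_SECRET else FAIL
        return PASS if LOCAL_USERS.get(username) == password else FAIL  # local
    return method


def authenticate(method_list, username, password):
    """Walk the list in order: PASS accepts, FAIL rejects and stops, ERROR moves
    on to the next method. The trace is the kind of detail that
    'debug aaa authentication' shows on the device."""
    trace = []
    for name, method in method_list:
        result = method(username, password)
        trace.append(f"{name}: {result}")
        if result == PASS:
            return True, trace
        if result == FAIL:
            return False, trace  # a definitive reject never falls through
    return False, trace  # every method errored: login denied


def login(acs_reachable, username, password, fallback="local"):
    """Evaluate 'aaa authentication login default group tacacs+ <fallback>'."""
    method_list = [("group tacacs+", tacacs_method(acs_reachable))]
    if fallback:
        method_list.append((fallback, fallback_method(fallback)))
    return authenticate(method_list, username, password)
```

With the ACS reachable, the poweruser account is rejected by TACACS+ and the local entry is never consulted, which is exactly the symptom reported in the thread; only with the server unreachable does the trace show the fall-through to local.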