We help IT Professionals succeed at work.

Cisco tacacs question

techlinden
techlinden asked
on
131 Views
Last Modified: 2017-04-03
I'm configuring a router with our acs.  It's working fine but the fallback method is giving me a login as prompt.   I'm using the line password as fallback.   to test fallback i remove the ip address of the acs and it does work.  but i still get a login as prompt and i can basically put in anything as the username and use the password on the vty line and get in.   i would like to not see the login as prompt and just get a prompt for the password.  i'm probably missing something real simple.  

aaa authentication login default group tacacs+ line


line vty 0 4
 exec-timeout 15 0
 privilege level 15
 password 7 141419031E11267836
 transport input ssh
line vty 5 15
 exec-timeout 15 0
 privilege level 15
 password 7 141419031E11267836
Comment
Watch Question

Owner/Network Architect
CERTIFIED EXPERT
Commented:
Unlock this solution and get a sample of our free trial.
(No credit card required)
UNLOCK SOLUTION

Author

Commented:
thanks for the heads up about the pw.  didn't use any main pws.....also not internet facing.     how would i change the AAA authentication so only the line password is asked for instead of the username in the case of a failover?

Author

Commented:
what's a little weird is that other devices that are on tacacs before i got here have the same config.    I'm just adding some new devices to acs and using the config that's in the other devices.    the other devices when they've lost contact with acs have only prompted for the password that's configured on the vty line and not the username.


aaa authentication login default group tacacs+ line
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
Harold BowlinOwner/Network Architect
CERTIFIED EXPERT

Commented:
Correct, when they have lost contact however, have you tried it by removing the IP of the tacacs server?

Author

Commented:
yeah, just tried that.  what's weird if i lab it in gsn3 it works fine.  i just get the password prompt.   maybe the router just needs to be rebooted.   I'll also try adding another router to acs and see if the results are the same.

Author

Commented:
I figured it out.    apparently ssh doesn't allow logging in via just a password prompt.   going to change to failback local instead of line.

Gain unlimited access to on-demand training courses with an Experts Exchange subscription.

Get Access
Why Experts Exchange?

Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.

Jim Murphy
Programmer at Smart IT Solutions

When asked, what has been your best career decision?

Deciding to stick with EE.

Mohamed Asif
Technical Department Head

Being involved with EE helped me to grow personally and professionally.

Carl Webster
CTP, Sr Infrastructure Consultant
Empower Your Career
Did You Know?

We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE

Ask ANY Question

Connect with Certified Experts to gain insight and support on specific technology challenges including:

  • Troubleshooting
  • Research
  • Professional Opinions
Unlock the solution to this question.
Thanks for using Experts Exchange.

Please provide your email to receive a sample view!

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.