Cisco tacacs question

Asked by techlinden (United States):

I'm configuring a router with our ACS. It's working fine, but the fallback method is giving me a "login as" prompt. I'm using the line password as fallback. To test fallback I remove the IP address of the ACS, and it does work, but I still get a "login as" prompt and I can basically put in anything as the username and use the password on the VTY line and get in. I would like to not see the "login as" prompt and just get a prompt for the password. I'm probably missing something real simple.

! Login method list: try TACACS+ first; if no server answers, fall back to the line password.
! The "line" method checks only the password, so whatever username the SSH client sends is accepted.
aaa authentication login default group tacacs+ line

! VTY lines. The same "password 7" string is used on both ranges; type 7 is a reversible
! encoding (not a hash), so the plaintext is recoverable from this posted config.
line vty 0 4
 exec-timeout 15 0
 privilege level 15
 password 7 141419031E11267836
 transport input ssh
line vty 5 15
 exec-timeout 15 0
 privilege level 15
 password 7 141419031E11267836
Tags: Cisco, AAA, ip

ASKER CERTIFIED SOLUTION
Harold Bowlin (United States):
(Solution text is members-only and is not available on this page.)
techlinden (asker):

Thanks for the heads-up about the password. I didn't use any main passwords, and it's also not internet-facing. How would I change the AAA authentication so that only the line password is asked for, instead of the username, in the case of a failover?
techlinden (asker):

What's a little weird is that other devices that were on TACACS before I got here have the same config. I'm just adding some new devices to ACS and using the config that's in the other devices. The other devices, when they've lost contact with ACS, have only prompted for the password that's configured on the VTY line and not the username.


! Login: TACACS+ first, line password if the servers are unreachable.
aaa authentication login default group tacacs+ line
! Enable: TACACS+ first, then the locally configured enable secret.
aaa authentication enable default group tacacs+ enable
! Exec authorization: ask TACACS+; if unreachable, allow the exec shell with no authorization ("none").
aaa authorization exec default group tacacs+ none
! Accounting for exec sessions and privilege-15 commands (sent to TACACS+ only; nothing is kept when it is down).
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
Harold Bowlin:

Correct, when they have lost contact. However, have you tried it by removing the IP of the TACACS server?
techlinden (asker):

Yeah, just tried that. What's weird is that if I lab it in GNS3 it works fine; I just get the password prompt. Maybe the router just needs to be rebooted. I'll also try adding another router to ACS and see if the results are the same.
techlinden (asker):

I figured it out. Apparently SSH doesn't allow logging in via just a password prompt. I'm going to change to fallback "local" instead of "line".
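The fallback the asker settled on, written out as an added example (this is not config from any post on this page, and not from the asker's devices). It swaps the "line" method for "local" so that the username an SSH client always sends is checked against a real local account rather than ignored, and stores that account with "secret" instead of a reversible type 7 "password". The account name, the secrets, and the assumption that the existing "tacacs server" definition, SSH keys and "ip ssh" settings stay as they are, are all placeholders or assumptions; the authorization and accounting lines mirror the asker's own.

```cisco
! Added example, not the asker's config. Replace <strong-password> and <strong-enable-secret>;
! "admin" is a placeholder account name. Existing tacacs server / ssh settings are assumed present.
aaa new-model
!
! Emergency local account. "secret" stores a one-way hash; "password 7" would be reversible.
username admin privilege 15 secret <strong-password>
!
! Login: TACACS+ first, local user database second. IOS only falls through to "local" when the
! TACACS+ group returns an ERROR (no server reachable); a REJECT from ACS is final and is not retried locally.
aaa authentication login default group tacacs+ local
! Enable: TACACS+ first, then the enable secret below.
aaa authentication enable default group tacacs+ enable
! Same authorization/accounting as the asker's devices: nothing is enforced or recorded while ACS is down.
aaa authorization exec default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
enable secret <strong-enable-secret>
!
! One block for all VTYs, SSH only. No "password" line is needed: with the "local" method the
! line password is never consulted. "privilege level 15" is kept from the original config.
line vty 0 15
 exec-timeout 15 0
 privilege level 15
 transport input ssh
```

To verify the fallback without touching the running ACS entry, point the method list at a server that does not answer (for example by shutting the path to ACS, or temporarily configuring an unused address) and SSH in: the device should still show the username prompt supplied by the client, then ask for the password, and a username that does not exist locally must be rejected rather than let in on the line password. While ACS is reachable, "test aaa group tacacs+ admin <password> legacy" exercises the first method without opening a session. Note that the "none" in "aaa authorization exec ... none" and the TACACS+-only accounting mean that during an ACS outage an attacker who gets the local password obtains privilege 15 with no command record on the server; that is the same exposure the asker's original config already had, and is the reason the local account's secret should be strong and unique to this role.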