topic Re: How to eliminate a double login from acs? in Network Access Control

How to eliminate a double login from acs?

jawill47ec — Mon, 11 Mar 2019 00:44:59 GMT

Hello,

When using a cisco 2811 for terminal server connectivity, I am receiving tacacs login and password prompts twice:

1) First from the Cisco 2811 terminal server

2) Secondly from the console connected device which is also configured for tacacs.

Is it possible to eliminate the tacacs login and password prompt that is generated from the Cisco terminal server?

Re: How to eliminate a double login from acs?

andamani — Tue, 25 Jan 2011 06:34:27 GMT

hi,

Please share the configuration of the router.

you will have a configuration as follows or something similar:

aaa authentication login default group tacacs local.

Just put a "no " in front of this configuration. i.e. you need to do the following:

no aaa authentication login default group tacacs local.

this will disable the prompt of authentication on the router.

Hope this helps.

Regards,

Anisha

P.S.: please mark this post answered if you feel your query is answered.

Re: How to eliminate a double login from acs?

jawill47ec — Tue, 25 Jan 2011 13:30:09 GMT

Anisha,

Thanks for your post. Here are the aaa statements:

aaa new-model
aaa authentication login default group tacacs+ line enable

aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated

tacacs-server host 1.1.1.1

To add additional information;

1) I want to keep the tacacs authentication when connecting to the Cisco 2811 terminal server via vty.

2) I want to eliminate the tacacs authentication when using any async connection from the terminal server to a given Cisco device (router, switch, etc..)

(e.g. async 0/0/0 - 0/0/15). This is where I am experiencing a tacacs authentication in attempting a connection to another Cisco devices console port. I know the tacacs authentication is coming from the terminal server, because I have tested with Cisco switches that have no configuration on them.

thanks,

james

Re: How to eliminate a double login from acs?

andamani — Tue, 25 Jan 2011 13:57:00 GMT

Hi James,

Got it ...

Try this:

no aaa authentication login default group tacacs+ line enable

aaa authentication login TEST group tacacs+ line enable

line vty 0 4

line vty 5 15

Let me know how it goes.

Regards,

Anisha

P.S.: Please mark this thread as answered if you feel your query is answered.

Re: How to eliminate a double login from acs?

jawill47ec — Tue, 25 Jan 2011 17:03:38 GMT

Anisha,

Thanks again for your response. I performed the (2) actions from your post:

1) I removed the login default and replaced with login TEST

2) Updated line vty for 0 - 15 and applied login authentication test statement

No success. The same scenario is continuing. The tacacs login is still happening upon selecting any of the async lines (0/0/0 - 0/0/15).

thanks,

james

Re: How to eliminate a double login from acs?

andamani — Wed, 26 Jan 2011 02:22:45 GMT

Hi,

Sorry my bad.. the login authentication method-list is case sensitive.

Try

Let me know how it goes.

Regards,

Anisha

Re: How to eliminate a double login from acs?

jawill47ec — Wed, 26 Jan 2011 13:56:11 GMT

Anisha,

I used the same case for the method list. IOS gave a warning message when I attempted in using two different cases.

thanks,

james

Re: How to eliminate a double login from acs?

m.kafka — Fri, 28 Jan 2011 05:40:24 GMT

Hi James,

If I understood you correctly you have two authentication requests: one generated by the terminal server and the second from the console of the device connected to the async line.

My remote access days are long long gone but I remember a quite dirty hack...

try to ignore vty authentication and focus on the async lines

if i'm not mistaken the default setting for lines in "aaa new model" mode is "authentication login default" and is hidden from the config because it's the default. At least the documentation says so:

This command is a per-line command used with AAA that specifies the name of a list of AAA authentication methods to try at login. If no list is specified, the default list is used (whether or not it is specified in the command line).

Caution If you use a list-name value that was not configured with the aaa authentication login command, you will disable login on this line.

Entering the no version of login authentication has the same effect as entering the command with the default keyword.

Before issuing this command, create a list of authentication processes by using the global configuration aaa authentication login command.

even if you remove the aaa authentication list "default" it will not remove the aaa command from the async line. it is still there and hidden because it's default.

create a specific aaa authentication list for no aaa:

aaa authentication login NO_AAA none

and apply it to the async lines

line async 0/0/something

no exec

transport input telnet

if that doesn't help, what's the detailed debug aaa authentication output? which part is generating the aaa request based on what?

Hopefully that's a pointer... I have no router to test with

Rgds, MiKa

PS: if you are "desperate" give it a try with rotary groups, I'm not sure whether connections to rotary groups are governed by vty aaa settings, i couldn't find any reference to that in the documentation.

put the async 0/0/1 in rotary 1 and connect to port 3001

put the async 0/0/2 in rotary 2 and connect to port 3002 ect...

PPS: if you are in the mood for playing around, IOS has the feature to access async lines in a reverse telneet fashion also via ssh

Re: How to eliminate a double login from acs?

jawill47ec — Fri, 28 Jan 2011 21:30:06 GMT

Mika,

Thanks for the post. In trying the NO_AAA authentication list, it did not work. By adding the following;

aaa authentication login NO_AAA none

line 0/2/0 0/2/15
session-timeout 20
exec-timeout 45 0
login authentication NO_AAA
no exec
transport input telnet

I turned on AAA authentication debugging and continue to see the default list being used.

AAA/BIND(00000124): Bind i/f Async0/2/0

AAA/AUTHEN/LOGIN (00000124): Pick method list 'default'

Basically the NO_AAA authentication list is being ignored.

I haven't looked at your other 2 suggestions but will do so and post back.

thanks,

james

Re: How to eliminate a double login from acs?

m.kafka — Mon, 31 Jan 2011 11:23:03 GMT

Hi James,

I see the following:

 AAA/BIND(00000124): Bind i/f Async0/2/0
AAA/AUTHEN/LOGIN (00000124): Pick method list 'default'
Basically the NO_AAA authentication list is being ignored.

did you apply the config to the line or to the interface? Asyncs have a sort of "dualism": interface async and the corresponding line

and honestly, my async/remote access days are really long ago, but maybe you should apply the NO_AAA to the async?

rgds,

mika

Re: How to eliminate a double login from acs?

jawill47ec — Mon, 31 Jan 2011 13:35:36 GMT

Mika,

I applied the the NO_AAA list to the line. The async interface does not have an option for login.

All L options are:

l2-filter

llc2

load-interval

logging

loopback

The above is from IOS version 12.4. I also looked for AAA commands but didn't see any;

access-expression

arp

async (sub commands are default, dynamic and mode)

autodetect.

Thanks for the reply.

james

Re: How to eliminate a double login from acs?

m.kafka — Mon, 31 Jan 2011 14:46:32 GMT

james,

what is the exact configuration of the lines?

did you really enter:

line 0/2/0 0/2/15

according to what I remember and the command description it should be:

line [tty] [start] [end] where start and end are integer numbers. you can verify the correct line number with "show line"

what is your output for show run | begin line

i have the feeling that somehow your config didn't reach the correct line

Re: How to eliminate a double login from acs?

jawill47ec — Mon, 31 Jan 2011 15:18:39 GMT

Hello,

Got it. Applying the login for NO_AAA under the tty lines, 34 - 49 eliminated the login. Thank you for all your time and knowledge. I appreciate it.

thanks,

james

Re: How to eliminate a double login from acs?

m.kafka — Mon, 31 Jan 2011 21:06:01 GMT

glad to help

MiKa

Re: How to eliminate a double login from acs?

markyd68a — Tue, 30 Mar 2021 15:11:53 GMT

Yes this worked for me too on a 2600 Terminal Server I just built, the double logon was annoying but now solved ... many thanks to those on this thread!

aaa authentication login default local
aaa authentication login NO_AAA_TSR none

line 33 48
exec-timeout 0 0
login authentication NO_AAA_TSR
no exec
transport input telnet