https://community.cisco.com/t5/network-access-control/aaa-problem-via-terminal-server/m-p/4520590#M571788 <P>Hi</P><P>I have the following AAA config and this works fine with and without the TACACS server (Cisco ISE 2.6 Device Admin). My problem seems to be with the few devices we have connected to a terminal server. Can reach the target router through the terminal server and get the router&gt; prompt. Attempt to enter exec mode and no matter what password I use , tacacs, line, enable all are rejected as unauthorised. If I console directly onto the device I can enter the line and enable password and there is no issue. Any idea - I have attempted to debug TACACS and AAA authenticate and authorise but unable to see the issue. Tried comparing the ISE logs for direct and terminal server access and again nothing obvious.</P><P>&nbsp;</P><P>aaa new-model<BR />!<BR />!<BR />aaa group server tacacs+ TACACS_GROUP<BR />server name TACACS_SERVER_1<BR />ip vrf forwarding Mgmt-intf<BR />ip tacacs source-interface GigabitEthernet0<BR />!<BR />aaa authentication login default group TACACS_GROUP line<BR />aaa authentication login no_tacacs enable<BR />aaa authentication enable default group TACACS_GROUP enable<BR />aaa authorization exec default group TACACS_GROUP if-authenticated<BR />aaa authorization commands 1 default group TACACS_GROUP none<BR />aaa authorization commands 15 default group TACACS_GROUP none<BR />aaa accounting exec default start-stop group TACACS_GROUP<BR />aaa accounting commands 1 default start-stop group TACACS_GROUP<BR />aaa accounting commands 15 default start-stop group TACACS_GROUP<BR />aaa accounting connection default start-stop group TACACS_GROUP<BR />aaa accounting system default start-stop group TACACS_GROUP</P> Fri, 17 Dec 2021 15:12:49 GMT russell.sage 2021-12-17T15:12:49Z https://community.cisco.com/t5/network-access-control/aaa-problem-via-terminal-server/m-p/4520590#M571788 <P>Hi</P><P>I have the following AAA config and this works fine with and without the TACACS server (Cisco ISE 2.6 Device Admin). My problem seems to be with the few devices we have connected to a terminal server. Can reach the target router through the terminal server and get the router&gt; prompt. Attempt to enter exec mode and no matter what password I use , tacacs, line, enable all are rejected as unauthorised. If I console directly onto the device I can enter the line and enable password and there is no issue. Any idea - I have attempted to debug TACACS and AAA authenticate and authorise but unable to see the issue. Tried comparing the ISE logs for direct and terminal server access and again nothing obvious.</P><P>&nbsp;</P><P>aaa new-model<BR />!<BR />!<BR />aaa group server tacacs+ TACACS_GROUP<BR />server name TACACS_SERVER_1<BR />ip vrf forwarding Mgmt-intf<BR />ip tacacs source-interface GigabitEthernet0<BR />!<BR />aaa authentication login default group TACACS_GROUP line<BR />aaa authentication login no_tacacs enable<BR />aaa authentication enable default group TACACS_GROUP enable<BR />aaa authorization exec default group TACACS_GROUP if-authenticated<BR />aaa authorization commands 1 default group TACACS_GROUP none<BR />aaa authorization commands 15 default group TACACS_GROUP none<BR />aaa accounting exec default start-stop group TACACS_GROUP<BR />aaa accounting commands 1 default start-stop group TACACS_GROUP<BR />aaa accounting commands 15 default start-stop group TACACS_GROUP<BR />aaa accounting connection default start-stop group TACACS_GROUP<BR />aaa accounting system default start-stop group TACACS_GROUP</P> Fri, 17 Dec 2021 15:12:49 GMT https://community.cisco.com/t5/network-access-control/aaa-problem-via-terminal-server/m-p/4520590#M571788 russell.sage 2021-12-17T15:12:49Z https://community.cisco.com/t5/network-access-control/aaa-problem-via-terminal-server/m-p/4520773#M571796 <P>Interesting. I would also not expect any difference in behaviour between an async connection (reverse telnet to terminal server to reach the console port), or plugging directly into the console port.&nbsp; You are 100% sure you did a reverse telnet to the correct device? Async cables and their numbering can often be confusing (offset 2000 + line number)</P> <P>&nbsp;</P> <P>Have you configured anything on the line con 0?</P> <P>&nbsp;</P> <P>Can you share your:</P> <PRE>show run | section line</PRE> Fri, 17 Dec 2021 21:05:42 GMT https://community.cisco.com/t5/network-access-control/aaa-problem-via-terminal-server/m-p/4520773#M571796 Arne Bier 2021-12-17T21:05:42Z https://community.cisco.com/t5/network-access-control/aaa-problem-via-terminal-server/m-p/4526226#M572027 <P>Apologies for the delayed response. I was on leave</P><P>&nbsp;</P><P>line con 0<BR />exec-timeout 5 0<BR />password ********************************<BR />escape-character 3<BR />stopbits 1<BR />line aux 0<BR />stopbits 1<BR />line vty 0 4<BR />access-class Secured_Remote_Access in vrf-also<BR />exec-timeout 5 0<BR />password **************************************<BR />logging synchronous<BR />length 0<BR />transport input ssh<BR />escape-character 3<BR />line vty 5 15<BR />access-class Secured_Remote_Access in vrf-also<BR />exec-timeout 5 0<BR />password **************************************<BR />logging synchronous<BR />transport input all<BR />escape-character 3</P> Tue, 04 Jan 2022 08:04:54 GMT https://community.cisco.com/t5/network-access-control/aaa-problem-via-terminal-server/m-p/4526226#M572027 russell.sage 2022-01-04T08:04:54Z