
aaa authentication banner

andrew.burns
Level 1

I have configured both aaa authentication banner and aaa fail-message on a router running 12.1(15) - authentication is via ACS 3.0.2 which works great.

Problem - The authentication banner doesn't display (nothing does apart from "Username:" - not even "user access verification") but the fail-message does if you enter a wrong password. If I console in and disconnect the interface then both messages display fine.

Workaround - If I configure a "banner login" then it all works fine too but I can't work out why the "aaa authentication banner" doesn't display.

I suspect ACS is stopping the message from being displayed but I can't work out how - can anyone suggest a solution?

Many thanks!

As an aside, what does the "tacacs-server administration" command do? It doesn't seem to be documented and it has no effect on or off.

1 Accepted Solution

Accepted Solutions

gfullage
Cisco Employee

The banner command doesn't work if you're doing TACACS authentication; it will work if you're doing RADIUS/local/etc. This is by design, because with TACACS you can have the server send the banner and prompts down (although with ACS I don't think you can do it), and so if you have TACACS authentication configured the router ignores the banner command and waits to see if it gets one from the TACACS server itself. If it doesn't, it'll just display the usual prompts.

As for the "tacacs-server admin" command, I honestly have no idea, never seen anyone use it. The on-line help says "start tacacs daemon handling administrative messages", but what that really does I don't know, maybe someone else can help.
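The configuration the thread is discussing, written out as an added example (it is not configuration from the original posts or from Cisco documentation): a router authenticating logins against a TACACS+ server, with both AAA messages configured and the `banner login` workaround placed alongside them. The server address 192.0.2.10 and the shared key are placeholders, not values from the thread.

```cisco
! Added illustration; not configuration from the original thread.
! Server address and shared key below are placeholders.
aaa new-model
! TACACS+ first, local database as fallback so a server outage does not lock out admins
aaa authentication login default group tacacs+ local
tacacs-server host 192.0.2.10
tacacs-server key REPLACE-WITH-SHARED-SECRET
!
! Shown before the Username: prompt when the login method is RADIUS/local;
! per the accepted answer it is ignored when the method is TACACS+,
! because the router waits for a server-supplied banner instead.
aaa authentication banner #Authorized users only. Activity is monitored.#
!
! Shown after a failed login attempt regardless of method.
aaa authentication fail-message #Login failed.#
!
! Workaround from the thread: banner login is not subject to the TACACS+
! behaviour, so the access notice still appears at connect time.
banner login #Authorized users only. Activity is monitored.#
```

To check which notice actually appears, open a fresh vty session (telnet/SSH) rather than testing from the console, since the original poster saw different behaviour on a console session with the interface disconnected. Keeping the `banner login` in place guarantees the access notice is displayed even if the TACACS+ server never supplies one.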


3 Replies


Hmm... I think I remember using the "tacacs-server admin" command in Wholesale Dial environments for the Resource Management Protocol used between the RPMS server and the NAS for heartbeat and audit checks.

As I suspected - but I didn't realise it was by design - and I'm surprised that ACS can't handle the banners. But thanks for the quick response!