11-26-2002 04:02 AM - edited 02-21-2020 10:05 AM
I have configured both aaa authentication banner and aaa fail-message on a router running 12.1(15) - authentication is via ACS 3.0.2 which works great.
Problem - The authentication banner doesn't display (nothing does apart from "Username:" - not even "user access verification") but the fail-message does if you enter a wrong password. If I console in and disconnect the interface then both messages display fine.
Workaround - If I configure a "banner login" then it all works fine too but I can't work out why the "aaa authentication banner" doesn't display.
I suspect ACS is stopping the message from being displayed but I can't work out how - can anyone suggest a solution?
Many thanks!
As an aside, what does the "tacacs-server administration" command do? It doesn't seem to be documented and it has no effect on or off.
11-26-2002 02:48 PM
The banner command doesn't work if you're doing TACACS authentication; it will work if you're doing RADIUS/local/etc. This is by design, because with TACACS you can have the server send the banner and prompts down (although with ACS I don't think you can do it), and so if you have TACACS authentication configured the router ignores the banner command and waits to see if it gets one from the TACACS server itself. If it doesn't, it'll just display the usual prompts.
As for the "tacacs-server admin" command, I honestly have no idea, never seen anyone use it. The on-line help says "start tacacs daemon handling administrative messages", but what that really does I don't know, maybe someone else can help.
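The answer above says a TACACS+ server can send the banner and prompts itself. As an added illustration that is not part of the thread, here is a minimal Python parser for the TACACS+ authentication REPLY body (field layout per RFC 8907), where `server_msg` is the text the server supplies for display. The sample packets are constructed, the body is assumed to be already de-obfuscated, and the function names are hypothetical.

```python
import struct

# Authentication REPLY status codes and flag as defined in RFC 8907.
STATUS = {0x01: "PASS", 0x02: "FAIL", 0x03: "GETDATA", 0x04: "GETUSER",
          0x05: "GETPASS", 0x06: "RESTART", 0x07: "ERROR", 0x21: "FOLLOW"}
FLAG_NOECHO = 0x01  # client should not echo what the user types


def parse_authen_reply(body: bytes) -> dict:
    """Parse a de-obfuscated authentication REPLY body (hypothetical helper)."""
    if len(body) < 6:
        raise ValueError("REPLY body shorter than its 6-byte fixed part")
    # status(1) flags(1) server_msg_len(2) data_len(2), network byte order
    status, flags, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    if 6 + msg_len + data_len != len(body):
        raise ValueError("length fields do not match the body size")
    return {
        "status": STATUS.get(status, f"UNKNOWN(0x{status:02x})"),
        "noecho": bool(flags & FLAG_NOECHO),
        # Text chosen by the server for the client to show the user.
        "server_msg": body[6:6 + msg_len].decode("ascii", errors="replace"),
        "data": body[6 + msg_len:],
    }


def build_authen_reply(status: int, flags: int, server_msg: str,
                       data: bytes = b"") -> bytes:
    """Build a sample REPLY body for the demonstration (hypothetical helper)."""
    msg = server_msg.encode("ascii")
    return struct.pack("!BBHH", status, flags, len(msg), len(data)) + msg + data


# Constructed samples: a server that sends banner text with its username
# prompt, one that sends no text at all, and a password prompt with NOECHO.
WITH_BANNER = build_authen_reply(0x04, 0, "Authorized users only\r\nUsername: ")
WITHOUT_BANNER = build_authen_reply(0x04, 0, "")
PASSWORD_PROMPT = build_authen_reply(0x05, FLAG_NOECHO, "Password: ")

if __name__ == "__main__":
    for name, raw in (("with banner", WITH_BANNER),
                      ("without banner", WITHOUT_BANNER),
                      ("password prompt", PASSWORD_PROMPT)):
        reply = parse_authen_reply(raw)
        print(f"{name}: status={reply['status']} noecho={reply['noecho']} "
              f"server_msg={reply['server_msg']!r}")
```

An empty `server_msg` in the GETUSER reply is the case where the server supplies no banner or prompt text of its own.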
11-26-2002 03:20 PM
Hmm... I think I remember using the "tacacs-server admin" command in Wholesale Dial environments for the Resource Management Protocol used between the RPMS server and the NAS for heartbeat and audit checks.
11-27-2002 01:53 AM
As I suspected - but I didn't realise it was by design - and I'm surprised that ACS can't handle the banners. But thanks for the quick response!