
AAA configuration on switches 2960

carolinac
Level 1

Hi

I have introduced the following AAA configuration in the 2950 series switches and it works very well,

but when I do the same in 2960 switches, the local password does not work and it is obligatory to add the switch to the ACS to have management of the switch.

Is some additional AAA configuration needed in 2960 switches?

Thanks.

tacacs-server host y.y.y.y
tacacs-server key xxxxx
aaa new-model
aaa authentication login acceso-consola group tacacs+ line
aaa authentication login acceso-telnet group tacacs+ line
aaa authentication enable default group tacacs+ enable
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
line con 0
 exec-timeout 0 0
 login authentication acceso-consola
line vty 0 4
 login authentication acceso-telnet

16 Replies

craig.eyre
Level 1

Hi,

Are you saying the local password doesn't work while the ACS is UP? If so, it's designed to work that way to prevent local authentication while it's active.

If you are saying that the local password doesn't work when the ACS fails, it's because you used

aaa authentication login acceso-telnet group tacacs+ line

and your telnet lines show no password command entered in the config you posted.

HTH

Craig

Hi

The configuration has the password:

line vty 0 4
 password 1234
 login authentication acceso-telnet

but it doesn't work with the local passwords.

Get the debugs and that will let us know what is happening,

debug aaa authentication

debug tacacs

Regards,

~JG

Hi.

I have made the debug. See the attachments.

Maria

Perhaps some clarification of your environment might help us. In particular it would help to understand how you produce the "without ACS" environment.

Clearly the switch is still configured for ACS. And clearly there is connectivity from the switch to the ACS. And the ACS is responding to the authentication request from the switch. I am not sure what the errno 254 represents or what on the ACS server causes it. Perhaps you can help us understand that?

I had a situation at one point that may have been similar to your situation. Our devices were sending requests to ACS. But ACS was not able to communicate with the external DB because one of the services on ACS was not running. ACS responded with an error indicating unable to process. But the IOS devices were not interpreting that as an error that should send them to the backup authentication method.

If you are stopping something on the ACS server then I would suggest that a better test would be to break IP connectivity between the switch and the ACS so that the switch receives no response to its request, or to change the configured IP address for the server in the switch and point to some device not running ACS so that the switch receives a port unreachable response to its request. Those would give you a better test of "without ACS".

HTH

Rick


Hi

The problem is:

1. I have introduced the AAA configuration in the WS-C2960-24TT-L switches and the local password does not work. I do not have management of the switch.

2. If I add the switch to the ACS, it authenticates and it works well.

Recently I updated the version to 12.2(44)SE to enable SSH. Could this affect anything, or do I need some additional configuration?

Maria

If it works well when you add the switch to ACS then it seems to me to be obvious that the best solution is to add the switches to ACS.

HTH

Rick


Hi,

I would have to agree with Rick on this one. If you add the switch to the ACS and it works, that's the whole design behind the AAA/ACS process.

Before you add the switch to the ACS, what prompt do you get when you log in to the switch? Username then password prompts, or just a password prompt? Are you trying to telnet or console in, or both? Have you configured a local user on the switch with privilege 15?

If you could post the whole switch config minus passwords of course, we could have a look.

Other than that the config for AAA looks good and seems to be working properly when you add the switch to the ACS.

Craig

hi

My initial question is whether some special configuration is needed for 2960 switches so that they accept local passwords. That is what does not work. I do not get any prompt. I do not have management of the switch.

Maria

I have asked for some clarification about the environment which you have not yet provided. So it is difficult to have really good answers to your question. But it is obvious that you have an inconsistent environment and that is what is causing your problem. You have told the switches to use TACACS but you have not told the server to respond to the switches.

The solution to your problem is consistency. Either configure both the switches and the ACS server for authentication or remove the TACACS configuration from the switches. That is the special configuration that will solve your problem.

HTH

Rick


Hi

My problem is not with the ACS and TACACS. It works fine.

But suppose that the ACS fails. I must log in to the switches with local passwords, and if they do not work for me......?

The configuration that I am sending in the attachment is the same configuration I use in the 2900, 2950 and 2970 series switches, and in none of them do I have that problem, only with the 2960 switches.

I am sending the debug again.

thanks,

Maria

I would ask you to do a test with a 2950 which works as you want. Do the same kind of failure with the 2950 that you were doing with the 2960 and run the debugs and then post the output.

If we see that the 2950 also receives the response with errno 254 and that the 2950 does go ahead and use the line password, then we will know that there is some problem with the 2960.

HTH

Rick


Hi,

I logged in to a 2950SX-24 switch with local passwords without problems and ran the debug.

Maria

Thanks for running the test on the 2950 and posting the output. It shows, as I expected it would, that the ACS response to the 2950 is significantly different from its response to the 2960. And the significantly different response to the 2950 allows the 2950 to use the local password. If you get the same response to the 2960 it will also use the local password.

From the test results on the 2950, here is the essential output:

3d00h: TAC+: received bad AUTHEN packet: type = 0, expected 1

3d00h: TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys).

And from the 2960 here is the equivalent output:

Oct 3 11:16:07: TPLUS(00000003)/0/READ: errno 254

It looks to me like either you have configured something significantly differently in ACS for the 2960 than you did for the 2950 or that the way that you create the error is significantly different on the 2960 than it is on the 2950.

In any case it is the different response from ACS that prevents the 2960 from using the local password. If the ACS returns the same message to the 2960 as it does to the 2950 then I believe that the 2960 will use the local password.

HTH

Rick
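Added example (not from the thread or from Cisco): a small model of how an IOS login method list such as `aaa authentication login acceso-telnet group tacacs+ line` is walked, illustrating both Craig's point (a `line` method needs a `password` on the line) and Rick's point (IOS moves to the next method only when TACACS+ returns an error such as no response; a reply it treats as a definitive reject ends the list). The server behaviours are constructed, not taken from the posted debugs.

```python
"""Model of IOS AAA method-list fallback (added example, not Cisco code).

A method that cannot decide (server unreachable, timeout, bad packet/key)
returns ERROR and IOS tries the next method.  A definitive FAIL (an explicit
reject, or a server reply IOS treats as a reject) ends the list and denies.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, List, Optional, Tuple


class Result(Enum):
    PASS = "PASS"    # credentials accepted
    FAIL = "FAIL"    # definitive reject: stop the list, deny access
    ERROR = "ERROR"  # method could not answer: fall through to next method


@dataclass
class Line:
    """A vty or console line: its 'password' and its login method list."""
    password: Optional[str]
    methods: List[str]


def line_method(line: Line, supplied: str) -> Result:
    # A 'line' method on a line with no 'password' configured cannot decide
    # anything, so it behaves like an error, not like a pass.
    if line.password is None:
        return Result.ERROR
    return Result.PASS if supplied == line.password else Result.FAIL


def authenticate(line: Line, supplied: str,
                 tacacs: Callable[[str], Result]) -> Tuple[Result, List[str]]:
    """Walk the method list; return the outcome and the methods consulted."""
    consulted: List[str] = []
    for method in line.methods:
        consulted.append(method)
        if method == "group tacacs+":
            result = tacacs(supplied)
        elif method == "line":
            result = line_method(line, supplied)
        else:
            raise ValueError(f"unsupported method {method!r}")
        if result is not Result.ERROR:      # PASS or FAIL is final
            return result, consulted
    # Every method errored: IOS fails closed and denies the login.
    return Result.FAIL, consulted


# Constructed TACACS+ server behaviours (hypothetical, for the scenarios above).
acs_unreachable = lambda pw: Result.ERROR   # no response / port unreachable
acs_definitive = lambda pw: Result.FAIL     # a reply IOS treats as a reject
```

Running `authenticate(Line("1234", ["group tacacs+", "line"]), "1234", acs_unreachable)` reaches the line password, while the same call with `acs_definitive` stops after the TACACS+ method and denies.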
