10-17-2008 09:21 AM - edited 03-10-2019 04:08 PM
I want to authenticate telnet connections with TACACS+.
These are my router configuration settings:
aaa new-model
aaa authentication login telnetssh group tacacs+ enable local
!
aaa session-id common
tacacs-server host 10.10.10.5
tacacs-server host 10.10.10.6
tacacs-server directed-request
tacacs-server key superclave
line vty 0 4
password CISCO
logging synchronous
login authentication telnetssh
transport input ssh
!
no cns aaa enable
The configuration in ACS 4.1 is very simple; I just set the following:
===================
USER SETUP:
User: PRUEBA
User Setup:
Password Authentication -> ACS Internal Database
PAP password/password
Group to which the user is assigned -> Grupo 1
Callback -> User group setting
Client IP Address Assignment -> Use group setting
Account Disable -> Never
Advanced TACACS+ Settings
TACACS+ Enable Control: -> Use Group Level Setting
TACACS+ Enable Password -> Use CiscoSecure PAP password
======================
GROUP SETUP:
Group Setup: Grupo 1
All default, except:
TACACS+Settings
Choice: Shell (exec)
Shell Command Authorization Set -> None
======================
In Network Configuration, create a new AAA client:
AAA client IP Address -> "ip_router"
Shared Secret superclave
Authenticate Using -> TACACS+ (Cisco IOS)
================
It doesn't work. What may be happening? Missing settings in the ACS?
10-17-2008 09:44 AM
Susana
My first guess at the problem is that the address used in ACS for the client does not match the source address used by the device when it sends the authentication request. If that is the case then you can use the command ip tacacs source-interface to specify the address on the device that matches the configuration of ACS. The best way to check on this is to look in ACS at the failed attempts report. If you check the failed attempts report do you see the attempts from this device? If so the report will indicate what the error is.
HTH
Rick
10-20-2008 05:01 AM
Yes, as suggested by Rick, please issue the ip tacacs source-interface command. This command is required for a layer 3 device.
Even if you don't see any hits in the ACS failed attempts report, issue this command anyway. Sometimes ACS does not log any message in failed attempts.
Regards,
~JG
Do rate helpful posts
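As an added example that is not code from any post in this thread: a small Python audit that reads an IOS running-config and flags the pitfalls the question and both replies touch on (no ip tacacs source-interface, a source address that does not match the ACS client entry, a tacacs-server key that differs from the ACS shared secret, vty lines not applying the TACACS+ list, and a list with no enable/local fallback). The two interfaces, the Loopback0 address and the ACS-side values are constructed assumptions; the AAA and vty lines are Susana's from the question.

```python
"""Audit an IOS running-config for the TACACS+ login pitfalls discussed above.

Added example, not code from the thread. Interface addresses and the ACS-side
values are constructed assumptions; the AAA and vty lines are from the question.
"""
import re

# Constructed sample: the question's AAA/vty lines plus two assumed interfaces.
SAMPLE_CONFIG = """\
interface Loopback0
 ip address 10.10.10.1 255.255.255.255
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
aaa new-model
aaa authentication login telnetssh group tacacs+ enable local
tacacs-server host 10.10.10.5
tacacs-server host 10.10.10.6
tacacs-server key superclave
line vty 0 4
 password CISCO
 login authentication telnetssh
 transport input ssh
"""


def parse_interfaces(config):
    """Map interface name -> IPv4 address from 'interface X' stanzas."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):
            m = re.match(r"interface (\S+)", line)
            current = m.group(1) if m else None  # leave any non-interface stanza
            continue
        m = re.match(r"\s+ip address (\S+) \S+", line)
        if m and current:
            interfaces[current] = m.group(1)
    return interfaces


def vty_login_lists(config):
    """Return the 'login authentication' lists applied under 'line vty' stanzas."""
    applied, in_vty = [], False
    for line in config.splitlines():
        if not line.startswith(" "):
            in_vty = line.startswith("line vty")
            continue
        m = re.match(r"\s+login authentication (\S+)", line)
        if in_vty and m:
            applied.append(m.group(1))
    return applied


def audit_tacacs(config, acs_client_ip, acs_shared_secret):
    """Return (code, message) findings; an empty list means no pitfall was found."""
    findings = []
    if not re.search(r"^aaa new-model$", config, re.M):
        findings.append(("no-aaa-new-model", "aaa new-model is absent; named login lists are ignored"))

    # Named login lists and the methods they try, in order.
    login_lists = {m.group(1): m.group(2).split()
                   for m in re.finditer(r"^aaa authentication login (\S+) (.+)$", config, re.M)}
    if not any("tacacs+" in methods for methods in login_lists.values()):
        findings.append(("no-tacacs-login-list", "no login list uses 'group tacacs+'"))
    for name, methods in login_lists.items():
        if "tacacs+" in methods and methods[-1] not in ("enable", "local", "line"):
            findings.append(("no-fallback", f"list {name} has no enable/local fallback if ACS is unreachable"))

    # The vty lines must reference a defined list (or a 'default' list must exist).
    applied = vty_login_lists(config)
    if not applied and "default" not in login_lists:
        findings.append(("vty-no-list", "vty lines apply no login list and no 'default' list is defined"))
    for name in applied:
        if name not in login_lists:
            findings.append(("vty-unknown-list", f"vty references undefined list {name}"))

    # Shared secret: compare cleartext keys; a type-7 key cannot be compared here.
    for enc, key in re.findall(r"^tacacs-server key(?: ([07]))? (\S+)", config, re.M):
        if enc == "7":
            findings.append(("key-encrypted", "tacacs-server key is type 7; verify it out of band"))
        elif key != acs_shared_secret:
            findings.append(("key-mismatch", "tacacs-server key differs from the ACS shared secret"))

    # Source address (Rick's and JG's point): without a pinned source interface the
    # request leaves with the egress interface's address, which ACS may not have.
    src = re.search(r"^ip tacacs source-interface (\S+)", config, re.M)
    if not src:
        findings.append(("no-source-interface",
                         f"ip tacacs source-interface not set; ACS client entry {acs_client_ip} may not match"))
    else:
        src_ip = parse_interfaces(config).get(src.group(1))
        if src_ip is None:
            findings.append(("source-interface-unknown", f"{src.group(1)} has no IPv4 address in this config"))
        elif src_ip != acs_client_ip:
            findings.append(("source-ip-mismatch", f"source {src_ip} != ACS client entry {acs_client_ip}"))
    return findings


if __name__ == "__main__":
    # Assumed ACS client entry 10.10.10.1 (Loopback0) with shared secret superclave.
    for code, msg in audit_tacacs(SAMPLE_CONFIG, "10.10.10.1", "superclave"):
        print(f"{code}: {msg}")
```

Run against the question's config with an assumed ACS client entry of 10.10.10.1, the only finding is no-source-interface; appending ip tacacs source-interface Loopback0 clears it, while pointing the ACS entry at the other interface address or changing the secret produces the mismatch findings instead. Paste a real show running-config in place of SAMPLE_CONFIG and the ACS client values to check a live device.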