Dial out Utility and AAA

jay_colby
Level 1

I have users using the Cisco dial out utility to access other devices around the world. I do not want the dialout users to be authenticated. But I want to manage my as5xxx with my TACACS server. What I am seeing (I have not implemented aaa) is that when I have an access class on line vty 0 4, I have to add the dialout users' networks. Will my dialout users be authenticated to my TACACS? I would have thought not, since you telnet to a port number. What do you guys think?

1 Reply

Richard Burts
Hall of Fame

When you configure aaa it establishes a default authentication for anyone who is logging into the router. You can establish additional authentication methods to supplement this.

If you do want users who connect to vty (and perhaps console) to be authenticated via TACACS and want other users to not be authenticated then I would suggest that you configure the default method to be none and configure an additional method to use TACACS and assign it to the vty (and console if you want).

The config would look something like this:

    aaa new-model
    aaa authentication login default none
    aaa authentication login vtyauth group tacacs+ line
    aaa authentication enable default group tacacs+ enable
    line console 0
     login authentication vtyauth
    line vty 0 4
     login authentication vtyauth

Some details may vary depending on the IOS version that you are running.

I have used an approach like this at a customer site and it works well for us. I hope it works as well for you.

HTH

Rick
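With the default login list set to none, every line that does not name its own list accepts logins without a credential check, so it is worth confirming that only the intended lines fall through to it. The Python sketch below is an added example, not part of the original reply: it resolves the effective login method list per line block. The `line aux 0` and `line vty 5 15` blocks and all function names are assumptions made for illustration.

```python
import re

# Constructed sample: the reply's configuration, plus "line aux 0" and
# "line vty 5 15" blocks added here as assumptions to show the fall-through.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default none
aaa authentication login vtyauth group tacacs+ line
aaa authentication enable default group tacacs+ enable
line console 0
 login authentication vtyauth
line aux 0
line vty 0 4
 login authentication vtyauth
line vty 5 15
"""

def login_method_lists(config):
    """Map each 'aaa authentication login' list name to its method tokens."""
    return {m.group(1): m.group(2).split() for m in
            re.finditer(r"^aaa authentication login (\S+) (.+)$", config, re.M)}

def effective_login_auth(config):
    """Return {line block: (list name, method tokens)} under aaa new-model."""
    lists, applied, current = login_method_lists(config), {}, None
    for raw in config.splitlines():
        text = raw.strip()
        if not text:
            continue
        if text.startswith("line "):
            current = text
            applied[current] = "default"   # used unless the line names a list
        elif current and text.startswith("login authentication "):
            applied[current] = text.split()[2]
        elif not raw.startswith(" "):
            current = None                  # back at global configuration level
    # An undefined list name yields an empty method list here.
    return {ln: (name, lists.get(name, [])) for ln, name in applied.items()}

def unauthenticated_lines(config):
    """Line blocks whose first login method is 'none' (no credential check)."""
    auth = effective_login_auth(config)
    return sorted(ln for ln, (_, methods) in auth.items() if methods[:1] == ["none"])

if __name__ == "__main__":
    for ln, (name, methods) in effective_login_auth(SAMPLE_CONFIG).items():
        print(f"{ln:<15} list={name:<8} methods={' '.join(methods)}")
    print("login without authentication:", unauthenticated_lines(SAMPLE_CONFIG))
```

On the constructed sample, console 0 and vty 0 4 resolve to vtyauth, while aux 0 and vty 5 15 inherit the default list and are reported.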
