08-01-2013 09:58 AM - edited 03-10-2019 08:43 PM
Hi,
This is my first time at the forum!
I'm studying for the CCNA Security certification, trying to implement the Role-based lab. I have successfully activated AAA authentication running ACS, but I would like to disable TACACS authentication for ENABLE VIEW mode. I read that the command "aaa authentication login default local" should enable local authentication when the TACACS group is NOT specified, but it is still trying to authenticate with TACACS.
Attached is a show run. Here is the basic configuration:
Router# aaa new-model
Router# tacacs-server host 192.168.6.16 single-connection
Router# tacacs-server key cisco
Router# aaa authentication login TACACS-AUTH group tacacs+ local
Router# aaa authentication login default local
Router# enable view
Router# conf t
Router# parser view SHOWMODE
Router# secret cisco
Router# commands exec include all show
Debugs:
ADSL-CubeCUCM#enable view
Password:
000032: Aug 1 16:57:14.454: AAA/AUTHEN/VIEW (00000004): Pick method list 'TACACS-AUTH'
% Authentication failed
ADSL-CubeCUCM#enable view SHOWMODE
Password:
000033: Aug 1 16:57:37.654: AAA/AUTHEN/VIEW (00000004): Pick method list 'TACACS-AUTH'
% Authentication failed
Regards
Please remember to rate useful posts clicking on the stars below.
Please rate all useful answers by clicking on the stars below.
___________________________________________
LinkedIn Profile: do.linkedin.com/in/leosalcie
08-02-2013 05:51 AM
Any help?
08-02-2013 06:16 AM
The default group is tacacs+ and it's there.
TACACS-AUTH is called a method list and that is being called in line vty 0 4; that's the only reason it is still going to tacacs. If you want to point it towards the local database, remove the command from line vty 0 4:
aaa authentication login TACACS-AUTH group tacacs+ local
line con 0
password leoleo
line aux 0
line vty 0 4
password leoleo
no login authentication TACACS-AUTH
exit
~BR
Jatin Katyal
**Do rate helpful posts**
08-02-2013 09:26 AM
Hi Jatin,
That command will disable the Line VTY authentication with ACS; I don't want that. I just want to disable the Enable View authentication with ACS for local authentication.
08-02-2013 09:59 AM
Yeah, it seems you're enabling view from line vty (telnet/ssh), so this will surely hit the tacacs server as per your configuration.
Let's try to enable view from console.
You may also go through this:
https://supportforums.cisco.com/docs/DOC-15765
~BR
Jatin Katyal
**Do rate helpful posts**
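Added example (not part of the original posts and not Cisco tooling): a short Python script that resolves which login method list each line uses in a running-config, on the assumption stated in the replies above that `enable view` follows the method list bound to the line the session arrived on. The sample config is constructed from the lines quoted in the thread, and the function names are hypothetical.

```python
import re

# Constructed sample, modelled on the configuration lines quoted in the thread.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login TACACS-AUTH group tacacs+ local
aaa authentication login default local
line con 0
 password leoleo
line aux 0
line vty 0 4
 password leoleo
 login authentication TACACS-AUTH
"""

def parse_method_lists(config):
    """Map each 'aaa authentication login <name>' list to its ordered methods."""
    lists = {}
    for m in re.finditer(r"^aaa authentication login (\S+) (.+)$", config, re.M):
        # 'group tacacs+' is a single method, so keep it as one token.
        lists[m.group(1)] = re.findall(r"group \S+|\S+", m.group(2))
    return lists

def parse_line_bindings(config):
    """Map each line (con/aux/vty) to its login method list; 'default' if unset."""
    bindings, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[len("line "):].strip()
            bindings[current] = "default"
        elif not raw.startswith(" "):
            current = None  # back at global config level
        elif current:
            m = re.match(r"\s+login authentication (\S+)", raw)
            if m:
                bindings[current] = m.group(1)
    return bindings

def effective_methods(config):
    """Resolve, per line, the method list name and the methods tried in order."""
    lists = parse_method_lists(config)
    return {line: (name, lists.get(name, []))
            for line, name in parse_line_bindings(config).items()}

if __name__ == "__main__":
    for line, (name, methods) in effective_methods(SAMPLE_CONFIG).items():
        print(f"line {line:8} -> {name:12} {' then '.join(methods) or '(undefined)'}")
```

On the sample, the vty lines resolve to TACACS-AUTH (TACACS+ first, then local) while console and aux fall back to the default list (local only), which matches the method list named in the debug output.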