6385 Views, 5 Helpful, 14 Replies

How to eliminate a double login from acs?

jawill47ec
Level 1

Hello,

When using a cisco 2811 for terminal server connectivity, I am receiving tacacs login and password prompts twice:

   1) First from the Cisco 2811 terminal server

   2) Secondly from the console connected device which is also configured for tacacs.

Is it possible to eliminate the tacacs login and password prompt that is generated from the Cisco terminal server?

1 Accepted Solution: the reply from m.kafka below about checking the absolute line numbers with "show line" (repeated there in full).

14 Replies

andamani
Cisco Employee

hi,

Please share the configuration of the router.

you will have a configuration as follows or something similar:

aaa authentication login default group tacacs+ local

Just put a "no" in front of this configuration, i.e. you need to do the following:

no aaa authentication login default group tacacs+ local

this will disable the prompt of authentication on the router.

Hope this helps.

Regards,

Anisha

P.S.: please mark this post answered if you feel your query is answered.

Anisha,

Thanks for your post.  Here are the aaa statements:

aaa new-model
aaa authentication login default group tacacs+ line enable

aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated

tacacs-server host 1.1.1.1

To add additional information;

1) I want to keep the tacacs authentication when connecting to the Cisco 2811 terminal server via vty.

2) I want to eliminate the tacacs authentication when using any async connection from the terminal server to a given Cisco device (router, switch, etc.)

      (e.g. async 0/0/0 - 0/0/15). This is where I am experiencing a tacacs authentication in attempting a connection to another Cisco device's console port. I know the tacacs authentication is coming from the terminal server, because I have tested with Cisco switches that have no configuration on them.

thanks,

james

Hi James,

Got it ...

Try this:

no aaa authentication login default group tacacs+ line enable

aaa authentication login TEST group tacacs+ line enable

line vty 0 4

     login authentication test

line vty 5 15

     login authentication test

Let me know how it goes.

Regards,

Anisha

P.S.: Please mark this thread as answered if you feel your query is answered.

Anisha,

Thanks again for your response.  I performed the (2) actions from your post:

  1) I removed the login default and replaced with login TEST

  2) Updated line vty for 0 - 15 and applied login authentication test statement

No success.  The same scenario is continuing.  The tacacs login is still happening upon selecting any of the async lines (0/0/0 - 0/0/15).

thanks,

james

Hi,

Sorry, my bad... the login authentication method list is case-sensitive.

Try

login authentication TEST instead of login authentication test

Let me know how it goes.

Regards,

Anisha

Anisha,

I used the same case for the method list. IOS gave a warning message when I attempted to use two different cases.

thanks,

james

m.kafka
Level 4

Hi James,

If I understood you correctly you have two authentication requests: one generated by the terminal server and the second from the console of the device connected to the async line.

My remote access days are long long gone but I remember a quite dirty hack...

try to ignore vty authentication and focus on the async lines

if i'm not mistaken the default setting for lines in "aaa new-model" mode is "authentication login default" and is hidden from the config because it's the default. At least the documentation says so:

This command is a per-line command used with AAA that specifies the name of a list of AAA authentication methods to try at login. If no list is specified, the default list is used (whether or not it is specified in the command line).


Caution: If you use a list-name value that was not configured with the aaa authentication login command, you will disable login on this line.

Entering the no version of login authentication has the same effect as entering the command with the default keyword.

Before issuing this command, create a list of authentication processes by using the global configuration aaa authentication login command.

even if you remove the aaa authentication list "default" it will not remove the aaa command from the async line. it is still there and hidden because it's default.

create a specific aaa authentication list for no aaa:

aaa authentication login NO_AAA none

and apply it to the async lines

line async 0/0/something

  login authentication NO_AAA

  no exec

  transport input telnet

if that doesn't help, what's the detailed debug aaa authentication output? which part is generating the aaa request based on what?

Hopefully that's a pointer... I have no router to test with

Rgds, MiKa

PS: if you are "desperate" give it a try with rotary groups, I'm not sure whether connections to rotary groups are governed by vty aaa settings, i couldn't find any reference to that in the documentation.

put the async 0/0/1 in rotary 1 and connect to port 3001

put the async 0/0/2 in rotary 2 and connect to port 3002, etc.

PPS: if you are in the mood for playing around, IOS has the feature to access async lines in a reverse telnet fashion also via ssh

Mika,

Thanks for the post. In trying the NO_AAA authentication list, it did not work. I added the following:

aaa authentication login NO_AAA none

line 0/2/0 0/2/15
session-timeout 20
exec-timeout 45 0
login authentication NO_AAA
no exec
transport input telnet

I turned on AAA authentication debugging and continue to see the default list being used. 

AAA/BIND(00000124): Bind i/f Async0/2/0

AAA/AUTHEN/LOGIN (00000124): Pick method list 'default'

Basically the NO_AAA authentication list is being ignored.

I haven't looked at your other 2 suggestions but will do so and post back.

thanks,

james

Hi James,

I see the following:


AAA/BIND(00000124): Bind i/f Async0/2/0

AAA/AUTHEN/LOGIN (00000124): Pick method list 'default'

Basically the NO_AAA authentication list is being ignored.


did you apply the config to the line or to the interface? Asyncs have a sort of "dualism": interface async and the corresponding line

and honestly, my async/remote access days are really long ago, but maybe you should apply the NO_AAA to the async?

rgds,

mika

Mika,

I applied the NO_AAA list to the line. The async interface does not have an option for login.

All L options are:

    l2-filter

    llc2

    load-interval

    logging

    loopback

The above is from IOS version 12.4. I also looked for AAA commands but didn't see any:

   access-expression

   arp

   async (sub commands are default, dynamic and mode)

   autodetect

Thanks for the reply.

james

james,

what is the exact configuration of the lines?

did you really enter:

  line 0/2/0 0/2/15

according to what I remember and the command description it should be:

line [tty] [start] [end]     where start and end are integer numbers. you can verify the correct line number with "show line"

what is your output for show run | begin line

i have the feeling that somehow your config didn't reach the correct line

Hello,

Got it. Applying the NO_AAA login list under the tty lines 34 - 49 eliminated the login. Thank you for all your time and knowledge. I appreciate it.

thanks,

james

glad to help

MiKa

Yes, this worked for me too on a 2600 terminal server I just built; the double logon was annoying but is now solved... many thanks to those on this thread!

aaa authentication login default local
aaa authentication login NO_AAA_TSR none


line 33 48
exec-timeout 0 0
login authentication NO_AAA_TSR
no exec
transport input telnet
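Pulling the accepted answer and the last reply together, here is an added example (not any poster's configuration) of a terminal-server AAA setup that keeps TACACS+ on the vty lines, removes the terminal server's own prompt from the async tty lines, and adds the one control a practitioner would want once those lines use "none": a restriction on who may open a reverse-telnet session to them. The tty numbers 34-49, the TACACS+ server 1.1.1.1 and the list name NO_AAA come from the thread; the loopback address 10.0.0.1, the ACL name TTY_REVERSE_ONLY, the shared secret placeholder and the use of access-class on tty lines are assumptions, the last one to be confirmed on your IOS release before relying on it.

```ios
! Added example, not from the thread. Absolute tty numbers 34-49 are the
! HWIC-16A lines reported in the thread; confirm yours with "show line"
! before applying anything, since "line 0/2/0 0/2/15" did not land on them.
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login NO_AAA none
!
! Assumed shared secret; replace with your own.
tacacs-server host 1.1.1.1 key <assumed-shared-secret>
!
! Assumed address and ACL name. Only the terminal server's own loopback may
! open a reverse-telnet session to a tty line, so every user must first pass
! TACACS+ on a vty and then "telnet 10.0.0.1 20xx" from that exec.
ip access-list standard TTY_REVERSE_ONLY
 permit host 10.0.0.1
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
line vty 0 15
 login authentication default
 transport input ssh
!
! Async tty lines: no terminal-server login prompt; the attached device's
! console login becomes the only prompt.
line 34 49
 login authentication NO_AAA
 access-class TTY_REVERSE_ONLY in
 no exec
 exec-timeout 0 0
 transport input telnet
!
! From the terminal server's exec after the vty login:
!   telnet 10.0.0.1 2034      (port = 2000 + absolute line number)
```

With "none" on the tty lines, any host that can reach TCP 2034-2049 on the terminal server would otherwise skip the terminal server entirely and land on the attached device's console, and the terminal server keeps no record of who did so. The access-class keeps reverse telnet sourced from the terminal server itself, so TACACS+ on the vty still identifies the user, and command accounting on that vty is where the audit trail has to come from. Verify with "show line" (absolute numbers), "show run | begin line" (that the list is applied to those numbers, not to a line that does not exist) and "debug aaa authentication" (the tty should pick method list 'NO_AAA' instead of 'default', as in the debug output posted above).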