08-04-2004 11:35 AM - edited 03-10-2019 07:56 AM
I am currently implementing an ACS appliance. I have it installed and configured to run as a TACACS+ server for our routers. Currently it has 2 users configured, both with full access to all routers (max enable privilege 15 for any client). I need to configure the clients remotely by means of telnet, but part way through the config I lose my connection because it then has to authorize to do further config commands; not having logged in previously, I need to reconnect. When I go to reconnect it authenticates with the ACS but for some reason won't authorize. On a test network everything worked, but I was configuring through a console cable at the time. The following are the steps I take each time to set up the client, up until where the problems start (I chose to start with a router that is only a few miles away so I can go there and fix it if things go wrong, but I won't be able to do that when I'm trying to do this to routers in Leeds or Madrid or Melbourne etc.):
(Telneted in and did the following)
....
Test1#reload in 000:20
Reload scheduled in 20 minutes
Proceed with reload? [confirm]
Test1#config t
Enter configuration commands, one per line. End with CNTL/Z.
Test1(config)#aaa new-model
Test1(config)#tacacs-server host 10.x.xx.xx single-connection
Test1(config)#tacacs-server key _xxxxxx_xxxxxxx_xxxx_
Test1(config)#tacacs-server timeout 20
Test1(config)#
Test1(config)#aaa authentication login default
Test1(config)#aaa authentication enable default tacacs+
Test1(config)#
Test1(config)#line vty 0 4
Test1(config-line)#login authentication default
Test1(config-line)#exit
Test1(config)#line con 0
Test1(config-line)#login authentication default
Test1(config-line)#exit
Test1(config)#
Test1(config)#aaa authorization network default tacacs+
Test1(config)#aaa authorization exec default tacacs+ if-authenticated
Test1(config)#aaa authorization commands 15 default tacacs+ if-authenticated
Test1(config)#aaa authorization config-commands
Command authorization failed.
Test1(config)#exit
Test1#exit
User Access Verification
Username: bakerd
Password:
% Authorization failed.
That's straight out of HyperTerminal.
The following is the ACS's version of what happened:
08/04/2004 16:25:11 Authen OK bakerd Global 10.x.xx.xxx tty2 10.x.xx.x
08/04/2004 16:25:11 Author failed bakerd Global 10.x.xx.xxx .. Service denied service=shell cmd* tty2 10.x.xx.x
08-05-2004 06:21 AM
It looks to me like it is more likely an issue with how users are defined in ACS than it is a configuration issue on the router. Have you turned on shell access for the users in ACS?
I would also make a suggestion that when you define authentication you provide for some backup method to cover cases where ACS/TACACS might not be available. So instead of having this:
Test1(config)#aaa authentication login default
Test1(config)#aaa authentication enable default tacacs+
you might want this:
Test1(config)#aaa authentication login default line
Test1(config)#aaa authentication enable default tacacs+ enable
This would allow the router to use the line passwords for user authentication and the enable password for privilege authentication if the ACS were not available.
HTH
Rick
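The rollout order and fallback methods discussed in the thread, collected into one configuration as an added example (not from either poster): it assumes the older bare `tacacs+` method keyword used above, an ACS user that already has shell access enabled, and placeholder values in angle brackets that you replace with your own.

```cisco
! Added example, not the thread's own config. Order matters when the
! router is configured over telnet rather than the console.
!
! 1. Safety net first: the router reverts to its saved config if the
!    session is lost and nothing below can be undone remotely.
reload in 000:20
!
! 2. Fallback credentials that exist BEFORE AAA is switched on.
username rescue privilege 15 secret <STRONG-LOCAL-PASSWORD>
enable secret <ENABLE-PASSWORD>
!
aaa new-model
tacacs-server host <ACS-IP> single-connection
tacacs-server key <SHARED-KEY>
tacacs-server timeout 20
!
! 3. Authentication: TACACS+ first, local/enable only if the server does
!    not answer. A reject returned by ACS is still a reject; the fallback
!    never overrides it, so the ACS user must be correct on its own.
aaa authentication login default tacacs+ local
aaa authentication enable default tacacs+ enable
!
! 4. Authorization. "local" lets the rescue user get an exec shell when
!    ACS is down; "if-authenticated" keeps per-command authorization
!    working in the same situation. Command authorization is enabled
!    last, because the very next command is itself authorized by ACS.
aaa authorization exec default tacacs+ local
aaa authorization commands 15 default tacacs+ if-authenticated
aaa authorization config-commands
!
! Console lines are exempt from authorization unless the following is
! set, which is why a console test can pass while telnet fails:
! aaa authorization console
!
! 5. Only after a fresh telnet login and a config command succeed:
reload cancel
write memory
```

With the ACS log above in mind, "Authen OK" followed by "Author failed ... service=shell" is exactly the case the fallback does not cover: the server answered and denied, so the user's shell settings on ACS are what need changing.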