Problems with ACS

rbarroso
Level 1

Hi, we have a Cisco Catalyst 6513 Switch as CORE.

The transport protocol is SSH, and the authorization is an ACS server (RADIUS). The ACS server gets the user information from Domain Users.

If I configure the switch to authorize via ACS, any group created in it has permission.

And the local user doesn't work.

The configuration lines are:

aaa new-model
username admin secret "password"
aaa authentication login "G_my_group" group radius local
line vty 0 4
 login authentication "G_my_group"

Any idea?

Regards.


Richard Burts
Hall of Fame

It seems to me that you may expect something that is different from the way that aaa works. From your description it seems that you have configured:

aaa authentication login "G_my_group" group radius local

and expect it to provide alternative authentication (authenticate with Radius OR authenticate with local). What aaa does is to treat the second method as a backup (it will try Radius and only if it gets no response will it try the local authentication).

HTH

Rick
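To make Rick's point concrete, here is a small Python model of how an IOS method list is evaluated (my own added illustration, not code from this thread or from Cisco): a method list only moves on to the next method when the current one gives no response, so while RADIUS is reachable and rejects a username, the local database is never consulted. The user databases below are constructed sample values.

```python
from enum import Enum
from typing import Callable, Dict, List, Optional

class Result(Enum):
    PASS = "pass"    # the method accepted the credentials
    FAIL = "fail"    # the method answered and rejected them
    ERROR = "error"  # the method gave no response (servers unreachable)

Method = Callable[[str, str], Result]  # (username, password) -> Result

def local_db(users: Dict[str, str]) -> Method:
    """'local' method: the switch's own 'username ... secret' database."""
    def check(user: str, pw: str) -> Result:
        return Result.PASS if users.get(user) == pw else Result.FAIL
    return check

def radius_group(users: Optional[Dict[str, str]]) -> Method:
    """'group radius' method; users=None models every RADIUS server timing out."""
    def check(user: str, pw: str) -> Result:
        if users is None:
            return Result.ERROR
        return Result.PASS if users.get(user) == pw else Result.FAIL
    return check

def authenticate(method_list: List[Method], user: str, pw: str) -> Result:
    """Walk the method list in order; only ERROR falls through to the next method."""
    for method in method_list:
        result = method(user, pw)
        if result is not Result.ERROR:
            return result      # a PASS or FAIL from a responding method is final
    return Result.ERROR        # no method could answer at all

# Constructed sample databases, not real credentials.
LOCAL_USERS = {"admin": "password"}   # 'username admin secret "password"' on the switch
RADIUS_USERS = {"alice": "s3cret"}    # a domain account the ACS/RADIUS server knows

def demo() -> Dict[str, Result]:
    """Outcomes for 'group radius local' with RADIUS up versus RADIUS down."""
    radius_up = [radius_group(RADIUS_USERS), local_db(LOCAL_USERS)]
    radius_down = [radius_group(None), local_db(LOCAL_USERS)]
    return {
        "domain user, radius up": authenticate(radius_up, "alice", "s3cret"),
        "local admin, radius up": authenticate(radius_up, "admin", "password"),  # RADIUS rejects; local never tried
        "local admin, radius down": authenticate(radius_down, "admin", "password"),  # falls through to local
    }

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome.value}")
```

The second case is exactly the symptom in the original post: the local "admin" account only works once RADIUS stops answering.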

kevin_miller
Level 1

For VTY lines, "login authentication default" is the default authentication method. So, you can do this to have your MSFC try tacacs first, then fail over to your enable secret password.

If your problem is that your NT group membership isn't working - I'd look at your ACS group mappings. Make sure the "All other combinations" didn't map instead of the group you wanted. That happens sometimes.

aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
tacacs-server host 1.1.1.1 key xxxx
tacacs-server host 2.2.2.2 key xxxx
enable secret yyyy
line 0 4
 login authentication default

s.uslay
Level 1

Do you have the user "admin" defined in the Radius server?

Do you see that authentication request reaching ACS?

You can check this in the "Failed attempts" section of "Reports and Activity"...

If it does not reach ACS then you have a problem with the Radius definition (IP address, secret key)..

I am also confused that you said the transport protocol is SSH but you don't have a crypto statement or "transport input ssh (or all)" under line vty 0 4?

You have to implement SSH with AAA step by step.

1) First try local Telnet login with no Radius

2) Try Telnet login with Radius and the local database on ACS

3) Try 2 with an external database (Domain users?? Is it Active Directory?)

4) Try local SSH (check IOS, CatOS versions and bugs)

5) Try SSH over AAA

Serhat