06-11-2010 03:04 AM - edited 03-10-2019 05:11 PM
Hi All,
I'm trying to set up AAA authentication for around 300 routers through Cisco TACACS. I installed ACS 4.2 on a Windows 2003 server and put the following AAA commands in the router; the TACACS server host and key are mentioned on the trial router:
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication login NO_AUTHEN none
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization exec NO_AUTHOR none
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 1 NO_AUTHOR none
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization commands 15 NO_AUTHOR none
aaa authorization network serial none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
!
aaa session-id common
Then I created a user and mentioned a secret key on the ACS server, and I added this router as an AAA client. The router stopped responding to the previous login name and password, but was not responding to the username defined in the ACS either. Where am I making a mistake? Kindly help.
Thanks.
06-11-2010 04:32 AM
Anu,
Are you getting the TACACS username/password prompt?
If you are getting the username/password prompt and it's not taking the TACACS credentials, could you please log in with the local username/password and run the debugs:
debug tacacs
debug aaa authentication
term mon
After this, try to log in again with the TACACS username/password and send me the output.
Do attach the failed attempts from the ACS >> Reports and Activity.
HTH
JK
Do rate helpful posts-
06-11-2010 08:41 AM
Hi Anu,
On a Layer 3 device we should have the TACACS source interface defined, since there is more than one interface. To use the IP address of a specified interface for all outgoing TACACS+ packets, use the ip tacacs source-interface command in global configuration or server-group configuration mode.
The following example makes TACACS+ use the IP address of subinterface "s2" for all outgoing TACACS+ packets:
ip tacacs source-interface s2
Usage Guidelines
Use this command to set the IP address of a subinterface for all outgoing TACACS+ packets. This address is used as long as the interface is in the up state. In this way, the TACACS+ server can use one IP address entry associated with the network access client instead of maintaining a list of all IP addresses.
This command is especially useful in cases where the router has many interfaces and you want to ensure that all TACACS+ packets from a particular router have the same IP address. The specified interface must have an IP address associated with it. If the specified subinterface does not have an IP address or is in a down state, TACACS+ reverts to the default. To avoid this situation, add an IP address to the subinterface or bring the interface to the up state.
If there is still any issue please share the debugs.
Regards,
~JG
Do rate helpful posts
06-12-2010 12:51 AM
Dear All,
I logged into the AAA client using a user configured in ACS and its password, but I am not able to run any command, as it gives this error:
Command authorization failed.
^
% Invalid input detected at '^' marker.
The AAA commands are given above. Kindly suggest what I should do to run the commands.
06-12-2010 02:42 AM
Anu,
Create a full access command set by looking at the link.
After that, associate the command set with the group the user belongs to.
HTH
JK
Do rate helpful posts-
06-12-2010 04:02 AM
Hi,
I could get full level 15 access to my test router through TACACS. I have to get 900 routers authenticated using TACACS, and I believe it supports that number. I wish to create three levels of users just like suggested in the link. Should I create three users with different permissions and use them on the clients, as I wish to keep all the clients in the default group?
Kindly suggest if this is fine or whether another approach should be used.
06-12-2010 04:20 AM
For different permission levels, check this:
HTH
JK
Do rate helpful posts-
06-15-2010 06:16 AM
Hi,
I prepared two command sets in ACS and got a few devices authorized, but at that very moment console login is also authenticated, which I don't plan to do. I wish that console access remains non-authenticated. At the moment, when trying to log in, authentication fails when I try to log in using the local user login and password.
Kindly help.
Thanks.
06-15-2010 07:56 AM
Hi Anu,
For that we need to set up a method list so that the console is authenticated locally. Here are the commands we need:
Router(config)# username [username] password [password]
tacacs-server host [ip]
tacacs-server key [key]
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login con local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization config-commands
line con 0
Router(config-line)# login authentication con ----> where "con" is the name of the method list we created above.
Regards,
~JG
Do rate helpful post
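As an added example (not code from this thread, from Cisco, or from ACS), here is a small Python linter that parses an IOS AAA block like the ones posted above and flags the pitfalls the thread walks through: a console whose login list depends on TACACS+ reachability, a login list with no local fallback, command or exec authorization that has no fallback when the server is unreachable, and a missing ip tacacs source-interface. The two configs it checks are constructed samples modelled on the original poster's block and on the console-local fix from the last reply; the server address, key and Loopback0 are placeholders.

```python
"""Lint an IOS AAA configuration for the lockout and authorization pitfalls
discussed in the thread. Added example; the configs below are constructed
samples, not a real device's configuration.
"""
import re

# Constructed sample: the original poster's AAA block, console left on the
# default login list. Address and key are placeholders.
CONFIG_BEFORE = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login NO_AUTHEN none
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
tacacs-server host 192.0.2.10
tacacs-server key PLACEHOLDER
line con 0
 logging synchronous
line vty 0 4
 transport input ssh
"""

# Constructed sample: the fix from the last reply, console bound to a
# local-only list, plus a source interface (Loopback0 is an assumption).
CONFIG_AFTER = CONFIG_BEFORE.replace(
    "line con 0\n logging synchronous\n",
    "line con 0\n login authentication con\n logging synchronous\n",
).replace(
    "aaa authentication login NO_AUTHEN none\n",
    "aaa authentication login NO_AUTHEN none\naaa authentication login con local\n",
) + "ip tacacs source-interface Loopback0\n"


def parse_ios_config(text):
    """Split an IOS config into global commands and per-'line' sections.

    Returns (global_cmds, sections); sections maps e.g. 'con 0' to the
    indented commands under that 'line' stanza.
    """
    global_cmds, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:  # indented lines outside a line stanza are ignored
                sections[current].append(raw.strip())
            continue
        current = None
        m = re.match(r"line (\S+(?: \d+){1,2})$", raw.strip())
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        else:
            global_cmds.append(raw.strip())
    return global_cmds, sections


def login_lists(global_cmds):
    """Map each 'aaa authentication login' list name to its ordered methods."""
    lists = {}
    for cmd in global_cmds:
        m = re.match(r"aaa authentication login (\S+) (.+)$", cmd)
        if m:
            lists[m.group(1)] = m.group(2).split()
    return lists


def audit_aaa(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    global_cmds, sections = parse_ios_config(text)
    findings = []
    if "aaa new-model" not in global_cmds:
        findings.append("aaa new-model missing: named method lists are not in effect")
    lists = login_lists(global_cmds)
    for name, methods in lists.items():
        if "local" not in methods and "none" not in methods:
            findings.append(f"login list {name} has no local fallback: {' '.join(methods)}")
    # Console: which list applies (the default list if none is bound), and
    # does that list depend on reaching the TACACS+ server?
    con = sections.get("con 0", [])
    applied = next((c.split()[-1] for c in con
                    if c.startswith("login authentication ")), "default")
    methods = lists.get(applied)
    if methods is None:
        findings.append(f"console uses undefined login list {applied}")
    elif "tacacs+" in methods:
        findings.append(f"console login list {applied} depends on TACACS+ reachability")
    # Authorization: without if-authenticated or local, an unreachable server
    # turns every command into 'Command authorization failed'.
    for cmd in global_cmds:
        m = re.match(r"aaa authorization (?:commands \d+|exec) (\S+) (.+)$", cmd)
        if m and "tacacs+" in m.group(2) and not ({"if-authenticated", "local"} & set(m.group(2).split())):
            findings.append(f"authorization list {m.group(1)} has no fallback: {cmd}")
    if not any(c.startswith("ip tacacs source-interface") for c in global_cmds):
        findings.append("ip tacacs source-interface not set: a multi-interface router "
                        "may source TACACS+ packets from varying addresses")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(f"{label}: {audit_aaa(cfg) or ['no findings']}")
```

Run against the first config it reports that the console rides on the default list (TACACS+ first) and that no source interface is set; against the fixed config it reports nothing, which is the state the thread ends in.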