Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2139
Views
0
Helpful
6
Replies

Tacacs+ on Line Con 0

Steven Williams
Level 4
Level 4

‎12-28-2018 12:52 PM

When configuring tacacs for a 2900 router what is the command that needs to be set to make sure console access uses tacacs first and if it cant reach tacacs server it will use local auth?

Labels:
0 Helpful
6 Replies 6

balaji.bandi
Hall of Fame
Hall of Fame

‎12-28-2018 02:09 PM

here is example modify as per your requirement.

 

aaa authentication login bb-network group tacacs+ local

 

ine vty 0 15

login authentication bb-network

 

line console 0

login authentication bb-network

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Steven Williams
Level 4
Level 4
In response to balaji.bandi

‎02-05-2019 05:39 AM

I get this error when I attempt this:

2960-01(config-line)#login authentication TACACS_SERVERS
AAA: Warning authentication list "TACACS_SERVERS" is not defined for LOGIN.

aaa group server tacacs+ TACACS_SERVERS
server-private 10.20.0.85 key ****
server-private 10.81.3.25 key ****
ip tacacs source-interface Vlan763
!
aaa authentication login default group TACACS_SERVERS local
aaa authentication login CONSOLE group TACACS_SERVERS local
aaa authentication enable default group TACACS_SERVERS enable
aaa authorization console
aaa authorization exec default group TACACS_SERVERS local
aaa authorization commands 0 15 group TACACS_SERVERS local
aaa accounting exec default start-stop group TACACS_SERVERS
aaa accounting commands 1 default start-stop group TACACS_SERVERS
aaa accounting commands 15 default start-stop group TACACS_SERVERS
aaa accounting connection default start-stop group TACACS_SERVERS
0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to Steven Williams

‎02-05-2019 06:28 AM

have you tried

login authentication default

 

and test and advise

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Steven Williams
Level 4
Level 4
In response to balaji.bandi

‎02-05-2019 08:24 AM

OK that worked. But why wouldnt the named instance work I wonder?
0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to Steven Williams

‎02-05-2019 08:50 AM

i had same issue some time back, the command was fixed. i could not get chance to investigate further.

 

Hope this is helpful, if this resolve make it as resolve for other community users can refer if this solution works.

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to Steven Williams

‎02-09-2019 11:07 AM - edited ‎02-09-2019 11:10 AM

The original poster asks why the named method did not work. We have only partial information and there might be something that we do not know which would change the answer. But based on the information given here is my explanation. I am assuming that in the commands given that we are in ling config mode for line con 0

login authentication TACACS_SERVERS

this would be pointing to a named access method TACACS_SERVERS

But TACACS_SERVERS is a server group and not a named access method.

 

We are given this in the partial config

aaa authentication login CONSOLE group TACACS_SERVERS local

so we have a named access method called CONSOLE which suggests that it was intended to specify the authentication on the console. So if the command at the very beginning had been (assuming that we are in line config mode for line con 0)

login authentication CONSOLE

then I believe that it would have worked.

 

HTH

 

Rick

 

[edit] the suggestion from BB to use login authentication default works because the configured default authentication method has the same parameters as the CONSOLE method  

 

 

HTH

Rick
0 Helpful
Customers Also Viewed These Support Documents