10-11-2002 09:34 PM - edited 03-02-2019 02:01 AM
Is it possible to have network admins authenticate via TACACS+ for username and password and log all the transactions, but have free flow for terminal server access? In other words, TACACS+ for network admins but no TACACS+ for end-user terminal server access. If possible, is there any sample config that I can refer to?
regards,
Ganesh
10-14-2002 04:48 AM
Dear Ganesh,
This is not as difficult as it may seem. Under the aaa configuration, you specify for which connections you want to use a certain login method.
It is not usual to make the TS connection authenticate locally, but it can still be done. You will have to enter a username/passwd for every user on all servers to make this information locally available.
Below I have listed a setup as I use it myself, and I have put some comments after the lines (following >). This is something that you can check in the aaa commands for yourself. Here we go:
define your user database:
username test1 password cisco
etc
aaa new-model
aaa authentication login default tacacs+ > describes the default method to authenticate; in your case this will be 'local', I presume.
aaa authentication login no_tacacs enable > used for console access, see below. The enable passwd is the passwd required for this method.
aaa authentication ppp default tacacs+ > the default for ppp sessions, can be omitted (as the default states local) or changed to local.
aaa authorization exec default tacacs+ > to get on the prompt, tacacs must be used. You will need this line.
aaa authorization network default tacacs+ > Applies to network connections
aaa accounting suppress null-username
aaa accounting update newinfo
aaa accounting exec default start-stop tacacs+ > Used to log connections
aaa accounting network default start-stop tacacs+ > similar
aaa accounting connection default start-stop tacacs+ > similar
in the config you need to define the tacacs server:
tacacs-server host 10.11.19.4
tacacs-server key -enter-your-key-here-
on the console line, create a backdoor:
line con 0
login authentication no_tacacs
This is not a tutorial; I did this mainly from memory.
I could set it up this way, but don't nail me on the exact syntax.
Hopefully, you have enough info now to get going.
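For the split Ganesh asked about (TACACS+ with accounting for admins on the console and vty lines, no TACACS+ on the terminal-server async ports), the cleanest IOS approach is a default method list for the admin lines and a separate named list applied only to the async lines. The following is an added example written for this page, not the poster's configuration; the server address 10.0.0.10, the key, the fallback username and the line range 1 16 are assumptions and must be replaced with your own values.

```text
! Added example configuration (not the original poster's).
! Assumed values: TACACS+ server 10.0.0.10, placeholder key,
! terminal-server ports on async lines 1-16.
aaa new-model
!
! Local fallback account so a dead TACACS+ server cannot lock admins out.
username admin-backup privilege 15 secret <local-fallback-password>
tacacs-server host 10.0.0.10
tacacs-server key <your-tacacs-key>
!
! Admin lines: TACACS+ first, local database only if the server is unreachable.
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! Terminal-server end users: named lists that bypass TACACS+ entirely.
! Apply these only to the physical async ports, never to con or vty.
aaa authentication login ts_users none
aaa authorization exec ts_users none
!
line con 0
 login authentication default
 authorization exec default
!
line 1 16
 login authentication ts_users
 authorization exec ts_users
!
line vty 0 4
 login authentication default
 authorization exec default
 accounting exec default
 accounting commands 15 default
```

The key difference from the reply above is that the unauthenticated path is confined to a named list (`ts_users`) bound to the async lines, while the default list stays on con and vty and keeps a `local` fallback; `none` on a default list would apply to every line that has no explicit method, including vty. Verify the result with `show aaa method-lists authentication` and `show line` before trusting it, and watch the TACACS+ server's accounting log for the first admin login.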