03-04-2013 12:49 PM
Hello all,
I am implementing an ACS solution for authentication and authorization of my Cisco devices. So far everything Switch-ACS is working. I also want users to have to authenticate themselves with AD when they connect over SSH. That is currently working. As a failsafe in case the ACS fails, I would like users to be able to use local credentials via TELNET. This I cannot get working.
I configured VTY ports 0-4 for SSH only and attached the group for TACACS.
I configured VTY ports 5-15 for TELNET only and attached the group for LOCAL authentication.
When I connect using SSH, all is well. When I try using TELNET it does not allow me to log in (it's trying to authenticate with AD).
Here is the config I have:
aaa authentication login CONSOLE local
aaa authentication login SSH group tacacs+
aaa authentication dot1x default group radius
aaa authorization exec default group tacacs+
aaa authorization network default group radius
aaa accounting system default start-stop group tacacs+
line con 0
 exec-timeout 15 0
 password 7 xxxxxxxx
 login authentication CONSOLE
line vty 0 4
 exec-timeout 15 0
 password 7 xxxxxxxx
 login authentication SSH
 transport input telnet ssh
line vty 5 15
 exec-timeout 15 0
 password 7 xxxxxxx
 login authentication CONSOLE
 transport input ssh
Any help is appreciated.
Trent
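As an added example (not code from the original post, from Cisco, or from ACS), the following Python script parses the configuration pasted above and lays it out the way a reviewer would check it: the transports and login method list of each line range, compared against the intent described in the post, plus every AAA method list whose methods all require a reachable AAA server. The INTENT table is an assumption transcribed from the prose of the post, and the fallback check is a generic AAA review check, not a diagnosis of this specific failure.

```python
"""Lint a Cisco IOS AAA/line configuration against an operator's stated intent.

Added example, not code from the original post or from Cisco. It parses the
configuration pasted in the thread and reports (1) the transports and login
method list of each line range, so they can be compared with the intent stated
in the prose, and (2) any AAA method list with no method that still works when
every AAA server is unreachable. INTENT is an assumption transcribed from the
post's text, not something the configuration itself states.
"""
import re

# Config exactly as pasted in the post (passwords already masked by the poster).
CONFIG = """\
aaa authentication login CONSOLE local
aaa authentication login SSH group tacacs+
aaa authentication dot1x default group radius
aaa authorization exec default group tacacs+
aaa authorization network default group radius
aaa accounting system default start-stop group tacacs+
line con 0
 exec-timeout 15 0
 password 7 xxxxxxxx
 login authentication CONSOLE
line vty 0 4
 exec-timeout 15 0
 password 7 xxxxxxxx
 login authentication SSH
 transport input telnet ssh
line vty 5 15
 exec-timeout 15 0
 password 7 xxxxxxx
 login authentication CONSOLE
 transport input ssh
"""

# Operator intent, transcribed from the prose of the post (assumption, not config).
INTENT = {
    "vty 0 4": {"transport": {"ssh"}, "login": "SSH"},
    "vty 5 15": {"transport": {"telnet"}, "login": "CONSOLE"},
}

# Methods that do not depend on a reachable AAA server. 'none' is included only
# because it is a fallback in the syntactic sense, not because it is a safe one.
OFFLINE_METHODS = {"local", "local-case", "enable", "line", "if-authenticated", "none"}


def _split_methods(tokens):
    """Turn ['group', 'tacacs+', 'local'] into ['group tacacs+', 'local']."""
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append(f"group {tokens[i + 1]}")
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def parse_ios_config(text):
    """Return (method_lists, lines).

    method_lists maps (kind, name) -> [methods], e.g.
        ("authentication login", "SSH") -> ["group tacacs+"]
    lines maps "vty 0 4" -> {"login": method-list name or None,
                             "transport": set of 'transport input' keywords}
    Only the AAA statements relevant to interactive login are parsed.
    """
    method_lists, lines, current = {}, {}, None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("!"):
            continue
        m = re.match(r"aaa (authentication login|authorization exec) (\S+) (.+)$", stripped)
        if m:
            method_lists[(m.group(1), m.group(2))] = _split_methods(m.group(3).split())
            current = None
            continue
        m = re.match(r"line (con|vty|aux) ([\d ]+)$", stripped)
        if m:
            current = f"{m.group(1)} {m.group(2).strip()}"
            lines[current] = {"login": None, "transport": set()}
            continue
        if current is None:
            continue  # some other global command we do not model
        m = re.match(r"login authentication (\S+)$", stripped)
        if m:
            lines[current]["login"] = m.group(1)
        m = re.match(r"transport input (.+)$", stripped)
        if m:
            lines[current]["transport"] = set(m.group(1).split())
    return method_lists, lines


def lists_without_offline_fallback(method_lists):
    """Method lists whose every method needs a reachable AAA server."""
    return sorted(f"{kind} {name}"
                  for (kind, name), methods in method_lists.items()
                  if not OFFLINE_METHODS.intersection(methods))


def intent_mismatches(lines, intent):
    """Human-readable differences between configured lines and the intent table."""
    findings = []
    for key, want in intent.items():
        have = lines.get(key)
        if have is None:
            findings.append(f"{key}: no such line range in config")
            continue
        if have["transport"] != want["transport"]:
            findings.append(f"{key}: transport input is {sorted(have['transport'])}, "
                            f"intent is {sorted(want['transport'])}")
        if have["login"] != want["login"]:
            findings.append(f"{key}: login authentication is {have['login']}, "
                            f"intent is {want['login']}")
    return findings


if __name__ == "__main__":
    method_lists, lines = parse_ios_config(CONFIG)
    for key, info in lines.items():
        print(f"line {key}: login={info['login']} transport={sorted(info['transport'])}")
    for finding in intent_mismatches(lines, INTENT):
        print("intent mismatch:", finding)
    for name in lists_without_offline_fallback(method_lists):
        print("no offline fallback:", name)
```

Run against the pasted config, the script reports that the `transport input` keywords on vty 0 4 and vty 5 15 are the reverse of the intent described in the post, and that the SSH login list and the default exec authorization list contain only `group tacacs+`, so neither has a method that still works when ACS is unreachable.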