authentication via console

griffith2009
Level 1

I have the following configuration:

aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication login no_tacacs local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting commands 15 default start-stop group tacacs+
enable secret xxxxxxxxxxxxxxxxxxxxxxxx
username user password 7 yyyyyyyyyyyyyyyyyyyyyyyyyyyyy
line con 0

-----------------------------------------------

If I need to connect through the console, will the router request the username defined on the TACACS server?

If I lose the connection to the TACACS server, when I connect via the console, will the router request the local username "user"?

4 Replies 4

Richard Burts
Hall of Fame

Maria

Your configuration includes an authentication named method list of no_tacacs. But you do not show us where (if anywhere) that method is associated with interfaces or lines. And your post shows line con 0 and suggests that there are no config parameters under that line. Is this really the case?

If we accept the posted config at face value then we would believe that when you initiate login at the console that it would attempt to authenticate with tacacs and if it could not communicate with tacacs that it would authenticate with a locally configured user name.

HTH

Rick


Mohamed Sobair
Level 7

Adding to Rick's,

First, you need to define which policy you are going to apply under line console 0.

This is achieved by:

line con 0
 login authentication default

or

line con 0
 login authentication no_tacacs

Second, you will need to define the TACACS server host and the key to be used for encrypting the messages between the router and the TACACS server.

HTH

Mohamed

Hi,

Yes, in this config I forgot to put these lines:

tacacs-server host 1.1.1.1
tacacs-server directed-request
tacacs-server key 7 xxxxxxxxxxxx

That config was made by the previous network administrator.

The method list no_tacacs is not referenced in the config.

I need to authenticate on the console via TACACS when I have a connection to TACACS, when it is up, and to authenticate with the local user when TACACS is down.

With the commands:

line con 0
 login authentication default

can I do this?

Maria

If the console is set for default authentication then this line in the config from your original post is the one that will operate:

aaa authentication login default group tacacs+ local

and what it will do is that it will first attempt to authenticate with the TACACS server (so it will prompt for user name and password, which should be the name and password as configured in TACACS) and if it has lost connection to the TACACS server then it will prompt for user name and password to authenticate the local user name from the config.

HTH

Rick
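
The checks discussed in this thread, as an added example that is not part of any poster's reply or configuration: a short Python audit that reports which login method list each line uses and flags unapplied lists, undefined lists, TACACS+ lists with no server defined, and TACACS+ lists with no local fallback. It assumes `show running-config` text with indented sub-commands; the `line vty 0 4` entry and the `mgmt` list name are constructed for contrast.

```python
import re

# Constructed sample: the AAA login lines posted in the thread, plus a
# hypothetical "line vty 0 4" bound to an undefined list named "mgmt".
SAMPLE = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login no_tacacs local
line con 0
line vty 0 4
 login authentication mgmt
"""

def parse_methods(tokens):
    """Turn ['group', 'tacacs+', 'local'] into ['group tacacs+', 'local']."""
    out, it = [], iter(tokens)
    for tok in it:
        out.append("group " + next(it, "?") if tok == "group" else tok)
    return out

def audit_login(config):
    """Return ({line: method list name}, [findings]) for login authentication."""
    lists, lines, current, has_server = {}, {}, None, False
    for raw in config.splitlines():
        text = raw.strip()
        if raw and not raw[0].isspace():
            current = None                  # a top-level command ends the line block
        m = re.match(r"aaa authentication login (\S+) (.+)", text)
        if m:
            lists[m.group(1)] = parse_methods(m.group(2).split())
        elif text.startswith("tacacs-server host "):
            has_server = True
        elif current is None and re.match(r"line \S+ \d+", text):
            current = text
            lines[current] = "default"      # no "login authentication" means the default list
        elif current and text.startswith("login authentication "):
            lines[current] = text.split()[2]
    findings = [f"{ln}: method list '{n}' is not defined" for ln, n in lines.items() if n not in lists]
    for name, methods in lists.items():
        if name not in lines.values():
            findings.append(f"method list '{name}' is not applied to any line")
        if "group tacacs+" in methods and not has_server:
            findings.append(f"method list '{name}' uses tacacs+ but no tacacs-server host is set")
        if "group tacacs+" in methods and "local" not in methods:
            findings.append(f"method list '{name}' has no local fallback")
    return lines, findings
```
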
