04-23-2012 07:37 AM
I'm trying to set up reverse console access in the lab;
AUX port on router R1 is connected to Console port on switch SW1.
On R1 I have the following configuration;
aaa new-model
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization reverse-access default group tacacs+ local
aaa accounting exec default
action-type stop-only
group tacacs+
!
aaa accounting commands 0 default
action-type stop-only
group tacacs+
!
aaa accounting commands 1 default
action-type stop-only
group tacacs+
!
aaa accounting commands 15 default
action-type start-stop
group tacacs+
!
aaa session-id common
!
line aux 0
modem InOut
transport preferred telnet
transport input all
transport output all
flowcontrol hardware
I can telnet to R1, and then telnet to its own loopback0 interface on port 2001, which connects me to SW1;
r1#telnet 1.2.3.4 2001
Trying 1.2.3.4, 2001 ... Open
User Access Verification
Username: me
Password:
% Authorization failed.
[Connection to 1.2.3.4 closed by foreign host]
r1#
No matter what configuration I try I always get this "% Authorization failed". I can telnet to SW1 just fine with the following configuration; what's missing to allow reverse access to work correctly?
aaa new-model
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default stop-only group tacacs+
aaa accounting commands 0 default stop-only group tacacs+
aaa accounting commands 1 default stop-only group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
aaa session-id common
!
line con 0
privilege level 15
line vty 0 4
session-timeout 5
access-class 50 in
logging synchronous
transport input all
transport output all
04-26-2012 11:58 PM
Does this help?
04-27-2012 03:55 AM
Hi Andrew,
Thanks for the input but unfortunately I'm still stumped! I can't see why it wouldn't work. After a bit more fiddling, the latest configs are below, but it seems like it should work to me. I dropped "aaa authorization reverse-access default group tacacs+ local" from R1; now, instead of being able to log into SW1 and get the "% Authorization failed." error, I get nothing and it just hangs indefinitely, never actually logging in or failing.
R1;
aaa new-model
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default
action-type stop-only
group tacacs+
!
aaa accounting commands 0 default
action-type stop-only
group tacacs+
!
aaa accounting commands 1 default
action-type stop-only
group tacacs+
!
aaa accounting commands 15 default
action-type start-stop
group tacacs+
!
aaa session-id common
!
line aux 0
transport preferred none
transport input telnet
transport output none
SW1;
aaa new-model
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default stop-only group tacacs+
aaa accounting commands 0 default stop-only group tacacs+
aaa accounting commands 1 default stop-only group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
aaa session-id common
!
line con 0
privilege level 15
04-28-2012 11:35 AM
I have two suggestions:
- on R1 add under line aux 0
no exec
- on SW1 remove
aaa authorization console
HTH
Rick
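A small check for whether the two changes suggested in the reply above are present in saved copies of the R1 and SW1 configs. This is an added example, not part of the original thread: the sample configs are constructed from the thread's latest posts, sub-commands are assumed to carry IOS's usual one-space indentation, and the function names are hypothetical.

```python
# Added example. Sample configs are constructed from the thread's latest posts,
# assuming IOS's usual one-space indentation of sub-commands.
R1_CFG = """\
aaa new-model
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting exec default
 action-type stop-only
 group tacacs+
line aux 0
 transport preferred none
 transport input telnet
 transport output none
"""
SW1_CFG = """\
aaa new-model
aaa authorization console
aaa authorization exec default group tacacs+ if-authenticated
line con 0
 privilege level 15
"""

def parse(cfg):
    """Return (global commands, {'line ...': [sub-commands]}) for an IOS config."""
    global_cmds, sections, current = [], {}, None
    for raw in cfg.splitlines():
        cmd = raw.strip()
        if not cmd or cmd == "!":
            continue
        if raw[0].isspace():              # indented: belongs to the open section
            if current is not None:       # only 'line' sections are tracked
                sections[current].append(cmd)
            continue
        global_cmds.append(cmd)
        current = cmd if cmd.startswith("line ") else None
        if current:
            sections.setdefault(current, [])
    return global_cmds, sections

def pending_changes(r1_cfg, sw1_cfg, aux="line aux 0"):
    """List which of the two changes suggested in the reply are not yet applied."""
    todo = []
    r1_lines = parse(r1_cfg)[1]
    if aux not in r1_lines:
        todo.append(f"R1: no '{aux}' section found")
    elif "no exec" not in r1_lines[aux]:
        todo.append(f"R1: add 'no exec' under {aux}")
    if "aaa authorization console" in parse(sw1_cfg)[0]:
        todo.append("SW1: remove 'aaa authorization console'")
    return todo

if __name__ == "__main__":
    print("\n".join(pending_changes(R1_CFG, SW1_CFG)) or "both changes applied")
```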