Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
714
Views
0
Helpful
3
Replies

Problems with VPN3000 concentrator TACACS configuration

gassolini
Level 1
Level 1

‎07-12-2002 04:25 AM - edited ‎02-21-2020 11:55 AM

Hi, I have a problem with my Altiga. I try to configure TACACS for administrative management but I receive the following error:

41369 07/12/2002 14:09:55.390 SEV=4 AUTH/15 RPT=38

Server name = 10.21.25.53, type = TACACS+,

group = none (global server), status = Active

41373 07/12/2002 14:10:08.980 SEV=4 AUTH/9 RPT=43

Authentication failed: Reason = No error

handle = 83, server = 10.21.25.53, user = admin

What it means?

Thanks

Bye

Labels:
0 Helpful
3 Replies 3

gfullage
Cisco Employee
Cisco Employee

‎07-14-2002 10:44 PM

Looks sort of like you don't have a user called "admin" in your TACACS server. An important thing to remember when using TACACS for your admin logins, is that as soon as you add a TACACS server in under the Administration - Access Rights - AAA Servers - Authentication menu, the usernames configured on the VPN3000 concentrator itself are no longer used. What I mean is that if you look under Administration - Access Rights - Administrators, you'll see 5 usernames that you can use to login with normally. when you add in a AAA server, these names are no longer used. The only thing that is used is the AAA Access Level configured under each of these users.

What you need to do is add users to your TACACS server, and set their privilege level on the TACACS server to be equal to one of these values unde teh 5 different users. These usernames do not have to be "admin", "cisco", "user" etc like you see on the concentrator, since as I said thery're not referenced any more. The only important thing is that the username on the TACACS server also has a privilege level that matches the AAA Access Level under one of these users. If it does, the user will then get the privilege's that you have defined under the VPN3000 user with that corresponding access level.

Difficult to understand, but basically ignore the usernames on the concentrator, and just look at the privileges and the access level number under those users.

0 Helpful

zabbas
Level 1
Level 1
In response to gfullage

‎07-15-2002 04:21 AM

What happens whent he TACACS server is unavailable, will it revert to the local usernames on the VPN concentrator ?

0 Helpful

gfullage
Cisco Employee
Cisco Employee
In response to zabbas

‎07-15-2002 09:48 PM

I don't believe it does. It will go to teh next server in the list, but if it gets to the bottom of the list then it fails the connection. When this happens the only way to get in is directly connected to the console.

0 Helpful
Customers Also Viewed These Support Documents