trouble configuring router login w/ACS

Status
Not open for further replies.

llathrop

MIS
Joined
Mar 22, 2005
Messages
35
Location
US
Hi, I am having some trouble configuring my routers to correctly use our ACS server for login, etc.

The goal:
To login through network or console with an approved ACS user name and password, unless the network is down, or the ACS server is unavailable, in which case we would login with a backup local username/password.

The problem is:
I can log in through telnet, using the ACS name/pass, but only if the ACS server is available. At the console, I can log in, but I am not at the correct access level. If I type en, I am prompted for a password, and I can't determine what it would be.

Here are the relevant parts of the config:

Code:
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common
!
!
username netadmin password xxxxx
!
!
tacacs-server host xxx.xxx.xxx.xxx
tacacs-server directed-request
tacacs-server key xxxxxxx

Let me know and I'll provide any other bits of configuration that are needed

I appreciate your help!!

Luke.
 
Do you really want to use AAA for your "enable" authentication? The way you have it configured you would have to have your enable password configured in ACS.
 
Well, we want it so that when you login, you are already at level 15, and don't need to give an enable password. Does that make sense?

That is how it is working now, if you log in through telnet. If you log in at the console, you are level 1, but can give the enable command, but I can't determine which password to use--is it set somewhere on the ACS server?

I also need it to fall back to allow me to log on at the console if the ACS server is unavailable.

I appreciate your help!
 
As it is right now, you get privilege level 15 if you use Telnet? Can you include the config from your vty lines and console?
 
Sure, here you go:
Code:
line con 0
line aux 0
line vty 0 4
password 7 xxxxxxx

I have messed around with various things here, but none of the things I have tried has had any effect so far. I believe I had
"login auth default"
on them all at one point, but it acted just the same.

Thanks!!
Luke
 
Try removing the "aaa authentication enable" command and adding "privilege level 15" to your vty and console lines.
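Added example, not posted by anyone in this thread: the AAA and line configuration as it would look after applying the last reply's suggestion, assembled from the fragments Luke posted earlier. It removes the `aaa authentication enable` line and puts `privilege level 15` on the console, aux and vty lines, and it explicitly binds the lines to the `default` login method list, which is what the thread's goal (ACS first, local account only when the server does not answer) relies on. The host address and keys are the thread's own placeholders; `aaa new-model`, the `privilege 15 secret` form of the local account, and the `enable secret` line are assumptions added here and are not from the thread.

```text
! Added example (not from the thread): AAA after dropping "aaa authentication enable"
! Assumption: aaa new-model is already present; the aaa commands require it
aaa new-model
!
! Login: ask TACACS+ first; fall back to the local user database only when
! no TACACS+ server responds (a rejected ACS login does NOT fall back)
aaa authentication login default group tacacs+ local
!
! Exec authorization: ACS decides the privilege level; local fallback when
! the server is unreachable; if-authenticated lets an authenticated user in
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common
!
! Local fallback account (assumption: "privilege 15 secret" instead of the
! thread's "password", so the fallback user lands at level 15 when the
! local method is the one that authorized the exec session; placeholder value)
username netadmin privilege 15 secret xxxxx
!
! Assumption: with enable authentication no longer handled by AAA, the
! "enable" command checks this locally stored secret (placeholder value)
enable secret xxxxx
!
tacacs-server host xxx.xxx.xxx.xxx
tacacs-server directed-request
tacacs-server key xxxxxxx
!
! Each line uses the "default" login list and starts at level 15,
! so an approved ACS user never has to type an enable password
line con 0
 login authentication default
 privilege level 15
line aux 0
 login authentication default
 privilege level 15
line vty 0 4
 login authentication default
 privilege level 15
```

To confirm the result, log in on the console and on a vty and run `show privilege`; it should report level 15 in both cases. To confirm the fallback path, test from the console with the TACACS+ host temporarily unreachable: the `netadmin` local account should be accepted, and the accounting records for that session will be absent because no server was reachable to receive them.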
 