
Unable to telnet to router after becoming NAS


ekinike
My problem is that in implementing ACS, I added some new commands to my router which I have designated as the NAS. As a result I am unable to telnet into the router. The commands I added are as follows:

aaa new-model

aaa authentication login default tacacs+
aaa authentication ppp default tacacs+

aaa authorization exec tacacs+
aaa authorization network tacacs+

aaa accounting network start-stop tacacs+
aaa accounting exec start-stop tacacs+

tacacs-server host (IP Address) single
tacacs-server key xxxxxxxxxxx

enable secret xxxxxxxx
aaa authentication login no_tacacs enable
line con 0
login authentication no_tacacs

Please advise on how I can allow telnet to my router as well. It was working fine before I added these commands.

Thanks.
 
I guess your first line is the problem. Your default login is the tacacs+ server. If you have a username and password on the tacacs+ server, you'll be authenticated.

If not, you'll fail the authentication, and the NAS won't try another method. It'll just fail.

I suggest you take one of two options:

1. Create a username and password on the tacacs+ server so you can be authenticated.

2. Make the default login local, with a local username and password on the NAS itself, using these commands:

username cisco password cisco
aaa authentication login default local

Good luck.
 
Thanks for your response!!

Is there any way to disable tacacs for telnet only at this point in time, or to allow telnet to first check the tacacs server for authentication and then revert to its normal login if it does not find anything?

Please advise.
 
Yes you can do that, here is a template for the command structure. I threw in a few extra things for you to consider (banners for specific things etc.). But this will allow the NAS to look up TACACS or RADIUS; if the login fails then it will look for the local accounts you built on the NAS. I separated commands for things with brackets like this [Purpose]. I hope this helps you! The one you want to pay attention to is the [Set AAA Services]; under that is where I point the login to go to a radius server, and if it fails it goes to local login, and you would still have to use secret to get to exec mode. Note you still need to create a local username and password for this to work; I show that first. If you need more specific info just email me at tschouten at weltman.com

Router(config)# enable secret XYZ123 (if not already performed)

Router(config)# username Sysadmin privilege 15 password xyz123

Router(config)# service password-encryption (if not already performed)


Router(config)# aaa new-model


[SET BANNERS]

Router(config)# aaa authentication banner @

*** Unauthorized Access Prohibited!! ***


---------------------WARNING--------------------
You have reached a private network. All access is
monitored and logged. Any unauthorized access will
be prosecuted under all local, state and federal
laws.
---------------------WARNING--------------------


*** Unauthorized Access Prohibited!! *** @


Router(config)# aaa authentication fail-message @

*** Login Attempt Failed *** @

[SET AAA SERVICES]

Router(config)# aaa authentication login default radius local-case enable

Router(config)# aaa authorization exec radius if-authenticated local

Router(config)# aaa accounting update periodic 5

Router(config)# aaa accounting ?

commands For exec (shell) commands.
connection For outbound connections. (telnet, rlogin)
exec For starting an exec (shell).
nested When starting PPP from EXEC, generate
NETWORK records before EXEC-STOP record.
network For network services. (PPP, SLIP, ARAP)
send Send records to accounting server.
suppress Do not generate accounting records for a
specific type of user.
system For System events.
update Enable accounting update records.
(whatever you want logged into the accounting)


[SET SERVER ADDRESS]

Router(config)# radius-server host {ip address of server}

Router(config)# radius-server challenge-noecho

[Set Login on Lines ie. telnet, Modem, etc. Suggest using show line command to find out how many lines you have for everything.]

Router(config)# line 0 6
Router(config-line)# login authentication default
Router(config-line)# exit

Router(config)# line vty 0 4
Router(config-line)# login authentication default
Router(config-line)# exit

Router(config)# line con 0
Router(config-line)# login authentication default
Router(config-line)# exit

Router(config)# line aux 0
Router(config-line)# login authentication default
Router(config-line)# exit

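As an added example (not from this thread), the following Python model shows how an IOS AAA method list such as `tacacs+ local` is evaluated: IOS moves on to the next method only when the previous one returns an error (the server did not respond), not when it rejects the credentials, so the `local` entry covers a dead TACACS+ or RADIUS server, not a wrong password. The usernames, passwords and the server-up flag are constructed for the demonstration; `Sysadmin`/`xyz123` and `XYZ123` are the values from the template above.

```python
# Model of Cisco IOS AAA method-list evaluation (added example, not from the thread).
# Each method answers PASS, FAIL or ERROR. IOS tries the next method only on ERROR
# (server unreachable / not responding); a FAIL (bad credentials) ends the attempt.
from enum import Enum


class Result(Enum):
    PASS = "pass"
    FAIL = "fail"
    ERROR = "error"


# Constructed sample state for the NAS in the thread.
TACACS_USERS = {"netadmin": "Tacacs-Pw1"}     # accounts known to the AAA server
LOCAL_USERS = {"Sysadmin": "xyz123"}          # local account from the template
ENABLE_SECRET = "XYZ123"                      # enable secret from the template


def tacacs_plus(user, pw, server_up):
    if not server_up:
        return Result.ERROR                   # no answer -> next method is consulted
    return Result.PASS if TACACS_USERS.get(user) == pw else Result.FAIL


def local(user, pw, server_up):
    return Result.PASS if LOCAL_USERS.get(user) == pw else Result.FAIL


def enable(user, pw, server_up):
    return Result.PASS if pw == ENABLE_SECRET else Result.FAIL


# RADIUS behaves the same way in the method-list model; tacacs+ is used here
# because that is what the original poster configured.
METHODS = {"tacacs+": tacacs_plus, "local": local, "enable": enable}


def authenticate(method_list, user, pw, server_up=True):
    """Walk an IOS-style method list left to right.

    Returns (Result, name_of_method_that_decided); if every method errored,
    returns (Result.ERROR, None) and the login is denied.
    """
    last = Result.ERROR
    for name in method_list:
        last = METHODS[name](user, pw, server_up)
        if last is not Result.ERROR:
            return last, name
    return last, None


if __name__ == "__main__":
    # OP's config "aaa authentication login default tacacs+": no fallback at all.
    print(authenticate(["tacacs+"], "Sysadmin", "xyz123", server_up=True))
    # "tacacs+ local" with the server down: local account is consulted and passes.
    print(authenticate(["tacacs+", "local"], "Sysadmin", "xyz123", server_up=False))
    # Same list, server up but user unknown there: FAIL, local is never consulted.
    print(authenticate(["tacacs+", "local"], "Sysadmin", "xyz123", server_up=True))
```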
 
Thanks so much!! Works great.
 