What is the best way to ensure Console Port stays open when using TACACS+

Answered Question
Mar 20th, 2007

We have an assortment of 4507s, 2950s, and mid-size routers, all on TACACS+. We have physical security over all the devices, so we want the console port always available. We tried adding "login authen for-console" under line Con 0, and "aaa authen login for-console none", but that sometimes gives us an infinitely recurring login prompt. What's the best way to always keep it open?

Richard Burts Tue, 03/20/2007 - 10:36

James

If I am understanding correctly what you are trying to do, then I suggest that you try:

exec-timeout 0

under line console 0. This will prevent the console from timing out and presenting the login prompt. It will have the effect of always keeping the console open.

HTH

Rick

jimmyc_2 Tue, 03/20/2007 - 10:43

Thanks Rick,

This will be wholly independent of whether TACACS is up or not?

Should I then remove all TACACS lines in Con 0?

Thanks

Correct Answer
Richard Burts Tue, 03/20/2007 - 10:55

James

This will be independent of TACACS. Whether you should remove the TACACS lines from Console 0 depends on what is configured in aaa and on what you want the behavior to be. If you leave the TACACS lines on console 0 there will be no authentication and the console will be pretty much always open. (I say pretty much because if someone is on the console and when they finish they execute the logoff or quit or exit commands the console session will terminate and go back to the login prompt.)

If you remove the TACACS lines from console 0 and there is an aaa authentication login default configured then the console will be subject to this processing for authentication.

Based on what I think I understand of what you are trying to do I would leave the TACACS configured on the console as you have it and I would add the exec-timeout 0.

HTH

Rick
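
Added example (not part of the original thread, and not Cisco tooling): a small Python check that reads a running-config and reports which login method list the console uses and whether its exec-timeout is disabled, the two settings discussed in the answer above. The sample config and the function name `audit_console` are constructed for illustration; it assumes `aaa new-model` is enabled and that commands appear in the full form IOS writes to the running-config.

```python
import re

# Constructed sample running-config (not from the thread): a named method
# list "for-console" with method "none", applied to the console line.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login for-console none
!
line con 0
 exec-timeout 0 0
 login authentication for-console
line vty 0 4
 exec-timeout 10 0
"""

def audit_console(config):
    """Report how 'line con 0' authenticates and whether it times out."""
    # Map each AAA login method list name to its ordered methods.
    lists = {m.group(1): m.group(2).split() for m in re.finditer(
        r"^aaa authentication login (\S+) (.+)$", config, re.M)}
    # Collect the indented sub-commands that belong to 'line con 0'.
    console, in_con = [], False
    for line in config.splitlines():
        if not line.startswith(" "):
            in_con = line.strip() == "line con 0"
        elif in_con and line.strip():
            console.append(line.strip())
    list_name = "default"        # assumption: aaa new-model, no list named on the line
    minutes, seconds = 10, 0     # IOS default exec-timeout is 10 minutes
    for cmd in console:
        parts = cmd.split()
        if parts[:2] == ["login", "authentication"] and len(parts) == 3:
            list_name = parts[2]
        elif parts[0] == "exec-timeout" and len(parts) > 1:
            minutes = int(parts[1])
            seconds = int(parts[2]) if len(parts) > 2 else 0
        elif parts[:2] == ["no", "exec-timeout"]:
            minutes, seconds = 0, 0
    methods = lists.get(list_name)
    return {
        "method_list": list_name,
        "methods": methods,  # None: the list is not defined in this config
        "unauthenticated": methods == ["none"],
        "never_times_out": minutes == 0 and seconds == 0,
    }

if __name__ == "__main__":
    print(audit_console(SAMPLE_CONFIG))
```

Run against a saved `show running-config`, this flags consoles that rely entirely on physical security (method `none` with the timeout disabled), which is worth tracking if a device is later moved to a less controlled location.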

Richard Burts Tue, 03/20/2007 - 11:07

James

Thanks for using the rating system to indicate that a posting provided a solution for your issue. (and thanks for the rating) It makes the forum much more useful when someone can read about a problem and can know that they will read a solution to the problem. I encourage you to continue your participation in the forum.

HTH

Rick
