AAA for Cisco MDS Switches

SAK_Mohan
Level 1

I have configured Cisco ACS 4.0 (TACACS) with Windows AD for all Cisco MDS switches and it is working fine. But local "admin" access to the Cisco MDS switches via telnet is not working. At the same time, if I create a user with "network-admin" role locally, that works, but not the default admin user.

Could anyone help me in this regard.


colin.mcnamara
Level 4

You have two options.

1. Configure an "admin" user in AD. (Note that you don't have to use the account named admin; you can just as easily assign a local user with the network-admin role.) One thing to note is that you normally use this local account in case the TACACS+ or RADIUS authentication server goes down.

You can have users configured locally and in AD at the same time. If you are running AAA, the default config is to check your AAA servers first and, if they are not available, then to default to a local account.

2. Configure your local network-admin role user and then specify that, say, console access is authenticated locally, while SSH and telnet are authenticated through TACACS. This will allow you to always get in with a local account through the console, while it will force SSH and Telnet connections to authenticate through the AAA servers.

You can find this option in Device Manager > Security > AAA > Applications

If you found this helpful, please give it a rating.

Option 1:-

I have already configured an AD user with the network-admin role who is able to log in after successful authentication by TACACS. It has been configured to check TACACS first and then local.

I just want to be able to log in as the default "admin" user via telnet. I am able to log in as "admin" via FM/DM.

Option 2:-

I need to have telnet/ssh access using the locally residing and default user "admin". I am able to log in as other locally created users with the "network-admin" role. Since the switches are located 1000's of miles away, I need telnet access for admin in case the tacacs server goes down.

I am still confused why the default "admin" user is not working via telnet but everything else is, whether local/tacacs user.

--Mohan

Your configuration says that only console access is configured to check local. The first method is only configured to use the TACACS+ group. If you add a local statement to the end of the first line, it will allow you to get in ONLY if the TACACS+ server is down.

Try to keep in mind that AAA groups are processed in the same config line. If you don't have a valid auth method by the end of the line, you are out of luck.

Well, the thing about the AAA order is that you only go and check the next resource in the event your primary resource is unavailable.

It is likely since you do not have the "admin" account in your AD that the TACACS+ server is returning a message to deny access.

When the MDS observes the message to deny access to a user, then that is that. It will not go further down the list to, say, its local database.

--Colin
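The behaviour Colin describes, that a method list is walked left to right and the next method is only consulted when the previous one could not answer (server group unreachable), not when it answered with a reject, is the whole reason the default "admin" account fails over telnet. The following is an added example, not code from the thread or from Cisco: a small Python model of that method-list evaluation. The parser handles the `aaa authentication login <name> <methods...>` line shape used in this thread; the user stores, the two TACACS+ responders and the "fall off the end of the list means deny" rule are constructed assumptions for the demo, not a statement about every NX-OS release.

```python
"""Model of how an NX-OS style AAA login method list is evaluated (added example)."""
from enum import Enum
from typing import Callable, List, Optional, Tuple


class ServerResult(Enum):
    ACCEPT = "accept"            # the server group authenticated the user
    REJECT = "reject"            # the server group answered and denied the user
    UNREACHABLE = "unreachable"  # no server in the group answered at all


# Constructed sample data: the switch's local user database and the users
# that the AD-backed TACACS+ server knows about. "admin" exists only locally.
LOCAL_USERS = {"admin": "local-admin-secret", "backup-admin": "local-backup-secret"}
AD_USERS = {"mohan": "ad-secret"}


def tacacs_via_ad(username: str, password: str) -> ServerResult:
    """TACACS+ group whose user store is AD: an unknown user gets an explicit reject."""
    if AD_USERS.get(username) == password:
        return ServerResult.ACCEPT
    return ServerResult.REJECT


def tacacs_down(username: str, password: str) -> ServerResult:
    """TACACS+ group with every server unreachable (the 'server goes down' case)."""
    return ServerResult.UNREACHABLE


def parse_method_list(line: str) -> Tuple[str, List[str]]:
    """Parse 'aaa authentication login <name> <method ...>' into (name, [methods]).

    'group <name>' is kept together as one method; anything else ('local') is
    a single token.
    """
    tokens = line.split()
    if tokens[:3] != ["aaa", "authentication", "login"]:
        raise ValueError("not an 'aaa authentication login' line")
    name, rest = tokens[3], tokens[4:]
    methods: List[str] = []
    i = 0
    while i < len(rest):
        if rest[i] == "group":
            methods.append(f"group {rest[i + 1]}")
            i += 2
        else:
            methods.append(rest[i])
            i += 1
    return name, methods


def authenticate(
    methods: List[str],
    username: str,
    password: str,
    tacacs_group: Callable[[str, str], ServerResult] = tacacs_via_ad,
) -> Tuple[str, Optional[str]]:
    """Walk the method list left to right.

    Returns (decision, method) where method is the entry that decided.
    Assumption modelled here: a method hands over to the next one only when it
    cannot answer (group unreachable); an explicit reject ends the lookup.
    """
    for method in methods:
        if method.startswith("group "):
            result = tacacs_group(username, password)
            if result is ServerResult.ACCEPT:
                return "allow", method
            if result is ServerResult.REJECT:
                return "deny", method      # AD said no: the list is NOT consulted further
            continue                        # unreachable: fall through to the next method
        if method == "local":
            if LOCAL_USERS.get(username) == password:
                return "allow", method
            return "deny", method
        raise ValueError(f"unsupported method {method!r}")
    return "deny", None  # ran off the end of the list with no method able to answer


if __name__ == "__main__":
    _, default_list = parse_method_list("aaa authentication login default group tacacs+ local")
    _, console_list = parse_method_list("aaa authentication login console local")
    print("admin via telnet, TACACS+ up:  ", authenticate(default_list, "admin", "local-admin-secret"))
    print("admin via telnet, TACACS+ down:", authenticate(default_list, "admin", "local-admin-secret", tacacs_down))
    print("admin via console:             ", authenticate(console_list, "admin", "local-admin-secret"))
    print("mohan via telnet, TACACS+ up:  ", authenticate(default_list, "mohan", "ad-secret"))
```

Running it reproduces the symptom from the original question: with TACACS+ reachable, "admin" is rejected by the group and the local entry is never reached, while the AD user "mohan" is accepted by the group; only when the group is unreachable does the trailing `local` method take over, and without that trailing `local` an unreachable group leaves nothing on the list that can answer. A separate `console` list containing only `local` is what keeps a local break-glass login available regardless of server state.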

One really annoying thing is there is a slight change from SAN-OS 1, 2 to SAN-OS 3.

Console access via a local account had two different AAA configs (ignore the radius part).

SAN-OS 1 & 2:

aaa authentication login default group radius local
aaa accounting default group radius local

SAN-OS 3:

aaa authentication login default group radius local
aaa authentication login console local
aaa accounting default group radius

Only slight changes, and SAN-OS 3 is the "real" way of doing it. It could catch people out during an upgrade if they are unaware!

Cheers

Andrew

Thanks guys... it worked after adding "local" at the end of the line.

Kudos to you guys....

Mohan

Happy to help.

Please feel free to rate posts that helped you out ;)
