AAA and Cisco MDS switches

Unanswered Question
Apr 12th, 2007

I have configured Cisco ACS 4.0 (TACACS) with Windows AD for all Cisco MDS switches and it is working fine. But local "admin" access to the Cisco MDS switches via telnet is not working. At the same time, if I create a user with the "network-admin" role locally, that works, but not the default admin user.

Could anyone help me in this regard?

SAK_Mohan Thu, 04/12/2007 - 07:32

local. Below is the script I used to configure TACACS (Cisco ACS 4.0) on Cisco MDS switches.

----------------------------------------
config t
#---------------------------------------
# Enable TACACS+
#---------------------------------------
tacacs+ enable
tacacs-server host nnn.nnn.nnn.nnn key 0 xxxxxx
tacacs-server host mmm.mmm.mmm.mmm key 0 xxxxx
#--------------------------------------
# Specify TACACS+ Server groups
#---------------------------------------
aaa group server tacacs+ tacgrp
server nnn.nnn.nnn.nnn
server mmm.mmm.mmm.mmm
#---------------------------------------
aaa authentication login default group tacgrp
aaa authentication login console local
#---------------------------------------
# Enable TACACS+ Accounting
#---------------------------------------
aaa accounting default group tacgrp local
#---------------------------------------
end
copy running-config startup-config
----------------------------------------

Thanks

Mohan

SAK_Mohan Thu, 04/12/2007 - 07:49

Thanks.....

Yes.... it is there; it is the default/local "admin" user that comes with Cisco MDS switches. I am using the right password.

This we need as a backdoor to the switches in case TACACS fails for some reason.

Thanks

Mohan

colin.mcnamara Thu, 04/12/2007 - 14:13

If you want it as a backdoor (for default login), you need to add local at the end of your statement.

The following statement

aaa authentication login default group tacgrp

should be modified to

aaa authentication login default group tacgrp local

That will enable you to authenticate with a local account (assuming you have configured a local CLI user) in the event of an AAA server outage.

--Colin
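The AAA configuration in Mohan's script and the `local` fallback Colin recommends can be checked mechanically before a switch is touched. The following is an added example, not code from the thread or from Cisco: a small Python parser that reads an MDS-style running-config fragment, extracts the TACACS+ hosts, server groups and login method lists, and reports whether the default login method list ends in `local` (and whether each group member has a matching `tacacs-server host` entry). The two sample configs are constructed from the script posted above; the `nnn.nnn.nnn.nnn` / `mmm.mmm.mmn.mmm` addresses and `xxxxxx` keys are the post's own placeholders. The script only inspects text; it says nothing about whether a given MDS release accepts the keyword at the CLI, which is the separate question raised later in the thread.

```python
"""Audit an MDS / NX-OS style AAA fragment for a local login fallback.

Added example (not Cisco's code, not from the post). It parses the
'tacacs-server host', 'aaa group server tacacs+', 'server' and
'aaa authentication login' lines and flags a default login method list
that has no 'local' entry, which is the gap Colin points out.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the AAA lines of the posted script, placeholders kept.
CONFIG_NO_FALLBACK = """\
tacacs+ enable
tacacs-server host nnn.nnn.nnn.nnn key 0 xxxxxx
tacacs-server host mmm.mmm.mmm.mmm key 0 xxxxx
aaa group server tacacs+ tacgrp
  server nnn.nnn.nnn.nnn
  server mmm.mmm.mmm.mmm
aaa authentication login default group tacgrp
aaa authentication login console local
aaa accounting default group tacgrp local
"""

# Constructed sample: the same fragment with Colin's 'local' fallback added.
CONFIG_WITH_FALLBACK = CONFIG_NO_FALLBACK.replace(
    "aaa authentication login default group tacgrp\n",
    "aaa authentication login default group tacgrp local\n",
)


@dataclass
class AaaConfig:
    tacacs_enabled: bool = False
    tacacs_hosts: list = field(default_factory=list)   # from 'tacacs-server host'
    groups: dict = field(default_factory=dict)         # group name -> member servers
    login_methods: dict = field(default_factory=dict)  # 'default'/'console' -> tokens


def parse_aaa(config: str) -> AaaConfig:
    """Extract the AAA-relevant lines; indentation and '#' comments are ignored."""
    cfg = AaaConfig()
    current_group = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        if line == "tacacs+ enable":
            cfg.tacacs_enabled = True
        elif (m := re.match(r"tacacs-server host (\S+)", line)):
            cfg.tacacs_hosts.append(m.group(1))
        elif (m := re.match(r"aaa group server tacacs\+ (\S+)$", line)):
            current_group = m.group(1)
            cfg.groups[current_group] = []
            continue  # keep the group open for the 'server' lines that follow
        elif current_group and (m := re.match(r"server (\S+)$", line)):
            cfg.groups[current_group].append(m.group(1))
            continue
        elif (m := re.match(r"aaa authentication login (\S+) (.+)$", line)):
            cfg.login_methods[m.group(1)] = m.group(2).split()
        current_group = None  # any other top-level line closes the group block
    return cfg


def has_local_fallback(cfg: AaaConfig, login: str = "default") -> bool:
    """True if the named login method list contains 'local'."""
    return "local" in cfg.login_methods.get(login, [])


def audit(config: str) -> list:
    """Return a list of human-readable findings; empty means nothing to flag."""
    cfg = parse_aaa(config)
    findings = []
    if not cfg.tacacs_enabled:
        findings.append("tacacs+ is not enabled")
    for name, members in cfg.groups.items():
        for srv in members:
            if srv not in cfg.tacacs_hosts:
                findings.append(f"group {name}: server {srv} has no tacacs-server host entry")
    default = cfg.login_methods.get("default", [])
    for i, tok in enumerate(default):
        if tok == "group" and i + 1 < len(default) and default[i + 1] not in cfg.groups:
            findings.append(f"default login references undefined group {default[i + 1]}")
    if not has_local_fallback(cfg, "default"):
        findings.append(f"default login: method list '{' '.join(default)}' has no 'local' fallback")
    if not has_local_fallback(cfg, "console"):
        findings.append("console login: 'local' not in method list")
    return findings


if __name__ == "__main__":
    for label, cfg_text in (("no fallback", CONFIG_NO_FALLBACK),
                            ("with fallback", CONFIG_WITH_FALLBACK)):
        print(f"{label}: {audit(cfg_text) or 'no findings'}")
```

Run against the posted script the audit flags only the default login method list; with `local` appended it reports nothing. The parser keys on the command prefixes as they appear in the post, so a config captured with `show running-config` (indented group members, leading `!` comments) parses the same way.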

SAK_Mohan Thu, 04/12/2007 - 15:17

That is what I have been trying to configure.... but unfortunately the "local" option after "aaa authentication login default group tacgrp" is not available in Cisco MDS if I press Tab.

One more thing is... without the local option, I am able to log in using locally created users with the "network-admin" role but not the default "admin" user.......

--Mohan
