AAA and Cisco MDS switches.........

Unanswered Question
Apr 12th, 2007
User Badges:

have configured Cisco ACS 4.0 (TACACS) with Windows AD for all Cisco MDS switches and it is working fine. But local "admin" access to the Cisco MDS switches via telnet is not working. At the same time , if I create a user with "network-admin" role locally, that works but not the default admin user.

Could anyone help me in this regard.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading. Thu, 04/12/2007 - 07:22
User Badges:

SAK Mohan,

Are you authenticating against local or line after tacacs? Local will authenticate to a local username/password. Line will authenticate to the password on the vty line.

SAK_Mohan Thu, 04/12/2007 - 07:32
User Badges:

local. Below is the script I used to configure TACACS (Cisco ACS 4.0) on Cisco MDS switches.


config t


# Enable TACACS+


tacacs+ enable

tacacs-server host nnn.nnn.nnn.nnn key 0 xxxxxx

tacacs-server host mmm.mmm.mmm.mmm key 0 xxxxx


# Specify TACACS+ Server groups


aaa group server tacacs+ tacgrp

server nnn.nnn.nnn.nnn

server mmm.mmm.mmm.mmm


aaa authentication login default group tacgrp

aaa authentication login console local


# Enable TACACS+ Accounting


aaa accounting default group tacgrp local



copy running-config startup-config



MOhan Thu, 04/12/2007 - 07:44
User Badges:


Do you have a local username called admin created? Or are you trying to login as admin, and then using the vty password when there is no admin account created?

SAK_Mohan Thu, 04/12/2007 - 07:49
User Badges:

Thanks..... is there which is the default/local "admin" user that comes with Cisco MDS switches. I am using the right password.

This we need as a backdoor to Switches in case TACACS fails for some reason.



colin.mcnamara Thu, 04/12/2007 - 14:13
User Badges:
  • Bronze, 100 points or more

if you want it as a backdoor (for default login)

you need to add local at the end of your statement.

the following statement

aaa authentication login default group tacgrp

should be modified to

aaa authentication login default group tacgrp local

That will enable you to authenticate with a local account (assuming you have configured a local cli user) in the event of a AAA server outage.


SAK_Mohan Thu, 04/12/2007 - 15:17
User Badges:

THat is what I haebeen tying to configure....but unfortunately "local" option after "aaa authentication login default group tacgrp" is not available in Cisco MDS if i press Tab.

One more thing is..without the local option , I am able to login using locally created users with "netwok-admin" role but not the default "admin" user.......



This Discussion