04-12-2007 07:10 AM - edited 03-10-2019 03:05 PM
have configured Cisco ACS 4.0 (TACACS) with Windows AD for all Cisco MDS switches and it is working fine. But local "admin" access to the Cisco MDS switches via telnet is not working. At the same time , if I create a user with "network-admin" role locally, that works but not the default admin user.
Could anyone help me in this regard.
04-12-2007 07:22 AM
SAK Mohan,
Are you authenticating against local or line after tacacs? Local will authenticate to a local username/password. Line will authenticate to the password on the vty line.
04-12-2007 07:31 AM
blank
04-12-2007 07:32 AM
local. Below is the script I used to configure TACACS (Cisco ACS 4.0) on Cisco MDS switches.
----------------------------------------
config t
#---------------------------------------
# Enable TACACS+
#---------------------------------------
tacacs+ enable
tacacs-server host nnn.nnn.nnn.nnn key 0 xxxxxx
tacacs-server host mmm.mmm.mmm.mmm key 0 xxxxx
#--------------------------------------
# Specify TACACS+ Server groups
#---------------------------------------
aaa group server tacacs+ tacgrp
server nnn.nnn.nnn.nnn
server mmm.mmm.mmm.mmm
#---------------------------------------
aaa authentication login default group tacgrp
aaa authentication login console local
#---------------------------------------
# Enable TACACS+ Accounting
#---------------------------------------
aaa accounting default group tacgrp local
#---------------------------------------
end
copy running-config startup-config
----------------------------------------
Thanks
MOhan
04-12-2007 07:44 AM
Mohan,
Do you have a local username called admin created? Or are you trying to login as admin, and then using the vty password when there is no admin account created?
04-12-2007 07:49 AM
Thanks.....
Yes....it is there which is the default/local "admin" user that comes with Cisco MDS switches. I am using the right password.
This we need as a backdoor to Switches in case TACACS fails for some reason.
Thanks
MOhan
04-12-2007 02:13 PM
if you want it as a backdoor (for default login)
you need to add local at the end of your statement.
the following statement
aaa authentication login default group tacgrp
should be modified to
aaa authentication login default group tacgrp local
That will enable you to authenticate with a local account (assuming you have configured a local cli user) in the event of a AAA server outage.
--Colin
04-12-2007 03:17 PM
THat is what I haebeen tying to configure....but unfortunately "local" option after "aaa authentication login default group tacgrp" is not available in Cisco MDS if i press Tab.
One more thing is..without the local option , I am able to login using locally created users with "netwok-admin" role but not the default "admin" user.......
--Mohan
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: