VPN concentrator Tacacs admin rights

Unanswered Question
Sep 26th, 2007

I have just set up our VPN concentrator so that administrators can log in and manage it using their domain accounts through our ACS server, versus the local username and password. However, it doesn't appear that, if TACACS becomes unavailable, it fails back to the local admin. Am I missing something?

ajagadee Wed, 09/26/2007 - 12:54

Hi,

No, you are not missing anything. My understanding is that this is the default behavior of the VPN3000 when you configure TACACS for Admin Access. If the AAA server is unavailable, there is no fallback mechanism to local.

** Snip **

Caution: Misconfiguration of TACACS+ can lock an administrator out of the Concentrator HTML interface. If that happens, you can access the Concentrator by logging in through the console port, using your administrator username and password.

http://www.cisco.com/en/US/docs/security/vpn3000/vpn3000_47/administration/guide/access.html#wp1507954

I hope it helps.

Regards,

Arul

** Please rate all helpful posts **
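
The practical consequence of the answer above is that, with TACACS+ as the only admin authentication path on the VPN3000, an unreachable AAA server means no management login except the console. The following is an added example (not code from the original posts, and not Cisco's or the ACS product's code) of a small probe that performs a real TACACS+ PAP login against the AAA server, so a monitor can tell you the admin path is at risk before you find out by being locked out. Packet layout and body obfuscation follow RFC 8907; the host name, shared key and probe credentials are placeholders and are assumptions, not values from the thread.

```python
"""Probe a TACACS+ server with a real PAP authentication request.

Added example for this thread, not code from the original posts or from
Cisco: when TACACS+ is the only admin authentication path (no local
fallback), the AAA server's health is the health of your management
login, so probe it before and after cut-over. Packet layout and body
obfuscation follow RFC 8907 (TACACS+). Host, shared key and credentials
below are placeholders (assumptions), not values from the thread.
"""
import hashlib
import os
import socket
import struct

# RFC 8907: major version 0xC; minor version 1 is required for PAP/CHAP.
TAC_PLUS_VERSION = (0xC << 4) | 1          # 0xC1
TAC_PLUS_AUTHEN = 1                        # packet type: authentication
TAC_PLUS_AUTHEN_LOGIN = 1                  # START action
TAC_PLUS_AUTHEN_TYPE_PAP = 2
TAC_PLUS_AUTHEN_SVC_LOGIN = 1
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
# 12-byte header: version, type, seq_no, flags, session_id, body length
HEADER = struct.Struct("!BBBBII")
REPLY_STATUS = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER", 5: "GETPASS",
                6: "RESTART", 7: "ERROR", 0x21: "FOLLOW"}


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 keystream: pad_1 = MD5(sid|key|ver|seq), pad_n = MD5(sid|key|ver|seq|pad_n-1)."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, last = b"", b""
    while len(pad) < length:
        last = hashlib.md5(prefix + last).digest()
        pad += last
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; the operation is its own inverse."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_pap(user, password, port=b"probe", rem_addr=b"127.0.0.1", priv_lvl=15):
    """Authentication START body for a PAP login (the password travels in 'data')."""
    fixed = struct.pack("!BBBBBBBB", TAC_PLUS_AUTHEN_LOGIN, priv_lvl,
                        TAC_PLUS_AUTHEN_TYPE_PAP, TAC_PLUS_AUTHEN_SVC_LOGIN,
                        len(user), len(port), len(rem_addr), len(password))
    return fixed + user + port + rem_addr + password


def authen_reply(status, server_msg=b"", data=b""):
    """Authentication REPLY body as a server would send it (used here for test vectors)."""
    return struct.pack("!BBHH", status, 0, len(server_msg), len(data)) + server_msg + data


def build_packet(body, key, session_id, seq_no=1, version=TAC_PLUS_VERSION):
    """Header in the clear, body obfuscated under the shared key."""
    header = HEADER.pack(version, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def parse_reply(packet, key):
    """Return (status_name, server_msg) from an authentication REPLY packet."""
    version, _ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    raw = packet[HEADER.size:HEADER.size + length]
    body = raw if flags & TAC_PLUS_UNENCRYPTED_FLAG else obfuscate(raw, session_id, key, version, seq_no)
    status, _rflags, msg_len, _data_len = struct.unpack_from("!BBHH", body)
    server_msg = body[6:6 + msg_len].decode("utf-8", "replace")
    return REPLY_STATUS.get(status, "UNKNOWN(%d)" % status), server_msg


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("connection closed after %d of %d bytes" % (len(buf), n))
        buf += chunk
    return buf


def probe(host, key, user, password, port=49, timeout=3.0):
    """One PAP login attempt. 'UNREACHABLE' means the admin path has no AAA server to talk to."""
    session_id = int.from_bytes(os.urandom(4), "big")
    packet = build_packet(authen_start_pap(user, password), key, session_id)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(packet)
            header = _recv_exact(sock, HEADER.size)
            body_len = HEADER.unpack(header)[5]
            return parse_reply(header + _recv_exact(sock, body_len), key)
    except (OSError, struct.error) as exc:
        return "UNREACHABLE", str(exc)


if __name__ == "__main__":
    # Placeholder target and key (assumptions); a real monitor reads these from config.
    status, msg = probe("tacacs.example.test", b"sharedkey", b"probe-user", b"probe-pass")
    print("TACACS+ status: %s %s" % (status, msg))
```

Use a dedicated low-privilege probe account on the ACS server so the monitor's credentials are worthless for a real login; a FAIL still tells you the server is up and decrypting correctly, while UNREACHABLE or ERROR is the condition under which, on a concentrator without local fallback, the console port becomes the only way in.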

Richard Burts Fri, 09/28/2007 - 09:29

Matthew

I think that it is unfortunate that the concentrator software does not have the kind of fallback that we are used to having with IOS-based (or CatOS-based) devices. It probably represents having been developed originally outside of Cisco.

While my customer uses TACACS to authenticate network administrators for almost all network devices for which it is supported, we decided not to use TACACS on the concentrator, and the lack of fallback was one of the main factors in the decision.

HTH

Rick
