VPN concentrator Tacacs admin rights

Unanswered Question
Sep 26th, 2007

I have just set up our VPN concentrator so that administrators can login and manage it using their domain accounts through our ACS server, versus the local username and password. However, it doesn't appear that if TACACS becomes unavailable, that it fails back to the local admin. Am I missing something?

ajagadee (Cisco Employee) Wed, 09/26/2007 - 12:54

Hi,

No, you are not missing anything. My understanding is that this is the default behavior of the VPN3000 when you configure TACACS for Admin Access. If the AAA server is unavailable, there is no fallback mechanism to local.



** Snip **

Caution: Misconfiguration of TACACS+ can lock an administrator out of the Concentrator HTML interface. If that happens, you can access the Concentrator by logging in through the console port, using your administrator username and password.

http://www.cisco.com/en/US/docs/security/vpn3000/vpn3000_47/administration/guide/access.html#wp1507954


I hope it helps.


Regards,

Arul


** Please rate all helpful posts **

Richard Burts Fri, 09/28/2007 - 09:29

Matthew


I think that it is unfortunate that there is not in the concentrator software the kind of fall back that we are used to having with IOS based (or CatOS based) devices. It probably represents having been developed originally outside of Cisco.


While my customer uses TACACS to authenticate network administrators for almost all network devices for which it is supported, we decided to not use TACACS on the concentrator and the lack of fall back was one of the main factors in the decision.


HTH


Rick
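Added example (not code from this thread, from Cisco, or from any Cisco product): a small Python model of the two admin-login behaviours the replies above compare. The concentrator-style list has only TACACS+ and fails closed when the server is unreachable; the IOS-style `group tacacs+ local` list falls through to the local database, but only when a method returns no answer (server unreachable), never when the server actively rejects the credentials. Users, passwords and the "reachable" flag are all constructed for the demo.

```python
"""Simulate AAA admin-login method lists to show why a TACACS+-only
configuration with no local fallback locks administrators out when
the AAA server is unreachable.

Added example; all users, passwords and behaviour are constructed.
"""
from enum import Enum
import hmac


class Outcome(Enum):
    ACCEPT = "accept"   # server (or local db) verified the credentials
    REJECT = "reject"   # server answered: credentials are wrong
    ERROR = "error"     # server unreachable / timed out: no answer at all


# Constructed credential stores (plaintext only to keep the demo short).
TACACS_USERS = {"matthew": "Domain-Pass-1"}
LOCAL_USERS = {"admin": "Local-Pass-1"}


def _check(store, user, password):
    """Constant-time credential comparison against one store."""
    expected = store.get(user)
    if expected is None:
        return Outcome.REJECT
    return Outcome.ACCEPT if hmac.compare_digest(expected, password) else Outcome.REJECT


def tacacs_method(user, password, tacacs_reachable):
    # An unreachable server yields ERROR, which is what lets a method list fall through.
    if not tacacs_reachable:
        return Outcome.ERROR
    return _check(TACACS_USERS, user, password)


def local_method(user, password, tacacs_reachable):
    return _check(LOCAL_USERS, user, password)


METHODS = {"tacacs+": tacacs_method, "local": local_method}


def authenticate(method_list, user, password, tacacs_reachable=True):
    """Evaluate an ordered method list the way an IOS-style AAA list does:
    move to the next method only on ERROR (no answer); ACCEPT and REJECT
    are final. Returns (outcome, name of the method that decided)."""
    for name in method_list:
        outcome = METHODS[name](user, password, tacacs_reachable)
        if outcome is not Outcome.ERROR:
            return outcome, name
    # Every method was unreachable: fail closed. On the concentrator this is
    # the lockout the thread describes; only the console port remains.
    return Outcome.ERROR, None


CONCENTRATOR_STYLE = ["tacacs+"]      # what the thread describes: no fallback
IOS_STYLE = ["tacacs+", "local"]      # "group tacacs+ local" style method list


def lockout_scenarios():
    """Four cases a practitioner would want to see side by side."""
    return {
        "concentrator_tacacs_down": authenticate(
            CONCENTRATOR_STYLE, "admin", "Local-Pass-1", tacacs_reachable=False),
        "ios_tacacs_down": authenticate(
            IOS_STYLE, "admin", "Local-Pass-1", tacacs_reachable=False),
        "ios_tacacs_up_bad_password": authenticate(
            IOS_STYLE, "matthew", "wrong", tacacs_reachable=True),
        "ios_tacacs_up_good": authenticate(
            IOS_STYLE, "matthew", "Domain-Pass-1", tacacs_reachable=True),
    }


if __name__ == "__main__":
    for name, (outcome, method) in lockout_scenarios().items():
        print(f"{name:28s} -> {outcome.value:6s} (decided by {method})")
```

The third scenario is the one that is easy to get wrong in a risk assessment: a reachable TACACS+ server that rejects a password ends the evaluation with REJECT, so a local fallback entry does not turn a stolen-password attempt into a second chance against the local database. Fallback only widens the door when the server cannot answer at all.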
