VPN concentrator Tacacs admin rights

matthewmphc
Level 1

I have just set up our VPN concentrator so that administrators can log in and manage it using their domain accounts through our ACS server, versus the local username and password. However, it doesn't appear that if TACACS becomes unavailable, that it fails back to the local admin. Am I missing something?


ajagadee
Cisco Employee

Hi,

No, you are not missing anything. My understanding is that this is the default behavior of the VPN3000 when you configure TACACS for Admin Access. If the AAA server is unavailable, there is no fallback mechanism to local.

** Snip **

Caution: Misconfiguration of TACACS+ can lock an administrator out of the Concentrator HTML interface. If that happens, you can access the Concentrator by logging in through the console port, using your administrator username and password.

http://www.cisco.com/en/US/docs/security/vpn3000/vpn3000_47/administration/guide/access.html#wp1507954

I hope it helps.

Regards,

Arul

** Please rate all helpful posts **

Matthew

I think that it is unfortunate that there is not in the concentrator software the kind of fall back that we are used to having with IOS based (or CatOS based) devices. It probably represents having been developed originally outside of Cisco.

While my customer uses TACACS to authenticate network administrators for almost all network devices for which it is supported, we decided to not use TACACS on the concentrator and the lack of fall back was one of the main factors in the decision.

HTH

Rick
