04-24-2008 11:00 AM - edited 03-10-2019 03:48 PM
I have most of my customers' network devices set to use TACACS+ through an ACS server to authenticate remote admins who SSH to these devices.
I was attempting to set up a cryptic password as the authentication means for console access to any of the devices. This is in case we have to log into any of the devices locally and the ACS server is not available for any reason.
I used the IOS command "password" and then configured a password. However, when testing, the devices all still ask for a username when I connect to a console port to log in.
Is there any reason this would be happening?
Thanks
04-24-2008 01:24 PM
Remove the login local command under the line console configuration.
Router(config)#line con 0
Router(config-line)#no login local
Regards,
~JG
Do rate helpful posts
04-24-2008 05:48 PM
Thanks. That is what I needed.
04-25-2008 04:51 AM
Please mark it resolved, so others can benefit from it.
04-25-2008 08:20 AM
If I have understood the original post then I do not believe that it is an issue of login local. If aaa new-model is configured so that the vty will authenticate to ACS then it also means that the console will authenticate with the default authentication method - which is probably set to TACACS.
If you do not want the console to authenticate with tacacs then try configuring this:
aaa authentication login consoleauth line
line con 0
login authentication consoleauth
HTH
Rick
04-25-2008 09:04 AM
Oops, sorry, my bad.
Rick is 100% correct here; we need to make a method list for the console.
Thanks for the correction, Rick.
04-25-2008 09:19 AM
JG
No problem. We all help to keep each other straight. That is part of what makes the forum so very good.
HTH
Rick
04-26-2008 05:21 AM
Gentlemen
Let me take this a step further. If I configure the following statement, does this not roll back to the local userbase if in fact TACACS does not respond?
aaa authentication login default group tacacs+ local
I had moved forward and configured this on not only the vty lines (which are the most vulnerable to unauthorized access attempts), but on the console line as well by using:
router(config)#line con 0
router(config-line)#login authentication default
Thanks to both of you for your participation in this. I look forward to your response. I want my customers' networks to be as secure as possible.
Kevin
04-26-2008 01:51 PM
Kevin
Perhaps it is a terminology thing, but I am not clear what you are asking when you say: "does this not roll back the local userbase if in fact tacacs does not respond".
So let me respond by saying what that command will do.
aaa authentication login default group tacacs+ local
will attempt to authenticate with configured tacacs server(s) and if there is no response from tacacs or if the response from tacacs is error (note that fail is a very different response than error) then it will attempt to authenticate with locally configured userID and password. If attempting local authentication and if the entered userID does not exist in the locally configured set of users or if the entered password does not match the configured password for the userID entered then authentication will fail.
HTH
Rick
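The method-list behaviour Rick describes above (a TACACS+ error or no response falls through to local, a TACACS+ reject does not), modelled in a small simulation. This is an added example, not code from the thread or from IOS; the server simulation, the Result names and the local user entry are constructed for illustration.

```python
# Added example: a model of how an IOS AAA method list such as
# "aaa authentication login default group tacacs+ local" is evaluated.
# The TACACS+ server is simulated; the outcome names below are
# constructed for this example and are not IOS identifiers.
from enum import Enum
from typing import Callable, Dict, List

class Result(Enum):
    PASS = "pass"    # the method authenticated the user
    FAIL = "fail"    # the method answered and rejected the user
    ERROR = "error"  # the method could not answer (server down, timeout)

# Constructed local user database (what "username ... secret ..." would hold).
LOCAL_USERS: Dict[str, str] = {"admin": "c0nsole-0nly"}

def local_method(user: str, password: str) -> Result:
    """The 'local' method: an unknown user or wrong password is a FAIL, never an ERROR."""
    return Result.PASS if LOCAL_USERS.get(user) == password else Result.FAIL

def make_tacacs_method(reachable: bool, accept: bool) -> Callable[[str, str], Result]:
    """Simulated 'group tacacs+' method. reachable=False models a down or
    unreachable ACS; accept decides what a reachable server answers."""
    def tacacs(user: str, password: str) -> Result:
        if not reachable:
            return Result.ERROR
        return Result.PASS if accept else Result.FAIL
    return tacacs

def authenticate(methods: List[Callable[[str, str], Result]], user: str, password: str) -> Result:
    """Walk the method list in order. Only ERROR moves on to the next method;
    PASS and FAIL are final, which is why a TACACS+ REJECT never falls back to local."""
    outcome = Result.ERROR
    for method in methods:
        outcome = method(user, password)
        if outcome is not Result.ERROR:
            return outcome
    return outcome  # every method errored: the login is refused

def login(tacacs_reachable: bool, tacacs_accepts: bool, user: str, password: str) -> bool:
    """Evaluate 'group tacacs+ local' for the given server state and credentials."""
    methods = [make_tacacs_method(tacacs_reachable, tacacs_accepts), local_method]
    return authenticate(methods, user, password) is Result.PASS
```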
04-26-2008 06:07 PM
Yes, my terminology may not be as concise as it should have been. Your answer, however, is a great and thorough answer, Rick. In the event that the tacacs daemon (in my case the ACS box) cannot be reached because he is down, then the local username and password (which I had called a userbase incorrectly, I suppose) will be used. Whereas if tacacs does respond and it is a REJECT, then the user is not authenticated and is not allowed access.
Great job!
Kevin
04-27-2008 05:41 PM
Kevin
Thank you for the compliment. I am really gratified when someone expresses appreciation for my response.
I try to not say that someone's terminology is wrong because they may be speaking in some context I am not familiar with or have something in their background that gives the term meaning. So if I do not understand it I generally say it is not clear to me and ask for clarification. In this case I was pretty clear what you meant with userbase. What I did not understand was ROLL BACK the userbase.
I am glad that I was able to explain the functionality in a way that made sense to you.
HTH
Rick