authentication via console

Answered Question
Feb 8th, 2009

I have the following configuration:

aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication login no_tacacs local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting commands 15 default start-stop group tacacs+

enable secret xxxxxxxxxxxxxxxxxxxxxxxx

username user password 7 yyyyyyyyyyyyyyyyyyyyyyyyyyyyy

line con 0

-----------------------------------------------


If I need to connect through the console, does the router request the username defined in the TACACS server?

If I lose the connection to the TACACS server, when I connect via console, does the router request the local username "user"?

Richard Burts Sun, 02/08/2009 - 20:23

Maria


Your configuration includes an authentication named method list of no_tacacs. But you do not show us where (if anywhere) that method is associated with interfaces or lines. And your post shows line con 0 and suggests that there are no config parameters under that line. Is this really the case?


If we accept the posted config at face value then we would believe that when you initiate login at the console that it would attempt to authenticate with tacacs and if it could not communicate with tacacs that it would authenticate with a locally configured user name.


HTH


Rick

Mohamed Sobair Sun, 02/08/2009 - 22:11

Adding to Rick's,

1st, you need to define which policy you are going to apply under line con 0.

This is achieved by:

line con 0
login authentication default

or

login authentication (no_tacacs)

2nd, you will need to define the TACACS server host and the key to be used for encrypting the messages between the router and the TACACS server.



HTH

Mohamed

griffith2009 Mon, 02/09/2009 - 14:55
Hi,

Yes, in this conf I forgot to put these lines:

tacacs-server host 1.1.1.1
tacacs-server directed-request
tacacs-server key 7 xxxxxxxxxxxx

That conf was made by the previous network administrator.

The method list no_tacacs is not referenced in the config.

I need to authenticate on the console via TACACS when I have a connection to TACACS, i.e. when it is up, and authenticate with the local user when TACACS is down.

With the command:

line con 0
login authentication default

can I do this?


Correct Answer
Richard Burts Tue, 02/10/2009 - 10:20

Maria


If the console is set for default authentication then this line in the config from your original post is the one that will operate:

aaa authentication login default group tacacs+ local

and what it will do is that it will first attempt to authenticate with the TACACS server (so it will prompt for user name and password, which should be the name and password as configured in TACACS) and if it has lost connection to the TACACS server then it will prompt for user name and password to authenticate the local user name from the config.


HTH


Rick
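Putting the thread's pieces together, here is an added, complete IOS configuration fragment (written for this page, not posted by any participant) that binds the console to the default list so TACACS+ is tried first and the local account is used only when no server answers. The server address and key are the ones quoted above; the passwords are placeholders, the `privilege 15` on the local account, the use of `secret` instead of `password 7`, and the `line aux 0` binding of `no_tacacs` are assumptions added to show how the otherwise unused named list could be applied.

```cisco
! Added example, not the original poster's config. Placeholders in <angle brackets>.
aaa new-model
!
! Default list: query the TACACS+ group first; "local" is consulted only when
! every server in the group fails to respond (timeout / marked dead), NOT when a
! server actually rejects the credentials.
aaa authentication login default group tacacs+ local
!
! Named list that never touches TACACS+, for a line that must work with no server.
aaa authentication login no_tacacs local
!
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting commands 15 default start-stop group tacacs+
!
! The server behind the "tacacs+" group and the shared key (values from the thread).
tacacs-server host 1.1.1.1
tacacs-server directed-request
tacacs-server key 7 xxxxxxxxxxxx
!
! Local fallback account. "secret" stores a hash (assumed change from the thread's
! reversible "password 7"); privilege 15 is an assumption so the fallback user gets
! a usable exec while the server is down.
username user privilege 15 secret <LOCAL-PASSWORD-PLACEHOLDER>
enable secret <ENABLE-SECRET-PLACEHOLDER>
!
! Console: explicitly use the default list. With aaa new-model the default list
! applies to every line even without this command; stating it avoids surprises.
line con 0
 login authentication default
!
! Assumed use of the named list: a port that should authenticate locally only.
line aux 0
 login authentication no_tacacs
```

To check the fallback behaviour before relying on it, `show aaa servers` (or `show tacacs`) shows whether the router currently considers the server reachable, `test aaa group tacacs+ <user> <password> legacy` exercises the server path on demand, and `debug aaa authentication` on a console session shows which method in the list actually answered. The practical caveat is the first comment in the block: a wrong password at the TACACS+ server is a rejection, not a failure, so the router will not fall through to the local user in that case; only an unreachable server triggers the local method.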
