I have a customer that wants to only use ssh for their vty in conjunction with their TACACS server and a local account. I have created the local account and configured their aaa authentication using the following cmd:
aaa authentication login default group tacacs+ local
I have also configured the correct TACACS key and server ip in the 6513. My issue is that for some reason I am not able to ssh to the switch using a TACACS account so when it fails quiet mode is eventually enabled and I get the following message ...
000076: Aug 1 09:19:40.287 EDT: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 25 secs, [user: netman] [Source: 184.108.40.206] [localport: 22] [Reason: Login Authentication Failed] [ACL: sl_def_acl] at 09:19:40 EDT Sat Aug 1 2009[OK]
After the message I find that the ACL: sl_def_acl is now enable and placed under the vty section of the running config and never clears after the default time. As a result, ssh is blocked.
So, after this occurs I manually removed the ACL from the vty and tried to enter my own ACL to allow access to TACACS hosts through using ssh on the vty lines and it worked but it won't let me save the config like this because it states that quiet mode is enabled. I didn't configure auto secure with this switch so I am wondering if I can disable quiet mode somehow ... I understand that its a good security mechanism but right now for troubleshooting purposes I would like to disable quiet mode or remove the extended ACL.
If anyone knows how to do this or have any suggestions for me to consider please respond ... thanks in advance!