Which config line lets me log on locally to the router rather than through ACS?

Unanswered Question
Oct 2nd, 2009

aaa new-model
!
!
aaa group server radius cisco-acs
 server-private 10.32.108.68 auth-port 1645 acct-port 1646 key u14c
 server-private 10.32.0.9 auth-port 1812 acct-port 1813 key u14
 ip radius source-interface BVI1
!
aaa authentication login default group cisco-acs local-case
aaa authentication login acs-login group cisco-acs local-case
aaa authentication login ssl-login group ssl-login
aaa authorization exec default group cisco-acs local
aaa accounting exec default start-stop group cisco-acs
username root privilege 15 secret 5 ccccccccccccc
username support secret 5 hhhhhhhhhhhhhhhhhhh

I am having a problem logging in to the router using the ACS database and am not sure if it is configured to log on locally if ACS AUTHENTICATION FAILS. I am not able to log on locally using the root username.

Collin Clark Fri, 10/02/2009 - 06:07

aaa authentication login default group cisco-acs local-case

The username will be case sensitive. What is defined under your VTYs?

dhananjoy chowdhury Fri, 10/02/2009 - 11:41

The router might not allow you to authenticate via local, if the TACACS server is reachable.

Try disconnecting the interface on this router connecting to TACACS (if possible) or somehow make the TACACS IP unreachable for this router using an ACL.

Richard Burts Sun, 10/04/2009 - 19:07

ccde (whoever you are)

Your configuration has 3 method lists for login authentication:

aaa authentication login default group cisco-acs local-case

aaa authentication login acs-login group cisco-acs local-case

aaa authentication login ssl-login group ssl-login

Without knowing how your console, aux and vty lines are configured, and how you are attempting access, we cannot tell which of these lines is the one controlling your authentication.

And dhananjoy is quite correct that in the first two methods you will not attempt local login unless the authentication server does not respond to the authentication request.

So can you provide additional details from the configuration (at a minimum the config of console, aux, and vty - and more of the config might be better) and of how you are attempting to access the router?

HTH

Rick
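The two points raised in the replies above (which method list governs each line, and that local is only a fallback when the server gives no response) can be checked mechanically. The following is an added example, not part of the original thread: a small Python audit over an IOS config excerpt. The line stanzas in the sample are hypothetical, since the poster never showed them, and the function names are this example's own.

```python
import re

# Constructed sample: the AAA lines from the thread plus hypothetical line
# stanzas (the poster never showed the console/vty configuration).
SAMPLE = """\
aaa new-model
aaa group server radius cisco-acs
 server-private 10.32.108.68 auth-port 1645 acct-port 1646 key u14c
aaa authentication login default group cisco-acs local-case
aaa authentication login acs-login group cisco-acs local-case
aaa authentication login ssl-login group ssl-login
line con 0
line vty 0 4
 login authentication acs-login
"""
BUILTIN_GROUPS = {"radius", "tacacs+"}  # usable without an "aaa group server" stanza

def parse(config):
    groups, lists, lines, current = set(), {}, {}, None
    for raw in filter(str.strip, config.splitlines()):
        text = raw.strip()
        if not raw[0].isspace():  # a top-level command closes any open line stanza
            current = text if text.startswith("line ") else None
            if current:
                lines[current] = "default"  # no "login authentication" means the default list
        if m := re.match(r"aaa group server \S+ (\S+)", text):
            groups.add(m.group(1))
        elif m := re.match(r"aaa authentication login (\S+) (.+)", text):
            # Treat "group NAME" as a single method token: "group:NAME"
            lists[m.group(1)] = re.sub(r"group (\S+)", r"group:\1", m.group(2)).split()
        elif current and (m := re.match(r"login authentication (\S+)", text)):
            lines[current] = m.group(1)
    return groups, lists, lines

def audit(config):
    groups, lists, lines = parse(config)
    known = groups | BUILTIN_GROUPS
    undefined = {name: [m[6:] for m in methods if m.startswith("group:") and m[6:] not in known]
                 for name, methods in lists.items()}
    report = {}
    for line, name in lines.items():
        pos = next((i for i, m in enumerate(lists.get(name, [])) if m.startswith("local")), None)
        # Position > 0: local is consulted only when every earlier method gives no response
        local = "never" if pos is None else "first" if pos == 0 else "fallback"
        report[line] = {"list": name, "local": local}
    return report, {k: v for k, v in undefined.items() if v}

if __name__ == "__main__":
    for item in audit(SAMPLE):
        print(item)
```

On the sample, both lines report local as "fallback", and the ssl-login list is flagged because no server group of that name is defined in the lines that were posted.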
