2611xm Terminal Server + ACS + reauthentication when selecting menu options

Answered Question
Feb 25th, 2010

Hi,

I've managed to set up ACS authentication on my 2611xm router. After you log in to the router, I have an autocommand set up to run a menu.

My problem is that when you select an option on the menu, you are then re-prompted to reauthenticate against the router again before connecting to the line. Can anyone tell me how to stop this from happening?

Thanks for your time and effort in advance. I have enclosed a config below.

DDRAS01#sh running-config
Building configuration...

Current configuration : 6854 bytes
!
! Last configuration change at 10:28:49 AEST Sun Feb 21 2010 by <removed>
! NVRAM config last updated at 19:25:53 AEST Sat Feb 20 2010 by <removed>
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service linenumber
service sequence-numbers
!
hostname DDRAS01
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 informational
logging rate-limit all 10000
logging console critical
enable password 7 <removed>
!
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication login if_needed local
aaa authentication enable default enable
aaa authentication ppp default local
aaa authorization exec default group tacacs+ local if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
aaa session-id common
clock timezone AEST 10
clock summer-time AEST recurring last Sun Oct 2:00 last Sun Mar 3:00
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
!
!
ip domain list <removed>
ip domain list <removed>
ip domain name <removed>
ip host dd-cr-01e 2033 172.16.1.1
ip host ddsws01 2034 172.16.1.1
ip host ddsws04 2035 172.16.1.1
ip host ddce565 2040 172.16.1.1
ip name-server <removed>
ip name-server <removed>
!
!
!
username netops privilege 15 password 7 <removed>
!
!
ip ssh source-interface FastEthernet0/0
ip ssh logging events
ip ssh version 2
!
!
interface Loopback0
ip address 172.16.1.1 255.255.255.255
!
interface FastEthernet0/0
ip address <removed> 255.255.255.0
speed 100
full-duplex
!
interface Serial0/0
no ip address
shutdown
!
interface BRI0/0
no ip address
encapsulation hdlc
shutdown
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 <removed>
!
ip http server
no ip http secure-server
ip tacacs source-interface FastEthernet0/0
!
ip radius source-interface FastEthernet0/0
logging facility local6
logging <removed>
snmp-server community <removed> RO
snmp-server community <removed> RW
snmp-server location <removed>
snmp-server contact NetOps
!
menu ddras01 title ^C

Cisco Terminal Server
Select the number from the list below
Use 'ctrl+shift+6' then 'x' to switch back to the menu

^C
menu ddras01 text 1 Connect to DD-CR-01
menu ddras01 command 1 resume dd-cr-01 /connect telnet dd-cr-01 2033
menu ddras01 text 2 Connect to DDSWS01
menu ddras01 command 2 resume ddsws01 /connect telnet ddsws01 2034
menu ddras01 text 3 Connect to DDSWS04
menu ddras01 command 3 resume ddsws04 /connect telnet ddsws04 2035
menu ddras01 text 8 Connect to DDCE565
menu ddras01 command 8 resume ddce565 /connect telnet ddce565 2040
menu ddras01 text 9 Exit
menu ddras01 command 9 menu-exit
menu ddras01 clear-screen
menu ddras01 status-line
menu ddras01 line-mode
tacacs-server host 10.2.0.50
tacacs-server directed-request
tacacs-server key 7 <removed>
!
control-plane
!
privilege exec level 15 write terminal
privilege exec level 15 write
privilege exec level 1 ping
privilege exec level 10 undebug ip icmp
privilege exec level 10 undebug ip
privilege exec level 10 undebug all
privilege exec level 10 undebug
privilege exec level 10 terminal monitor
privilege exec level 10 terminal
privilege exec level 15 show running-config
privilege exec level 5 show configuration
privilege exec level 5 show
privilege exec level 10 debug ip icmp
privilege exec level 10 debug ip
privilege exec level 10 debug all
privilege exec level 10 debug
privilege exec level 10 clear interface
privilege exec level 10 clear counters
privilege exec level 10 clear
!
line con 0
password 7 <removed>
logging synchronous
line 33 64
no exec-banner
exec-timeout 0 0
no activation-character
no exec
transport preferred telnet
transport input all
escape-character 27
stopbits 1
flowcontrol hardware
line aux 0
line vty 0 4
password 7 <removed>
logging synchronous
autocommand  menu ddras01
line vty 5 181
password 7 <removed>
logging synchronous
autocommand  menu ddras01
!
ntp clock-period 17208487
ntp source FastEthernet0/0
ntp server <removed>
end

Correct Answer
jedubois Fri, 02/26/2010 - 13:53

Hello,

You have aaa login default set up for authentication; with this on you will get prompted when attempting to access any line.

Under line VTY 5 181 try adding:

login authentication NOAUTH
authorization exec NOAUTH

Add the aaa lines:

aaa authentication login NOAUTH none
aaa authorization exec NOAUTH none

That should stop the authentication to the lines.

--Jesse

ddolbel Fri, 02/26/2010 - 14:11

Hi Jesse,

I have made the changes you recommended; however, I'm still getting prompted to reauthenticate each time I choose a menu entry. I have included an updated copy of the config; any help you can provide is greatly appreciated.

Thanks

DDRAS01(config)#do sh runnin
Building configuration...

Current configuration : 7371 bytes
!
! Last configuration change at 17:55:22 AEST Sun Feb 21 2010 by david
! NVRAM config last updated at 11:07:30 AEST Sun Feb 21 2010 by david
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service linenumber
service sequence-numbers
!
hostname DDRAS01
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 informational
logging rate-limit all 10000
logging console critical
enable password 7
!
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication login if_needed local
aaa authentication login NOAUTH none
aaa authentication enable default enable
aaa authentication ppp default local
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization exec NOAUTH none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
aaa session-id common
clock timezone AEST 10
clock summer-time AEST recurring last Sun Oct 2:00 last Sun Mar 3:00
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
!
!
ip domain list
ip domain list
ip domain name
ip host dd-cr-01 2033 172.16.1.1
ip host ddsws01 2034 172.16.1.1
ip host ddsws04 2035 172.16.1.1
ip host ddce565 2040 172.16.1.1
ip name-server
ip name-server
!
!
!
username netops privilege 15 password 7
!
!
ip ssh source-interface FastEthernet0/0
ip ssh logging events
ip ssh version 2
!
!
interface Loopback0
ip address 172.16.1.1 255.255.255.255
!
interface FastEthernet0/0
ip address 255.255.255.0
speed 100
full-duplex
!
interface Serial0/0
no ip address
shutdown
!
interface BRI0/0
no ip address
encapsulation hdlc
shutdown
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0
!
ip http server
no ip http secure-server
ip tacacs source-interface FastEthernet0/0
!
ip radius source-interface FastEthernet0/0
logging facility local6
logging
snmp-server community RO
snmp-server community RW
snmp-server location
snmp-server contact
!
menu ddras01 title ^C

Cisco Terminal Server
Select the number from the list below
Use 'ctrl+shift+6' then 'x' to switch back to the menu

^C
menu ddras01 text 1 Connect to DD-CR-01
menu ddras01 command 1 resume dd-cr-01 /connect telnet dd-cr-01 2033
menu ddras01 text 2 Connect to DDSWS01
menu ddras01 command 2 resume ddsws01 /connect telnet ddsws01 2034
menu ddras01 text 3 Connect to DDSWS04
menu ddras01 command 3 resume ddsws04 /connect telnet ddsws04 2035
menu ddras01 text 8 Connect to DDCE565
menu ddras01 command 8 resume ddce565 /connect telnet ddce565 2040
menu ddras01 text a Clear connection to DD-CR-01
menu ddras01 command a clear line 33
menu ddras01 text b Clear connection to DDSWS01
menu ddras01 command b clear line 34
menu ddras01 text c Clear connection to DDSWS04
menu ddras01 command c clear line 35
menu ddras01 text h Clear connection to DDCE565
menu ddras01 command h clear line 40
menu ddras01 text x Exit Menu
menu ddras01 command x menu-exit
menu ddras01 text l Logout
menu ddras01 command l logout
menu ddras01 clear-screen
menu ddras01 status-line
tacacs-server host
tacacs-server directed-request
tacacs-server key 7
!
control-plane
!
privilege exec level 15 write terminal
privilege exec level 15 write
privilege exec level 1 ping
privilege exec level 10 undebug ip icmp
privilege exec level 10 undebug ip
privilege exec level 10 undebug all
privilege exec level 10 undebug
privilege exec level 10 terminal monitor
privilege exec level 10 terminal
privilege exec level 15 show running-config
privilege exec level 5 show configuration
privilege exec level 5 show
privilege exec level 10 debug ip icmp
privilege exec level 10 debug ip
privilege exec level 10 debug all
privilege exec level 10 debug
privilege exec level 10 clear interface
privilege exec level 10 clear counters
privilege exec level 10 clear
!
line con 0
password 7
logging synchronous
line 33 64
no exec-banner
exec-timeout 0 0
no activation-character
no exec
transport preferred telnet
transport input all
escape-character 27
stopbits 1
flowcontrol hardware
line aux 0
line vty 0 4
password 7
logging synchronous
autocommand  menu ddras01
line vty 5 181
password 7
authorization exec NOAUTH
logging synchronous
login authentication NOAUTH
autocommand  menu ddras01
!
ntp clock-period 17208478
ntp source FastEthernet0/0
ntp server
!
end

Correct Answer
jedubois Fri, 02/26/2010 - 14:18

It looks like you have the autocommand under vty 0 4 as well.

Do you know what line you are accessing when you are prompted for authentication?

--Jesse

ddolbel Fri, 02/26/2010 - 14:56

OK, I opened 2 sessions to the router. From the 2nd session I chose a menu option; now on the 1st session I ran the sh users command. Output below:

DDRAS01#sh users
    Line       User       Host(s)              Idle       Location
  33 tty 33               incoming             00:00:19 dd-cr-01
  66 vty 0     david      dd-cr-01       00:00:19 netops54.workstations.
* 67 vty 1     david      idle                 00:00:00 netops54.workstations.

  Interface    User               Mode         Idle     Peer Address

I hope this helps.

ddolbel Fri, 02/26/2010 - 16:19

Never mind, Jesse.

I solved it. Adding

aaa authentication login NOAUTH none
aaa authorization exec NOAUTH none

and I needed to add the

login authentication NOAUTH
authorization exec NOAUTH

to line 33 64:

line 33 64
no exec-banner
exec-timeout 0 0
authorization exec NOAUTH
login authentication NOAUTH
no activation-character
no exec
transport preferred telnet
transport input all
escape-character 27
stopbits 1
flowcontrol hardware
line vty 0 4
password 7
logging synchronous
autocommand  menu ddras01
line vty 5 181
password 7
logging synchronous
autocommand  menu ddras01
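As an added audit example (not from the thread or from Cisco), the following Python resolves each IOS line range to the AAA method list it actually uses, the way Jesse's answer and the final line 33 64 fix above describe: a line with no explicit `login authentication` falls back to the `default` list, and a list of `none` means sessions arriving on that line are never authenticated. The sample config is a constructed excerpt modelled on the thread's final config, not the poster's full dump.

```python
import re

# Constructed excerpt modelled on the thread's final config, not the poster's full dump.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login NOAUTH none
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization exec NOAUTH none
line 33 64
 authorization exec NOAUTH
 login authentication NOAUTH
line vty 0 4
line vty 5 181
 login authentication NOAUTH
"""

AAA_RE = re.compile(r"^aaa (authentication login|authorization exec) (\S+) (.+)$", re.M)

def parse_method_lists(config):
    """Return {('login'|'exec', list_name): [methods]} from the global aaa lines."""
    lists = {}
    for m in AAA_RE.finditer(config):
        kind = "login" if m.group(1).startswith("authentication") else "exec"
        lists[(kind, m.group(2))] = m.group(3).split()
    return lists

def parse_lines(config):
    """Map each line range to its login/exec list names; unset means 'default' under aaa new-model."""
    lines, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:]
            lines[current] = {"login": "default", "exec": "default"}
        elif current is not None:
            m = re.match(r"\s+(login authentication|authorization exec) (\S+)", raw)
            if m:
                lines[current]["login" if m.group(1).startswith("login") else "exec"] = m.group(2)
    return lines

def audit(config):
    """Resolve every line range to its effective methods; flag lines whose login list is 'none'."""
    lists = parse_method_lists(config)
    report = {}
    for rng, names in parse_lines(config).items():
        login = lists.get(("login", names["login"]), ["<undefined>"])
        exec_ = lists.get(("exec", names["exec"]), ["<undefined>"])
        report[rng] = {"login": login, "exec": exec_, "bypasses_aaa": login == ["none"]}
    return report
```

Running `audit(SAMPLE_CONFIG)` flags `33 64` and `vty 5 181` as bypassing AAA while `vty 0 4` still resolves to `group tacacs+ local`, which is exactly the split the thread ends up with.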

jedubois Tue, 03/02/2010 - 06:32

Yes my apologies I listed the wrong lines in my post.

--Jesse
