02-25-2010 07:32 PM - edited 03-10-2019 04:58 PM
Hi,
I've managed to set up ACS authentication on my 2611XM router;
after you log in to the router I have an autocommand set up to run a menu.
My problem is that when you select an option on the menu,
you are then re-prompted to reauthenticate against the router again before connecting to the line.
Can anyone tell me how to stop this from happening?
Thanks for your time and effort in advance; I have enclosed a config below.
DDRAS01#sh running-config
Building configuration...
Current configuration : 6854 bytes
!
! Last configuration change at 10:28:49 AEST Sun Feb 21 2010 by <removed>
! NVRAM config last updated at 19:25:53 AEST Sat Feb 20 2010 by <removed>
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service linenumber
service sequence-numbers
!
hostname DDRAS01
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 informational
logging rate-limit all 10000
logging console critical
enable password 7 <removed>
!
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication login if_needed local
aaa authentication enable default enable
aaa authentication ppp default local
aaa authorization exec default group tacacs+ local if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
aaa session-id common
clock timezone AEST 10
clock summer-time AEST recurring last Sun Oct 2:00 last Sun Mar 3:00
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
!
!
ip domain list <removed>
ip domain list <removed>
ip domain name <removed>
ip host dd-cr-01e 2033 172.16.1.1
ip host ddsws01 2034 172.16.1.1
ip host ddsws04 2035 172.16.1.1
ip host ddce565 2040 172.16.1.1
ip name-server <removed>
ip name-server <removed>
!
!
!
username netops privilege 15 password 7 <removed>
!
!
ip ssh source-interface FastEthernet0/0
ip ssh logging events
ip ssh version 2
!
!
interface Loopback0
ip address 172.16.1.1 255.255.255.255
!
interface FastEthernet0/0
ip address <removed> 255.255.255.0
speed 100
full-duplex
!
interface Serial0/0
no ip address
shutdown
!
interface BRI0/0
no ip address
encapsulation hdlc
shutdown
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 <removed>
!
ip http server
no ip http secure-server
ip tacacs source-interface FastEthernet0/0
!
ip radius source-interface FastEthernet0/0
logging facility local6
logging <removed>
snmp-server community <removed> RO
snmp-server community <removed> RW
snmp-server location <removed>
snmp-server contact NetOps
!
menu ddras01 title ^C
Cisco Terminal Server
Select the number from the list below
Use 'ctrl+shift+6' then 'x' to switch back to the menu
^C
menu ddras01 text 1 Connect to DD-CR-01
menu ddras01 command 1 resume dd-cr-01 /connect telnet dd-cr-01 2033
menu ddras01 text 2 Connect to DDSWS01
menu ddras01 command 2 resume ddsws01 /connect telnet ddsws01 2034
menu ddras01 text 3 Connect to DDSWS04
menu ddras01 command 3 resume ddsws04 /connect telnet ddsws04 2035
menu ddras01 text 8 Connect to DDCE565
menu ddras01 command 8 resume ddce565 /connect telnet ddce565 2040
menu ddras01 text 9 Exit
menu ddras01 command 9 menu-exit
menu ddras01 clear-screen
menu ddras01 status-line
menu ddras01 line-mode
tacacs-server host 10.2.0.50
tacacs-server directed-request
tacacs-server key 7 <removed>
!
control-plane
!
privilege exec level 15 write terminal
privilege exec level 15 write
privilege exec level 1 ping
privilege exec level 10 undebug ip icmp
privilege exec level 10 undebug ip
privilege exec level 10 undebug all
privilege exec level 10 undebug
privilege exec level 10 terminal monitor
privilege exec level 10 terminal
privilege exec level 15 show running-config
privilege exec level 5 show configuration
privilege exec level 5 show
privilege exec level 10 debug ip icmp
privilege exec level 10 debug ip
privilege exec level 10 debug all
privilege exec level 10 debug
privilege exec level 10 clear interface
privilege exec level 10 clear counters
privilege exec level 10 clear
!
line con 0
password 7 <removed>
logging synchronous
line 33 64
no exec-banner
exec-timeout 0 0
no activation-character
no exec
transport preferred telnet
transport input all
escape-character 27
stopbits 1
flowcontrol hardware
line aux 0
line vty 0 4
password 7 <removed>
logging synchronous
autocommand menu ddras01
line vty 5 181
password 7 <removed>
logging synchronous
autocommand menu ddras01
!
ntp clock-period 17208487
ntp source FastEthernet0/0
ntp server <removed>
end
02-26-2010 01:53 PM
Hello,
You have aaa login default set up for authentication; with this on you will get prompted
when attempting to access any line.
Under line VTY 5 181 try adding:
login authentication NOAUTH
authorization exec NOAUTH
add the aaa lines:
aaa authentication login NOAUTH none
aaa authorization exec NOAUTH none
That should stop the authentication to the lines.
--Jesse
02-26-2010 02:11 PM
Hi Jesse
I have made the changes you recommended, however I'm still getting prompted to reauthenticate each time I choose a menu entry.
I have included an updated copy of the config; any help you can provide is greatly appreciated.
Thanks
DDRAS01(config)#do sh runnin
Building configuration...
Current configuration : 7371 bytes
!
! Last configuration change at 17:55:22 AEST Sun Feb 21 2010 by david
! NVRAM config last updated at 11:07:30 AEST Sun Feb 21 2010 by david
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service linenumber
service sequence-numbers
!
hostname DDRAS01
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 informational
logging rate-limit all 10000
logging console critical
enable password 7
!
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication login if_needed local
aaa authentication login NOAUTH none
aaa authentication enable default enable
aaa authentication ppp default local
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization exec NOAUTH none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
aaa session-id common
clock timezone AEST 10
clock summer-time AEST recurring last Sun Oct 2:00 last Sun Mar 3:00
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
!
!
ip domain list
ip domain list
ip domain name
ip host dd-cr-01 2033 172.16.1.1
ip host ddsws01 2034 172.16.1.1
ip host ddsws04 2035 172.16.1.1
ip host ddce565 2040 172.16.1.1
ip name-server
ip name-server
!
!
!
username netops privilege 15 password 7
!
!
ip ssh source-interface FastEthernet0/0
ip ssh logging events
ip ssh version 2
!
!
interface Loopback0
ip address 172.16.1.1 255.255.255.255
!
interface FastEthernet0/0
ip address
speed 100
full-duplex
!
interface Serial0/0
no ip address
shutdown
!
interface BRI0/0
no ip address
encapsulation hdlc
shutdown
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0
!
ip http server
no ip http secure-server
ip tacacs source-interface FastEthernet0/0
!
ip radius source-interface FastEthernet0/0
logging facility local6
logging
snmp-server community
snmp-server community
snmp-server location
snmp-server contact
!
menu ddras01 title ^C
Cisco Terminal Server
Select the number from the list below
Use 'ctrl+shift+6' then 'x' to switch back to the menu
^C
menu ddras01 text 1 Connect to DD-CR-01
menu ddras01 command 1 resume dd-cr-01 /connect telnet dd-cr-01 2033
menu ddras01 text 2 Connect to DDSWS01
menu ddras01 command 2 resume ddsws01 /connect telnet ddsws01 2034
menu ddras01 text 3 Connect to DDSWS04
menu ddras01 command 3 resume ddsws04 /connect telnet ddsws04 2035
menu ddras01 text 8 Connect to DDCE565
menu ddras01 command 8 resume ddce565 /connect telnet ddce565 2040
menu ddras01 text a Clear connection to DD-CR-01
menu ddras01 command a clear line 33
menu ddras01 text b Clear connection to DDSWS01
menu ddras01 command b clear line 34
menu ddras01 text c Clear connection to DDSWS04
menu ddras01 command c clear line 35
menu ddras01 text h Clear connection to DDCE565
menu ddras01 command h clear line 40
menu ddras01 text x Exit Menu
menu ddras01 command x menu-exit
menu ddras01 text l Logout
menu ddras01 command l logout
menu ddras01 clear-screen
menu ddras01 status-line
tacacs-server host
tacacs-server directed-request
tacacs-server key 7
!
control-plane
!
privilege exec level 15 write terminal
privilege exec level 15 write
privilege exec level 1 ping
privilege exec level 10 undebug ip icmp
privilege exec level 10 undebug ip
privilege exec level 10 undebug all
privilege exec level 10 undebug
privilege exec level 10 terminal monitor
privilege exec level 10 terminal
privilege exec level 15 show running-config
privilege exec level 5 show configuration
privilege exec level 5 show
privilege exec level 10 debug ip icmp
privilege exec level 10 debug ip
privilege exec level 10 debug all
privilege exec level 10 debug
privilege exec level 10 clear interface
privilege exec level 10 clear counters
privilege exec level 10 clear
!
line con 0
password 7
logging synchronous
line 33 64
no exec-banner
exec-timeout 0 0
no activation-character
no exec
transport preferred telnet
transport input all
escape-character 27
stopbits 1
flowcontrol hardware
line aux 0
line vty 0 4
password 7
logging synchronous
autocommand menu ddras01
line vty 5 181
password 7
authorization exec NOAUTH
logging synchronous
login authentication NOAUTH
autocommand menu ddras01
!
ntp clock-period 17208478
ntp source FastEthernet0/0
ntp server
!
end
02-26-2010 02:18 PM
It looks like you have the autocommand under vty 0 4 as well.
Do you know what line you are accessing when you are prompted for authentication.
--Jesse
02-26-2010 02:56 PM
OK, I opened 2 sessions to the router.
From the 2nd session I chose a menu option;
now on the 1st session I ran the sh users command,
output below:
DDRAS01#sh users
Line User Host(s) Idle Location
33 tty 33 incoming 00:00:19 dd-cr-01
66 vty 0 david dd-cr-01 00:00:19 netops54.workstations.
* 67 vty 1 david idle 00:00:00 netops54.workstations.
Interface User Mode Idle Peer Address
I hope this helps.
02-26-2010 04:19 PM
Never mind Jesse,
I solved it.
Adding
aaa authentication login NOAUTH none
aaa authorization exec NOAUTH none
and I needed to add the
login authentication NOAUTH
authorization exec NOAUTH
to line 33 64:
line 33 64
no exec-banner
exec-timeout 0 0
authorization exec NOAUTH
login authentication NOAUTH
no activation-character
no exec
transport preferred telnet
transport input all
escape-character 27
stopbits 1
flowcontrol hardware
line vty 0 4
password 7
logging synchronous
autocommand menu ddras01
line vty 5 181
password 7
logging synchronous
autocommand menu ddras01
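Added example, not from the thread: the accepted fix collected into one fragment, plus an access-class the thread does not discuss. With method none on lines 33 64, anyone who can reach the reverse-telnet ports (2033 to 2040 on 172.16.1.1) gets an unauthenticated console port on the attached device, so the access list below (a constructed name, an assumption) limits those lines to connections sourced from the router's own loopback, while the VTYs stay on the default TACACS+ list as in the final config.

```cisco
! Named method lists that skip login authentication and exec authorization.
! The default list (group tacacs+ local) is left untouched for the VTYs.
aaa authentication login NOAUTH none
aaa authorization exec NOAUTH none
!
! Assumption: only the router itself should open reverse-telnet connections
! to the async lines, so everyone has to come in through an authenticated VTY
! first. The menu's /connect commands target 172.16.1.1 (Loopback0).
ip access-list standard REVERSE-TELNET-IN
 permit host 172.16.1.1
 deny   any log
!
! Make the router's own telnet sessions to its loopback source from Loopback0
! so they match the permit entry above.
ip telnet source-interface Loopback0
!
line 33 64
 login authentication NOAUTH
 authorization exec NOAUTH
 access-class REVERSE-TELNET-IN in
 no exec
 no exec-banner
 exec-timeout 0 0
 no activation-character
 transport input telnet
 escape-character 27
 stopbits 1
 flowcontrol hardware
!
! VTYs keep the default lists: TACACS+ login, then the menu autocommand.
line vty 0 4
 logging synchronous
 autocommand menu ddras01
line vty 5 181
 logging synchronous
 autocommand menu ddras01
```

The interim config in this thread had login authentication NOAUTH on line vty 5 181 as well, which would have let a sixth concurrent VTY session in with no authentication at all; the final config correctly drops it from the VTYs.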
03-02-2010 06:32 AM
Yes, my apologies, I listed the wrong lines in my post.
--Jesse