ACS not working

Unanswered Question
Apr 12th, 2010

I have added the router IP & hostname as AAA clients,
AAA configuration has been done on the device.

The router is pingable from the ACS server, but it's not authenticating;
the local user is still active. What could be the issue?

The following configuration is given:

aaa new-model
aaa group server tacacs+ NACS_Group1
aaa authentication login default group NACS_Group1 local
aaa authentication enable default none
aaa authorization config-commands
aaa authorization exec default group NACS_Group1 if-authenticated
aaa authorization exec NACS_Group1 group tacacs+ local
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting commands 1 defaultgroup start-stop group tacacs+
aaa accounting commands 15 defaultgroup start-stop group tacacs+
aaa session-id common
====
tacacs-server host Primary IP timeout 5
tacacs-server host SEcondary IP  timeout 5
tacacs-server directed-request
tacacs-server key 7 104D000A061843595F

Ganesh Hariharan Mon, 04/12/2010 - 05:29

Hi,

Are you getting any failed-attempt messages on Cisco ACS whenever you try to telnet or SSH to the router? And have you also configured the following command on line vty?


line vty 0 4
login authentication groupname

Hope to Help !!

Ganesh.H

Remember to rate the helpful post
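
A small lint for this kind of configuration, as an added example that is not part of the original posts: it flags method lists that name a server group with no `server` entries (as posted, `NACS_Group1` shows none) and a vty `login authentication` name that is not a defined login list. The sample config is constructed from the lines posted in the thread; `lint_aaa` and its finding strings are hypothetical names.

```python
import re

# Constructed sample: AAA lines as posted in the question, followed by the
# vty stanza from the reply with its placeholder list name left unchanged.
SAMPLE = """\
aaa new-model
aaa group server tacacs+ NACS_Group1
aaa authentication login default group NACS_Group1 local
aaa authorization exec default group NACS_Group1 if-authenticated
aaa authorization exec NACS_Group1 group tacacs+ local
line vty 0 4
login authentication groupname
"""

BUILTIN_GROUPS = {"tacacs+", "radius"}  # IOS built-ins: all global servers

def lint_aaa(config):
    """Return findings for AAA names in the config that do not resolve."""
    groups, login_lists, group_refs, vty_refs = {}, {"default"}, [], []
    current = None  # server group whose sub-commands are being read
    for line in (l.strip() for l in config.splitlines()):
        m = re.match(r"aaa group server tacacs\+ (\S+)", line)
        if m:
            current = m.group(1)
            groups[current] = []
            continue
        if current and line.startswith("server "):
            groups[current].append(line.split(None, 1)[1])
            continue
        current = None
        m = re.match(r"aaa authentication login (\S+)", line)
        if m:
            login_lists.add(m.group(1))
        if line.startswith("aaa "):
            group_refs += [(g, line) for g in re.findall(r"\bgroup (\S+)", line)]
        m = re.match(r"login authentication (\S+)", line)
        if m:
            vty_refs.append(m.group(1))
    findings = []
    for name, line in group_refs:
        if name in BUILTIN_GROUPS:
            continue
        if name not in groups:
            findings.append(f"undefined server group {name!r}: {line}")
        elif not groups[name]:
            findings.append(f"server group {name!r} has no servers: {line}")
    findings += [f"vty uses undefined login list {n!r}" for n in vty_refs
                 if n not in login_lists]
    return findings
```

Run `lint_aaa` on the output of `show running-config` rather than on a pasted excerpt, since a forum paste may omit the `server` lines under the group.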
