04-23-2012 07:37 AM
I'm trying to set up reverse console access in the lab.
The AUX port on router R1 is connected to the console port on switch SW1.
On R1 I have the following configuration:
aaa new-model
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization reverse-access default group tacacs+ local
aaa accounting exec default
 action-type stop-only
 group tacacs+
!
aaa accounting commands 0 default
 action-type stop-only
 group tacacs+
!
aaa accounting commands 1 default
 action-type stop-only
 group tacacs+
!
aaa accounting commands 15 default
 action-type start-stop
 group tacacs+
!
aaa session-id common
!
line aux 0
 modem InOut
 transport preferred telnet
 transport input all
 transport output all
 flowcontrol hardware
I can telnet to R1, and then telnet to its own loopback0 interface on port 2001, which connects me to SW1:
r1#telnet 1.2.3.4 2001
Trying 1.2.3.4, 2001 ... Open
User Access Verification
Username: me
Password:
% Authorization failed.
[Connection to 1.2.3.4 closed by foreign host]
r1#
No matter what configuration I try, I always get this "% Authorization failed". I can telnet to SW1 just fine with the following configuration. What's missing to allow reverse access to work correctly?
aaa new-model
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default stop-only group tacacs+
aaa accounting commands 0 default stop-only group tacacs+
aaa accounting commands 1 default stop-only group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
aaa session-id common
!
line con 0
 privilege level 15
line vty 0 4
 session-timeout 5
 access-class 50 in
 logging synchronous
 transport input all
 transport output all
04-26-2012 11:58 PM
Does this help?
04-27-2012 03:55 AM
Hi Andrew,
Thanks for the input but unfortunately I'm still stumped! I can't see why it wouldn't work. After a bit more fiddling, the latest configs are below, but it seems like it should work to me. I dropped "aaa authorization reverse-access default group tacacs+ local" from R1; now, instead of being able to log into SW1 and get the "% Authorization failed." error, I get nothing and it just hangs indefinitely, never actually logging in or failing.
R1:
aaa new-model
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default
 action-type stop-only
 group tacacs+
!
aaa accounting commands 0 default
 action-type stop-only
 group tacacs+
!
aaa accounting commands 1 default
 action-type stop-only
 group tacacs+
!
aaa accounting commands 15 default
 action-type start-stop
 group tacacs+
!
aaa session-id common
!
line aux 0
 transport preferred none
 transport input telnet
 transport output none
SW1:
aaa new-model
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default stop-only group tacacs+
aaa accounting commands 0 default stop-only group tacacs+
aaa accounting commands 1 default stop-only group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
aaa session-id common
!
line con 0
 privilege level 15
04-28-2012 11:35 AM
I have two suggestions:
- on R1 add under line aux 0
no exec
- on SW1 remove
aaa authorization console
HTH
Rick
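Added example, not part of the thread or anyone's post: a small Python check that flags the two settings Rick's reply points at, plus the reverse-access authorization line from the first post, in an indented IOS config. The function names, role labels and sample configs are constructed for illustration, and the thread does not confirm whether these changes resolve the hang.

```python
# Added example (not from the thread): audit an indented IOS config for the
# reverse-telnet settings this thread discusses. Names and samples are constructed.
import re

def parse_sections(config):
    """Map each top-level command to the list of indented sub-commands under it."""
    sections, current = {}, None
    for raw in config.splitlines():
        cmd = raw.strip()
        if not cmd or cmd == "!":
            continue
        if raw[0].isspace() and current is not None:
            sections[current].append(cmd)
        else:
            current = cmd
            sections.setdefault(current, [])
    return sections

def audit_reverse_telnet(config, role):
    """role: 'terminal-server' (R1, AUX side) or 'console-target' (SW1)."""
    s, findings = parse_sections(config), []
    if role == "terminal-server":
        aux = s.get("line aux 0")
        if aux is None:
            return ["no 'line aux 0' section found"]
        if "no exec" not in aux:
            findings.append("line aux 0: 'no exec' missing")
        if not any(re.fullmatch(r"transport input .*\b(telnet|all)\b.*", c) for c in aux):
            findings.append("line aux 0: transport input does not allow telnet")
        if any(k.startswith("aaa authorization reverse-access") for k in s):
            findings.append("reverse-access authorization on: server must permit reverse telnet")
    elif role == "console-target":
        if "aaa authorization console" in s:
            findings.append("'aaa authorization console' present")
    return findings

# Constructed samples, abridged from the configs posted on 04-27-2012.
R1_POSTED = """
aaa new-model
aaa authorization exec default group tacacs+ if-authenticated
line aux 0
 transport preferred none
 transport input telnet
 transport output none
"""
SW1_POSTED = "aaa new-model\naaa authorization console\nline con 0\n privilege level 15\n"

if __name__ == "__main__":
    print(audit_reverse_telnet(R1_POSTED, "terminal-server"))
    print(audit_reverse_telnet(SW1_POSTED, "console-target"))
```

The parser relies on sub-commands being indented as `show running-config` prints them; a config pasted with the indentation stripped will be read as all top-level commands.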