TACACS+ and ACS 2.6/NT -- stupid questions I think ;-)

Hi folks:


I know this is going to sound dumb, but I have some questions related to my first-ever TACACS+ install. I have tons of R/S experience in almost everything...except AAA. (grin)


Questions:


1) How can I disconnect a user after their usage quota expires? I have ACS set up to track usage and restrict to an absolute time. It tracks total number of accesses to the NAS but never seems to keep the time.


2) Can I authorize certain commands to be available in user mode that would normally only be accessible via enable mode? Or do I have to specifically allow enable mode and then permit/deny CLI commands?


3) When users authenticate to the NAS and then jump off to other devices via reverse telnet, they are challenged for the same TACACS username/pw again. Why?


Thanks all, I really appreciate it. It's driving me nuts and CCO is quite confusing on the subject of AAA to me.


Scott

ciscomoderator Tue, 12/18/2001 - 13:32

Oftentimes complex troubleshooting issues are best addressed in an interactive session with one of our trained technical assistance engineers. While other forum users may be able to help, it's often difficult to do so for this type of issue.


To utilize the resources at our Technical Assistance Center, please visit http://www.cisco.com/tac and to open a case with one of our TAC engineers, visit http://www.cisco.com/tac/caseopen


If anyone else in the forum has some advice, please reply to this thread.

Thank you for posting.


iswift Thu, 01/24/2002 - 02:04

I'll try to answer your questions to the best of my ability.

1) I don't believe there's a way to limit access via quota. As you say you can track start/stop records to give usage per user or group but that could be used for billing purposes as opposed to access restriction.

2) Enable mode commands will only be allowed once a user is in enable mode, regardless of whether they have gone through TACACS+ or not. As you rightly say, you will have to allow enable mode and then permit/deny IOS commands. What you may be thinking of is that if you allow a user access level 15, say, this will 'catapult' them straight to enable mode so they do not have to enter the ENABLE command from what appears to be their 'user' mode when they login.

3) Authentication via TACACS+ will be on a per-device basis, whether you are going in via console, vty line or async access, for example. The AAA model is present in each device you reverse telnet to, or think about it this way: if you had TACACS+ authentication on some devices and local user/passwd on others, you must authenticate to each device separately with the specified login methods. (It just happens all your kit is set up for AAA.)


Ian
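To make the per-device and per-command points in Ian's answer concrete, here is an added example of the AAA configuration each IOS device would carry; it is not from the original thread or from Cisco's documentation, and the server address 10.1.1.5 and the secrets are placeholders. It pairs the "catapult to enable" behaviour (exec authorization accepting priv-lvl=15 from ACS) with per-command authorization, and shows that every device reached by reverse telnet applies its own login method list.

```ios
! Added example: per-device AAA for TACACS+ (assumed ACS server 10.1.1.5,
! placeholder shared secret). This block must exist on every device, including
! the ones reached by reverse telnet, because each device authenticates on its own.
aaa new-model
tacacs-server host 10.1.1.5
tacacs-server key REPLACE_WITH_SHARED_SECRET
!
! Login: ask TACACS+ first; fall back to the local database only when the server
! is unreachable (a reject from ACS is final, it does not fall through to local).
username admin-local privilege 15 secret REPLACE_WITH_LOCAL_PASSWORD
aaa authentication login default group tacacs+ local
!
! The enable password is also checked by ACS, falling back to the local enable secret.
enable secret REPLACE_WITH_ENABLE_SECRET
aaa authentication enable default group tacacs+ enable
!
! Exec authorization is what lets ACS hand back priv-lvl=15 for a user or group;
! that is the setting that drops the user straight into enable mode at login.
aaa authorization exec default group tacacs+ local
!
! Command authorization: each command typed at level 1 or level 15 is sent to ACS
! for a permit/deny decision. ACS only filters the commands the user's current
! privilege level already reaches; enable-mode commands still need level 15.
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization config-commands
!
! Start/stop accounting produces the per-user session records (with elapsed time)
! that ACS can report on, even though it does not enforce a time quota from them.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! Apply the lists to the vty lines. The async lines on a terminal server and the
! console of each target device get the same treatment, which is why a reverse
! telnet hop prompts for credentials again.
line vty 0 4
 login authentication default
 authorization exec default
 authorization commands 1 default
 authorization commands 15 default
 accounting exec default
 accounting commands 15 default
```

Keep the local fallback user and enable secret in place, otherwise an unreachable ACS locks every administrator out of the device at once.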
