Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
333
Views
0
Helpful
3
Replies

TACACS+ and ACS 2.6/NT -- stupid questions I think ;-)

scott.decker
Level 1
Level 1

‎12-12-2001 07:32 PM - edited ‎03-01-2019 07:43 PM

Hi folks:

I know this is going to sound dumb, but I have some questions related to my first-ever TACACS+ install. I have tons of R/S experience in almost everything...except AAA. (grin)

Questions:

1) How can I disconnect a user after their usage quota expires? I have ACS set up to track usage and restrict to an absolute time. It tracks total number of accesses to the NAS but never seems to keep the time.

2) Can I authorize certain commands to be available in user mode that would normally only be accessible via enable mode? Or do I have to specifically allow enable mode and then permit/deny CLI commands?

3) When users authenticate to the NAS and then jump off to other devices via reverse telnet, they are challenged for the same TACACS username/pw again. Why?

Thanks all, I really appreciate it. It's driving me nuts and CCO is quite confusing on the subject of AAA to me.

Scott

Labels:
0 Helpful
3 Replies 3

ciscomoderator
Community Manager
Community Manager

‎12-18-2001 01:32 PM

Often times complex troubleshooting issues are best addressed in an interactive session with one of our trained technical assistance engineers. While other forum users may be able to help, it’s often difficult to do so for this type of issue.

To utilize the resources at our Technical Assistance Center, please visit http://www.cisco.com/tac and to open a case with one of our TAC engineers, visit http://www.cisco.com/tac/caseopen

If anyone else in the forum has some advice, please reply to this thread.

Thank you for posting.

0 Helpful

scott.decker
Level 1
Level 1
In response to ciscomoderator

‎12-19-2001 04:44 AM

Thanks, I didn't want to open a TAC case for a 'simple' configuration issue, but I suppose there's no alternative at this point. I can't wait too much longer to implement.

Thanks again!

Scott

0 Helpful

iswift
Level 1
Level 1

‎01-24-2002 02:04 AM

I'll try to answer your questions to the best of my ability.

1) I don't believe there's a way to limit access via quota. As you say you can track start/stop records to give usage per user or group but that could be used for billing purposes as opposed to access restriction.

2)Enable mode commands will only be allowed once a user is in enable mode, regardelss of whether they have gone through TACACS+ or not. As you rightly say, you will have to allow enable mode and then permit/deny IOS commands. What you may be thinking of is that if you allow a user access level 15, say, this will 'catapult' them straight to enable mode so they do not have to enter the ENABLE command from what appears to be their 'user' mode when they login.

3)Authentication via TACACS+ will be on a per-device basis, whether you are going in via console, vty line or async access, for example. The AAA model is present in each device you reverse telnet to, or think about this way, if you had TACACS+ auentication on some devices and local user/passwd on others, you must authenticate to each devie separately with the specified login methods. (It just happens all your kit is set up for AAA)

Ian

0 Helpful
Customers Also Viewed These Support Documents