10-02-2008 01:40 PM - edited 03-10-2019 04:07 PM
Hi
I have applied the following AAA configuration on 2950 series switches and it works very well,
but when I do the same on 2960 switches, the local password does not work and it is necessary to add the switch to the ACS in order to manage it.
Is some additional AAA configuration needed on 2960 switches?
Thanks.
tacacs-server host y.y.y.y
tacacs-server key xxxxx
aaa new-model
aaa authentication login acceso-consola group tacacs+ line
aaa authentication login acceso-telnet group tacacs+ line
aaa authentication enable default group tacacs+ enable
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
line con 0
 exec-timeout 0 0
 login authentication acceso-consola
line vty 0 4
 login authentication acceso-telnet
10-06-2008 12:23 PM
Hi,
You mentioned in a previous post that if you add it to the ACS you can log in fine.
I might have missed your answer in your previous post, but can you:
1. Log in and see if you've set up a local username and password on the switch. (You'll need to add the switch to ACS.)
2. You get no prompt from console or telnet?
These 2 lines below note that if TACACS fails (and only if the switch cannot communicate with ACS), it will default to using ONLY the password configured on the CON 0 or VTY lines.
If you have a local username and password configured and you substituted LOCAL for LINE in your config then you would use that username and password IF the ACS failed.
*********************************************
aaa authentication login acceso-consola group tacacs+ line
aaa authentication login acceso-telnet group tacacs+ line
*********************************************
You might already know the stuff I mentioned but I need to address it just in case you aren't familiar with it.
Craig
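Added example, not part of the thread: a small Python check related to the fallback behaviour described in the reply above. It flags method lists whose fallback method (line, local or enable) names a credential that the configuration does not define. The sample config is constructed, modelled on the one posted in the question, and the function name audit_fallback is hypothetical.

```python
import re

# Constructed sample, modelled on the configuration posted in this thread.
SAMPLE = """\
aaa authentication login acceso-consola group tacacs+ line
aaa authentication login acceso-telnet group tacacs+ local
aaa authentication enable default group tacacs+ enable
username admin secret 5 $1$constructed
line con 0
 login authentication acceso-consola
line vty 0 4
 password 7 constructed
 login authentication acceso-telnet
"""

def audit_fallback(config):
    """Return findings where a fallback method has no credential in the config."""
    lists, lines, current = {}, {}, None
    has_user = has_enable = False
    for raw in config.splitlines():
        text = raw.strip()
        m = re.match(r"aaa authentication (login|enable) (\S+) (.+)", text)
        if m:  # method list: (type, name) -> ordered method keywords
            lists[(m.group(1), m.group(2))] = m.group(3).split()
        elif text.startswith("username "):
            has_user = True
        elif re.match(r"enable (secret|password) ", text):
            has_enable = True
        elif text.startswith("line "):
            current = text
            lines[current] = {"list": "default", "password": False}
        elif current and raw.startswith(" "):  # sub-command of the current line block
            m = re.match(r"login authentication (\S+)", text)
            if m:
                lines[current]["list"] = m.group(1)
            lines[current]["password"] |= text.startswith("password ")
        else:
            current = None
    findings = []
    for name, info in lines.items():
        # Assumption: an undefined list (e.g. no explicit default) is not evaluated here.
        methods = lists.get(("login", info["list"]), [])
        if "line" in methods and not info["password"]:
            findings.append(f"{name}: 'line' fallback but no line password")
        if "local" in methods and not has_user:
            findings.append(f"{name}: 'local' fallback but no local username")
    if "enable" in lists.get(("enable", "default"), []) and not has_enable:
        findings.append("enable: 'enable' fallback but no enable secret/password")
    return findings
```

Running it against a saved running-config before deploying a AAA template shows which lines would have no usable credential once the TACACS+ server stops answering.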
10-06-2008 01:45 PM
Hi,
I know you mentioned that you used the same config on your 2950s and your 2960s, but is it possible to post the config from the same 2950 that you just did the debug on?
Thanks,
Craig