10-15-2007 01:08 PM - edited 03-10-2019 03:26 PM
Hi,
I am trying to get my switches/routers/etc to use aaa to restrict access to configuration of my network devices. I have the aaa authenticating to ACS v3.3 now, but for some reason my local user no longer works. I would like to have the option of a local login just in case my ACS becomes unavailable.
My config on a 2950 is...
version 12.1
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
aaa new-model
aaa authentication login GPRC-Access group tacacs+ local enable none
aaa authorization exec GPRC-Access group tacacs+ local
aaa authorization network GPRC-Access group tacacs+ local
aaa accounting exec GPRC-Access start-stop group tacacs+
aaa accounting network GPRC-Access start-stop group tacacs+
enable secret xxx
enable password xxx
!
username admin privilege 15 secret xxx
tacacs-server host 172.20.2.25 key xxx
tacacs-server key xxx
tacacs-server administration
line vty 0 4
exec-timeout 15 0
password xxx
authorization exec GPRC-Access
accounting exec GPRC-Access
logging synchronous
login authentication GPRC-Access
length 48
line vty 5 15
password xxx
!
Solved! Go to Solution.
10-15-2007 01:14 PM
The only time the local user will work is when your TACACs server is unavailable. You can test by putting in the wrong TACACs key and establishing a new seeiosn. Make sure you keep the original session open just in case :-)
HTH and please rate.
10-15-2007 01:14 PM
The only time the local user will work is when your TACACs server is unavailable. You can test by putting in the wrong TACACs key and establishing a new seeiosn. Make sure you keep the original session open just in case :-)
HTH and please rate.
10-15-2007 01:19 PM
Thanks, I changed the key and tested it. You were correct. :)
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: