Cisco Support Community

Disable AAA TACACS Authentication for ENABLE VIEW

Hi,

This is my first time at the forum!

I'm studying for the CCNA Security certification and trying to implement the role-based lab. I have successfully activated AAA authentication running ACS, but I would like to disable TACACS authentication for ENABLE VIEW mode. I read that the command "aaa authentication login default local" should enable local authentication when the TACACS group is NOT specified, but it is still trying to authenticate with TACACS.

Attached is a show run. Here is the basic configuration:

Router(config)# aaa new-model
Router(config)# tacacs-server host 192.168.6.16 single-connection
Router(config)# tacacs-server key cisco
Router(config)# aaa authentication login TACACS-AUTH group tacacs+ local
Router(config)# aaa authentication login default local

Router# enable view
Router# conf t
Router(config)# parser view SHOWMODE
Router(config-view)# secret cisco
Router(config-view)# commands exec include all show


Debugs:

ADSL-CubeCUCM#enable view

Password:

000032: Aug  1 16:57:14.454: AAA/AUTHEN/VIEW (00000004): Pick method list 'TACACS-AUTH'

% Authentication failed

ADSL-CubeCUCM#enable view SHOWMODE

Password:

000033: Aug  1 16:57:37.654: AAA/AUTHEN/VIEW (00000004): Pick method list 'TACACS-AUTH'

% Authentication failed

Regards

Please remember to rate useful posts clicking on the stars below.
Please rate all useful answers by clicking on the stars below.
___________________________________________
LinkedIn Profile: do.linkedin.com/in/leosalcie       

4 REPLIES

Disable AAA TACACS Authentication for ENABLE VIEW

Any help?

Cisco Employee

Re: Disable AAA TACACS Authentication for ENABLE VIEW

The default group is tacacs+ and it's there.

TACACS-AUTH is called a method list, and that is being called in line vty 0 4; that's the only reason it is still going to tacacs. If you want to point it towards the local database, remove the command from line vty 0 4.

aaa authentication login TACACS-AUTH group tacacs+ local

line con 0
 password leoleo
line aux 0
line vty 0 4
 password leoleo
 no login authentication TACACS-AUTH
 exit

~BR
Jatin Katyal

**Do rate helpful posts**


Disable AAA TACACS Authentication for ENABLE VIEW

Hi Jatin,

That command will disable the Line VTY authentication with ACS; I don't want that. I just want to disable the Enable View authentication with ACS for local authentication.


Cisco Employee

Disable AAA TACACS Authentication for ENABLE VIEW

Yeah, it seems you're enabling view from line vty (telnet/ssh), so this will surely hit the tacacs server as per your configuration.

Let's try to enable view from console.

You may also go through this:

https://supportforums.cisco.com/docs/DOC-15765

~BR
Jatin Katyal

**Do rate helpful posts**
