
SSH Access to IOS devices with AAA

I currently have a TAC case open but it is taking ages for the TAC engineer to give me any feedback so I thought I would post here.

We have a scenario where we need to use a minimum of 12.2(2)T on some routers used as Terminal Servers. On these routers we only allow SSH access to the VTY lines (transport input SSH); we also have AAA enabled using Tacacs+ and a CiscoSecure ACS 3.0 Server (Windows 2000). If we try to log in to the router using an SSH client with Authentication & Authorisation pointing to the ACS Server it fails until we enable in the group 'allow unspecified (or unknown?) services' on the ACS Server (this doesn't happen with Telnet). This is fine, but if the ACS Server is unavailable we fall back to Local User Authentication and it always fails due to Authorisation failure.

It looks like a new 'feature' has been introduced in 12.2(x)T as we don't see this on the Cat6K Native Switches running 12.1(13)Ex. We are currently running 12.2(8)T10.

Thanks

Andy

1 REPLY

Re: SSH Access to IOS devices with AAA

! The debugs below are from debug AAA authorisation for a Telnet connection

! and a SSH connection - Telnet successful, SSH not successful

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!Telnet login!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

TERMINAL-SERVER#

02:15:51: AAA/AUTHOR (0x28): Pick method list 'default' - PASS

02:15:51: AAA/AUTHOR/EXEC(00000028): processing AV cmd=

02:15:51: AAA/AUTHOR/EXEC(00000028): Authorization successful

TERMINAL-SERVER#

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!SSH Login!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

TERMINAL-SERVER#

02:16:07: AAA: parse name=tty67 idb type=-1 tty=-1

02:16:07: AAA: name=tty67 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=67 channel=0

02:16:07: AAA/MEMORY: create_user (0x82CBC310) user='NULL' ruser='NULL' ds0=0 port='tty67' rem_addr='10.1.1.10' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0'

02:16:09: AAA/AUTHOR (0x29): Pick method list 'default' - FAIL - FAIL

02:16:09: AAA/AUTHOR/EXEC(00000029): Authorization FAILED

02:16:11: AAA/MEMORY: free_user (0x82CBC310) user='admin' ruser='NULL' port='tty67' rem_addr='10.1.1.10' authen_type=ASCII service=LOGIN priv=1

TERMINAL-SERVER#

Any takers???

Andy

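Added example, not part of the thread: a small Python parser for the debug aaa authorization output quoted above. It correlates the 'Pick method list' and 'AAA/AUTHOR/EXEC' lines by session id (0x29 and 00000029 are the same id in two formats) so a failed EXEC authorization can be flagged together with the user and peer address from the following free_user line. The sample lines are constructed from the ones in this thread; tying free_user to the preceding failure is a heuristic, because that line carries only a memory address, not the session id.

```python
import re

# Constructed sample input, modelled on the "debug aaa authorization" lines
# quoted in the thread: session 0x28 is the Telnet login, 0x29 the SSH login.
SAMPLE_DEBUG = """\
02:15:51: AAA/AUTHOR (0x28): Pick method list 'default' - PASS
02:15:51: AAA/AUTHOR/EXEC(00000028): processing AV cmd=
02:15:51: AAA/AUTHOR/EXEC(00000028): Authorization successful
02:16:07: AAA/MEMORY: create_user (0x82CBC310) user='NULL' ruser='NULL' ds0=0 port='tty67' rem_addr='10.1.1.10' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0'
02:16:09: AAA/AUTHOR (0x29): Pick method list 'default' - FAIL - FAIL
02:16:09: AAA/AUTHOR/EXEC(00000029): Authorization FAILED
02:16:11: AAA/MEMORY: free_user (0x82CBC310) user='admin' ruser='NULL' port='tty67' rem_addr='10.1.1.10' authen_type=ASCII service=LOGIN priv=1
"""

# The session id appears as '(0x29)' on the method-list line and as a
# zero-padded hex '(00000029)' on the EXEC line; both parse to the same int.
METHOD_RE = re.compile(r"AAA/AUTHOR \(0x([0-9A-Fa-f]+)\): Pick method list '(\w+)' - (PASS|FAIL)")
EXEC_RE = re.compile(r"AAA/AUTHOR/EXEC\(([0-9A-Fa-f]+)\): Authorization (successful|FAILED)")
FREE_RE = re.compile(r"AAA/MEMORY: free_user .*?user='([^']*)'.*?port='([^']*)' rem_addr='([^']*)'")

def parse_exec_authorization(text):
    """Return {session_id: {...}} with the method-list and EXEC results per session."""
    sessions = {}
    last_failed = None  # session id of the most recent EXEC authorization failure
    for line in text.splitlines():
        m = METHOD_RE.search(line)
        if m:
            sid = int(m.group(1), 16)
            sessions.setdefault(sid, {})["method_list"] = m.group(2)
            sessions[sid]["method_result"] = m.group(3)
            continue
        m = EXEC_RE.search(line)
        if m:
            sid = int(m.group(1), 16)
            sessions.setdefault(sid, {})["exec_result"] = "PASS" if m.group(2) == "successful" else "FAIL"
            if sessions[sid]["exec_result"] == "FAIL":
                last_failed = sid
            continue
        m = FREE_RE.search(line)
        if m and last_failed is not None:
            # Heuristic: free_user carries only a memory address, not the session id,
            # so attach its user/port/peer to the most recent unresolved failure.
            sessions[last_failed].update(user=m.group(1), port=m.group(2), rem_addr=m.group(3))
            last_failed = None
    return sessions

def failed_exec_logins(text):
    """Sessions where EXEC authorization failed, with user/peer where recovered."""
    return [s for s in parse_exec_authorization(text).values() if s.get("exec_result") == "FAIL"]
```

Run over a real capture, a non-empty result from failed_exec_logins is the condition to alert on when checking whether local fallback actually lets an operator in.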