Cisco Support Community
AAA Woes?

I'm having a problem with AAA. Users in the TACACS and local DB are the only users who can authenticate to the 3640 itself (i.e. vty access). I don't want dial-in users to be valid users of the vty. So here is what we had and did, and the ramifications of each.

aaa new-model
aaa authentication login default local
aaa authentication ppp default local group tacacs+
aaa authorization exec default if-authenticated
aaa authorization network default local group tacacs+
aaa accounting network default start-stop group tacacs+
aaa processes 10

PROBLEM: User access to the vty on the 3640 is the same as the user DB in local. The user DB in local is used as the secondary remote-access DB in case of TACACS failure. I would like the vty to be defined by the vty password, and not have users defined in the local access DB with the ability to sign on into EXEC mode. So the following change was made:

aaa new-model
aaa authentication login default line <--------
aaa authentication ppp default local group tacacs+
aaa authorization exec default if-authenticated
aaa authorization network default local group tacacs+
aaa accounting network default start-stop group tacacs+
aaa processes 10

PROBLEM: Remote users could not sign in. I assumed they would reference the PPP portion of AAA; I must have been wrong.

Does anybody know what I am doing wrong? Does the command 'aaa authorization exec default if-authenticated' have anything to do with this? If I put a 'no' in front of that, will I still have any access to EXEC mode?

Thank you for your help.
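The configuration below is an added example and is not part of the original post or either reply. It shows the usual way on IOS to get the split the question asks for: a named login method list that uses only the line password, applied to the vty lines, while the default login list (which dial-in lines use when they present a text login prompt before PPP starts) and the ppp list keep the TACACS+/local methods. The async line range, the TACACS+ server address, the passwords and the list name VTY-ONLY are assumed placeholders, not values from the thread.

```cisco
! Added example, not the poster's configuration. Addresses, passwords,
! the line range and the list name are placeholders.
aaa new-model
!
! Default login list: used by any line that does not name its own list,
! including dial-in async lines that get a text login prompt before PPP.
! TACACS+ first, local as the fallback (the stated intent of the post).
aaa authentication login default group tacacs+ local
!
! Named login list for the vtys: line password only, no user database.
aaa authentication login VTY-ONLY line
!
! PPP (PAP/CHAP) and network authorization/accounting stay on TACACS+/local.
aaa authentication ppp default group tacacs+ local
aaa authorization exec default if-authenticated
aaa authorization network default group tacacs+ local
aaa accounting network default start-stop group tacacs+
aaa processes 10
!
! Assumed TACACS+ server and shared secret.
tacacs-server host 192.0.2.10
tacacs-server key SHARED-SECRET-PLACEHOLDER
!
! vty access is gated by the line password alone.
line vty 0 4
 password VTY-PASSWORD-PLACEHOLDER
 login authentication VTY-ONLY
!
! Assumed async (modem) lines: default login list, then autoselect PPP.
line 1 16
 login authentication default
 autoselect during-login
 autoselect ppp
```

With `aaa new-model` in effect, a line that carries no `login authentication` statement falls back to the default list, so the vtys must name VTY-ONLY explicitly. The method order `group tacacs+ local` is chosen to match the post's description of local as the backup when TACACS fails; the original configuration lists `local` first. Whether `aaa authorization exec default if-authenticated` contributed to the problem is not established by the thread, so that line is left as the poster had it.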

2 REPLIES

Re: AAA Woes?

Since there has been no response to your post, it appears to be either too complex or too rare an issue for other forum members to assist you. If you don't get a suitable response to your post, you may wish to review our resources at the online Technical Assistance Center (http://www.cisco.com/tac) or speak with a TAC engineer. You can open a TAC case online at http://www.cisco.com/tac/caseopen

If anyone else in the forum has some advice, please reply to this thread.

Thank you for posting.


Re: AAA Woes?

Solved Problem - Disregard.

Thanks.
