Cisco Support Community

SSH Access to IOS devices and AAA

I currently have a TAC case open, but it is taking ages for the TAC engineer to give me any feedback, so I thought I would post here.

We have a scenario where we need to use a minimum of 12.2(2)T on some routers used as terminal servers. On these routers we only allow SSH access to the VTY lines (transport input ssh), and we also have AAA enabled using TACACS+ and a CiscoSecure ACS 3.0 server (Windows 2000). If we try to log in to the router using an SSH client with authentication and authorisation pointing to the ACS server, it fails until we enable 'allow unspecified (or unknown?) services' in the group on the ACS server (this doesn't happen with Telnet). This is fine, but if the ACS server is unavailable we fall back to local user authentication and it always fails due to an authorisation failure.

It looks like a new 'feature' has been introduced in 12.2(x)T as we don't see this on the Cat6K Native Switches running 12.1(13)Ex. We are currently running 12.2(8)T10.
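For readers hitting the same fallback problem, the following is an added IOS configuration example (not the poster's configuration and not TAC's answer) showing how local fallback is usually made to cover EXEC authorization as well as authentication: `local` (or `if-authenticated`) is listed as a second method in the exec authorization list, and a local user exists to satisfy it. Hostname, domain, server address and key are placeholders. It does not address the SSH-specific "unknown services" behaviour on ACS that the original post describes.

```ios
! Added example, not from the thread. Addresses/keys are placeholders.
hostname term-srv-1
ip domain-name example.net
!
aaa new-model
! Authentication: ask the ACS server first; if it is unreachable, use the
! local user database.
aaa authentication login default group tacacs+ local
! Authorization: with only 'group tacacs+' here, an EXEC authorization
! request must still reach the server, so a login that fell back to the
! local database is denied at the authorization step. Adding 'local'
! (or 'if-authenticated') lets the fallback session get an EXEC shell.
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
!
! Local user consulted only when the TACACS+ server is unreachable.
username admin privilege 15 secret <replace-me>
!
tacacs-server host 192.0.2.10
tacacs-server key <replace-me>
!
! SSH server keys are generated from exec mode after hostname and
! ip domain-name are set:  crypto key generate rsa
ip ssh time-out 60
ip ssh authentication-retries 3
!
line vty 0 4
 transport input ssh
 login authentication default
 authorization exec default
```

Two caveats worth checking in the debugs: the method list only moves on to `local` when the TACACS+ server returns an ERROR (unreachable or timed out), not when it returns FAIL (an explicit reject); and the local user's `privilege` level is what the fallback session gets, so keep that account tightly controlled.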




Re: SSH Access to IOS devices and AAA

! The debugs below are from debug aaa authorization for a Telnet connection
! and an SSH connection - Telnet successful, SSH not successful

!!!!!!!!!Telnet login!!!!!!!!!!!!!!!!!!

02:15:51: AAA/AUTHOR (0x28): Pick method list 'default' - PASS
02:15:51: AAA/AUTHOR/EXEC(00000028): processing AV cmd=
02:15:51: AAA/AUTHOR/EXEC(00000028): Authorization successful

!!!!!!!!!SSH Login!!!!!!!!!!!!!!!!!!!!!

02:16:07: AAA: parse name=tty67 idb type=-1 tty=-1
02:16:07: AAA: name=tty67 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=67 channel=0
02:16:07: AAA/MEMORY: create_user (0x82CBC310) user='NULL' ruser='NULL' ds0=0 port='tty67' rem_addr='' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0'
02:16:09: AAA/AUTHOR (0x29): Pick method list 'default' - FAIL - FAIL
02:16:09: AAA/AUTHOR/EXEC(00000029): Authorization FAILED
02:16:11: AAA/MEMORY: free_user (0x82CBC310) user='admin' ruser='NULL' port='tty67' rem_addr='' authen_type=ASCII service=LOGIN priv=1


Any takers??



Re: SSH Access to IOS devices and AAA

Hi Andy,

I've the same problem with a C4500 running 12.1(19)EW1 on a SupIV. TACACS authentication and authorization work fine with Telnet but not with SSH, like you said. I don't know any option called "allow unspecified (or unknown?) services", but we are using ACS 2.6 - perhaps this option is not available in 2.6?

Btw: I have no problem with local user authentication via SSH...

Did you get any response from TAC?


