I currently have a TAC case open but it is taking ages for the TAC engineer to give me any feedback so I thought I would post here.
We have a scenario where we need to use a minimum of 12.2(2)T on some routers used as Terminal Servers. On these routers we only allow SSH access to the VTY lines (transport input SSH); we also have AAA enabled using TACACS+ and a CiscoSecure ACS 3.0 Server (Windows 2000). If we try to log in to the router using an SSH client with Authentication & Authorisation pointing to the ACS Server, it fails until we enable 'allow unspecified (or unknown?) services' in the group on the ACS Server (this doesn't happen with Telnet). This is fine, but if the ACS Server is unavailable we fall back to Local User Authentication and it always fails due to Authorisation failure.
It looks like a new 'feature' has been introduced in 12.2(x)T as we don't see this on the Cat6K Native Switches running 12.1(13)Ex. We are currently running 12.2(8)T10.
I have the same problem with a c4500 running 12.1(19)EW1 on SupIV. TACACS authentication and authorization work fine with telnet but not with SSH, like you said. I don't know of any option called "allow unspecified (or unknown?) services", but we are using ACS 2.6 - perhaps this option is not available in 2.6?
Btw: I have no problem with local user authentication via SSH...