Is it possible to have network admins authenticate via tacacs for username and password and log all the transactions, but have a free flow for terminal server access? In other words, tacacs for network admins but no tacacs for end user terminal server access. If possible, is there any sample config that I can refer to?
This is not as difficult as it may seem. Under aaa configuration, you specify for which connections you want to use a certain login-method.
It is not usual to make the TS-connection authenticate locally, but it can still be done. You will have to enter a username/passwd for any user on all servers to make this information locally available.
Below I have listed a setup as I use it myself and I have put some comments after the lines (following >). This is something that you can check in the aaa commands for yourself. Here we go:
define your user database:
username test1 password cisco
aaa authentication login default tacacs+ > describe the default method to authenticate, in your case this will be 'local', I presume.
aaa authentication login no_tacacs enable > used for console access, see below. The enable passwd is the passwd required for this method.
aaa authentication ppp default tacacs+ > the default for ppp sessions, can be omitted (as the default states local) or changed to local.
aaa authorization exec default tacacs+ > to get on the prompt, tacacs must be used. You will need this line.
aaa authorization network default tacacs+ > Applies to network connections
aaa accounting suppress null-username
aaa accounting update newinfo
aaa accounting exec default start-stop tacacs+ > Used to log connections
aaa accounting network default start-stop tacacs+ > similar
aaa accounting connection default start-stop tacacs+ > similar
in the config you need to define the tacacs server:
tacacs-server host 10.11.19.4
tacacs-server key -enter-your-key-here-
on the console line, create a backdoor:
line con 0
login authentication no_tacacs
This is not a tutorial, I did this mainly from memory.
I could set it up this way, but don't nail me on the exact syntax.
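To check which login method list each line ends up with in a setup like the one above, here is an added Python example (not part of the original answer). The sample config is constructed for illustration, and the function names are hypothetical.

```python
import re

# Constructed sample modelled on the answer's setup (not a captured config).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default tacacs+
aaa authentication login no_tacacs enable
aaa accounting exec default start-stop tacacs+
line con 0
 login authentication no_tacacs
line aux 0
line vty 0 4
"""

def login_methods_per_line(config):
    """Map each 'line ...' block to (method list name, methods in that list)."""
    lists = {}      # method list name -> ordered methods
    bound = {}      # line block -> method list name
    current = None
    for raw in config.splitlines():
        text = raw.strip()
        aaa = re.match(r"aaa authentication login (\S+) (.+)", text)
        login = re.match(r"login authentication (\S+)", text)
        if aaa:
            lists[aaa.group(1)] = aaa.group(2).split()
            current = None
        elif text.startswith("line "):
            current = text
            bound[current] = "default"   # no explicit list: 'default' applies
        elif login and current:
            bound[current] = login.group(1)
    # A list name that is bound but never defined resolves to no methods.
    return {line: (name, lists.get(name, [])) for line, name in bound.items()}

def lines_bypassing_tacacs(config):
    """Lines whose login method list never consults TACACS+."""
    resolved = login_methods_per_line(config)
    return sorted(line for line, (_, methods) in resolved.items()
                  if "tacacs+" not in methods)

if __name__ == "__main__":
    for line, (name, methods) in login_methods_per_line(SAMPLE_CONFIG).items():
        print(f"{line:13} list={name:10} methods={' '.join(methods) or '(undefined)'}")
    print("no TACACS+ on:", lines_bypassing_tacacs(SAMPLE_CONFIG))
```

Run against a saved running-config, this lists every line that can be logged into without the TACACS+ server being consulted, which is the set to review when only some connections are meant to skip it.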