
Tacacs Enable on Cisco Terminal Server

Is it possible to have Network Admins authenticate via TACACS for username and password and log all the transactions, but have a free flow for terminal server access? In other words, TACACS for Network Admins but no TACACS for end-user terminal server access. If possible, is there any sample config that I can refer to?




Re: Tacacs Enable on Cisco Terminal Server

Dear Ganesh,

This is not as difficult as it may seem. Under the aaa configuration, you specify for which connections you want to use a certain login method.

It is not usual to make the TS connection authenticate locally, but it can still be done. You will have to enter a username/passwd for any user on all servers to make this information locally available.

Below I have listed a setup as I use it myself and I have put some comments after the lines (following >). This is something that you can check in the aaa commands for yourself. Here we go:

Define your user database:

username test1 password cisco


aaa new-model

aaa authentication login default tacacs+ > describe the default method to authenticate, in your case this will be 'local', I presume.

aaa authentication login no_tacacs enable > used for console access, see below. The enable passwd is the passwd required for this method.

aaa authentication ppp default tacacs+ > the default for ppp sessions, can be omitted (as the default states local) or changed to local.

aaa authorization exec default tacacs+ > to get on the prompt, tacacs must be used. You will need this line.

aaa authorization network default tacacs+ > Applies to network connections

aaa accounting suppress null-username

aaa accounting update newinfo

aaa accounting exec default start-stop tacacs+ > Used to log connections

aaa accounting network default start-stop tacacs+ > similar

aaa accounting connection default start-stop tacacs+ > similar

In the config you need to define the tacacs server:

tacacs-server host

tacacs-server key -enter-your-key-here-

On the console line, create a backdoor:

line con 0

login authentication no_tacacs

This is not a tutorial, I did this mainly by head.

I could set it up this way but don't nail on the exact syntax.

Hopefully, you have enough info now to get going.
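
An added example, not part of the reply above and not Cisco tooling: a small Python audit that reads an IOS configuration, resolves which login method list each line uses, and reports the lines whose login never consults TACACS+. The sample configuration (including the `line 1 16` block) and all function names are constructed for illustration.

```python
import re

# Constructed sample modelled on the reply above; not taken from a real device.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default tacacs+
aaa authentication login no_tacacs enable
line con 0
 login authentication no_tacacs
line 1 16
 login authentication no_tacacs
line vty 0 4
"""

def method_lists(config):
    """Map each 'aaa authentication login' list name to its ordered methods."""
    found = re.findall(r"^aaa authentication login (\S+) (.+)$", config, re.M)
    return {name: methods.split() for name, methods in found}

def line_lists(config):
    """Map each 'line ...' block to the login list it names ('default' if none)."""
    result, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            result[current] = "default"
        elif raw.startswith(" ") and current:
            m = re.match(r"\s+login authentication (\S+)", raw)
            if m:
                result[current] = m.group(1)
        else:
            current = None  # left the line block
    return result

def audit(config):
    """Return {line: (list name, methods, True if TACACS+ is consulted)}."""
    lists = method_lists(config)
    report = {}
    for line, name in line_lists(config).items():
        methods = lists.get(name, [])  # an undefined list resolves to no methods
        report[line] = (name, methods, "tacacs+" in methods)
    return report

def lines_without_tacacs(config):
    """Lines whose login never reaches the TACACS+ server."""
    return [line for line, (_, _, ok) in audit(config).items() if not ok]

if __name__ == "__main__":
    for line, (name, methods, ok) in audit(SAMPLE_CONFIG).items():
        print(f"line {line}: list={name} methods={methods} tacacs={ok}")
```

Run against a saved running-config, the output makes it easy to confirm that only the intended lines (here the console and the terminal server lines) bypass TACACS+, while the vty lines fall back to the default list.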
