New Member

aaa authentication banner

I have configured both aaa authentication banner and aaa fail-message on a router running 12.1(15) - authentication is via ACS 3.0.2 which works great.

Problem - The authentication banner doesn't display (nothing does apart from "Username:" - not even "user access verification") but the fail-message does if you enter a wrong password. If I console in and disconnect the interface then both messages display fine.

Workaround - If I configure a "banner login" then it all works fine too but I can't work out why the "aaa authentication banner" doesn't display.

I suspect ACS is stopping the message from being displayed but I can't work out how - can anyone suggest a solution?

many thanks!

As an aside what does the "tacacs-server administration" command do? It doesn't seem to be documented and it has no effect on or off.

Accepted Solutions
Cisco Employee

Re: aaa authentication banner

The banner command doesn't work if you're doing TACACS authentication; it will work if you're doing RADIUS/local/etc. This is by design, because with TACACS you can have the server send the banner and prompts down (although with ACS I don't think you can do it), and so if you have TACACS authentication configured the router ignores the banner command and waits to see if it gets one from the TACACS server itself. If it doesn't, it'll just display the usual prompts.

As for the "tacacs-server admin" command, I honestly have no idea, never seen anyone use it. The on-line help says "start tacacs daemon handling administrative messages", but what that really does I don't know, maybe someone else can help.

3 REPLIES
New Member

Re: aaa authentication banner

Hmm... I think I remember using the "tacacs-server admin" command in Wholesale Dial environments for the Resource Management Protocol used between the RPMS server and the NAS for heartbeat and audit checks.

New Member

Re: aaa authentication banner

As I suspected - but I didn't realise it was by design - and I'm surprised that ACS can't handle the banners. But thanks for the quick response!
