Cisco Support Community
New Member

VPN concentrator Tacacs admin rights

I have just set up our VPN concentrator so that administrators can log in and manage it using their domain accounts through our ACS server, versus the local username and password. However, it doesn't appear that, if TACACS becomes unavailable, it fails back to the local admin. Am I missing something?

  • Other Security Subjects
Cisco Employee

Re: VPN concentrator Tacacs admin rights

Hi,

No, you are not missing anything. My understanding is that this is the default behavior of the VPN3000 when you configure TACACS for Admin Access. If the AAA server is unavailable, there is no fallback mechanism to local.

** Snip **

Caution: Misconfiguration of TACACS+ can lock an administrator out of the Concentrator HTML interface. If that happens, you can access the Concentrator by logging in through the console port, using your administrator username and password.

http://www.cisco.com/en/US/docs/security/vpn3000/vpn3000_47/administration/guide/access.html#wp1507954

I hope it helps.

Regards,

Arul

** Please rate all helpful posts **

Hall of Fame Super Silver

Re: VPN concentrator Tacacs admin rights

Matthew

I think that it is unfortunate that there is not in the concentrator software the kind of fallback that we are used to having with IOS-based (or CatOS-based) devices. It probably represents having been developed originally outside of Cisco.

While my customer uses TACACS to authenticate network administrators for almost all network devices for which it is supported, we decided to not use TACACS on the concentrator, and the lack of fallback was one of the main factors in the decision.

HTH

Rick
