Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

AAA for Cisco MDS Switches

I have configured Cisco ACS 4.0 (TACACS) with Windows AD for all Cisco MDS switches and it is working fine. But local "admin" access to the Cisco MDS switches via telnet is not working. At the same time , if I create a user with "network-admin" role locally, that works but not the default admin user.

Could anyone help me in this regard.

2 ACCEPTED SOLUTIONS

Accepted Solutions
Bronze

Re: AAA for Cisco MDS Switches

One really annoying thing is there is a slight change from sanos 1,2 and sanos 3.

console access via a local account had two diff aaa configs (ignore the radius part).

Sanos 1 & 2:

aaa authentication login default group radius local

aaa accounting default group radius local

sanos 3:

aaa authentication login default group radius local

aaa authentication login console local

aaa accounting default group radius

Only slight changes and sanos 3 is the "real" way of doing it. It could catch people out during an upgrade if they are unaware!

Cherers

Andrew

Re: AAA for Cisco MDS Switches

Happy to help.

Please feel free to rate posts that helped you out ;)

6 REPLIES

Re: AAA for Cisco MDS Switches

You have two options.

1. Configure an "admin" user in AD. (note that you don't have to use the account named admin, you can just as easily assign a local user with the network-admin role).One thing to note, is that you normally use this local account in case the tacacs+ or radius authentication server goes down.

You can have users configured locally and AD at the same time. If you are running AAA the default config is to check your AAA servers first, if they are not available, then to default to a local account

2. Configure your local network-admin role user and then specify that say console access is authenticated locally, while ssh and telnet is authenticated through tacacs. This will allow you to always get in with a local account through the console, while it will force SSH and Telnet connections to authenticate through the AAA servers.

You can find this option in Device Manager > Security > AAA > Applications

If you found this helpful, please give it a rating.

New Member

Re: AAA for Cisco MDS Switches

Option 1:-

I have already configured AD user with netwok-admin role who are able to login after successfull authentication by TACACS. It is ben configured to check TACACS first and then local.

I just want to be able to login as default "admin" user via telnet. I am able to login as "admin" via FM/DM

Option 2:-

I need to have telnet/ssh access uaing locally residing and default user "admin". I am able to login as other locally created users with "network-admin" role. Since the switches are located 1000's of miles

away, I need telnet access for admin in case tacacs server goes down.

I am stilll confused why the default "admin" user is not woking via telnet but everything else whether local/tacacs user.

--Mohan

Re: AAA for Cisco MDS Switches

Your configuration says that only console access is configured to check local. The first method is only configured to use the Tacacs+ group. If you add a local statement to end of the first line, it will allow you to get in ONLY if the tacacs+ server is down.

Try to keep in mind that AAA groups are processed in the same config line. If you don't have a valid auth method by the end of the line, you are out of luck.

Well, the thing about the AAA order is that you only go and check the next resource in the event your primary resource is unavailable.

It is likely since you do not have the "admin" account in your AD that the TACACS+ server is returning a message to deny access.

When the MDS observes the message to deny access to a user, then that is that. It will not go further down the list to say its local database.

--Colin

Bronze

Re: AAA for Cisco MDS Switches

One really annoying thing is there is a slight change from sanos 1,2 and sanos 3.

console access via a local account had two diff aaa configs (ignore the radius part).

Sanos 1 & 2:

aaa authentication login default group radius local

aaa accounting default group radius local

sanos 3:

aaa authentication login default group radius local

aaa authentication login console local

aaa accounting default group radius

Only slight changes and sanos 3 is the "real" way of doing it. It could catch people out during an upgrade if they are unaware!

Cherers

Andrew

New Member

Re: AAA for Cisco MDS Switches

Thanks guys ...it worked after adding "local" at the end of the line.

Kudos to you guys....

Mohan

Re: AAA for Cisco MDS Switches

Happy to help.

Please feel free to rate posts that helped you out ;)

430
Views
0
Helpful
6
Replies
CreatePlease to create content