I have configured Cisco ACS 4.0 (TACACS) with Windows AD for all Cisco MDS switches and it is working fine. But local "admin" access to the Cisco MDS switches via telnet is not working. At the same time, if I create a user with "network-admin" role locally, that works, but not the default admin user.
1. Configure an "admin" user in AD. (Note that you don't have to use the account named admin; you can just as easily assign a local user with the network-admin role.) One thing to note is that you normally use this local account in case the TACACS+ or RADIUS authentication server goes down.
You can have users configured locally and in AD at the same time. If you are running AAA, the default config is to check your AAA servers first and, if they are not available, to fall back to a local account.
2. Configure your local network-admin role user and then specify that, say, console access is authenticated locally, while SSH and telnet are authenticated through TACACS. This will allow you to always get in with a local account through the console, while it will force SSH and telnet connections to authenticate through the AAA servers.
You can find this option in Device Manager > Security > AAA > Applications
I have already configured AD users with the network-admin role who are able to log in after successful authentication by TACACS. It has been configured to check TACACS first and then local.
I just want to be able to log in as the default "admin" user via telnet. I am able to log in as "admin" via FM/DM.
I need to have telnet/ssh access using the locally residing, default user "admin". I am able to log in as other locally created users with the "network-admin" role. Since the switches are located thousands of miles away, I need telnet access for admin in case the TACACS server goes down.
I am still confused why the default "admin" user is not working via telnet, but everything else, whether a local or TACACS user, is.
Your configuration says that only console access is configured to check local. The first method is only configured to use the Tacacs+ group. If you add a local statement to end of the first line, it will allow you to get in ONLY if the tacacs+ server is down.
Try to keep in mind that AAA groups are processed in the same config line. If you don't have a valid auth method by the end of the line, you are out of luck.
Well, the thing about the AAA order is that you only go and check the next resource in the event your primary resource is unavailable.
It is likely since you do not have the "admin" account in your AD that the TACACS+ server is returning a message to deny access.
When the MDS observes the message to deny access to a user, then that is that. It will not go further down the list to say its local database.
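The two replies above (adding "local" to the end of the first method line, and the point that a TACACS+ deny never falls through to the local database) are easier to see side by side in the MDS NX-OS CLI. The following is an added example, not the poster's configuration or the attachment the replies refer to; the group name "TacacsGroup", the server address 10.0.0.10 and the shared secret are placeholders, and enabling the TACACS+ feature and any RADIUS equivalent are left out.

```cisco
! Placeholder server and group (constructed for this example).
tacacs-server host 10.0.0.10 key 0 PLACEHOLDER-SHARED-SECRET
aaa group server tacacs+ TacacsGroup
  server 10.0.0.10

! Before: the default login method list names only the TACACS+ group.
! Telnet/SSH logins as the local "admin" user are sent to ACS; because
! no such account exists in AD, ACS returns a deny and the attempt ends.
! Only the console consults the local database.
aaa authentication login default group TacacsGroup
aaa authentication login console local

! After: "local" appended to the same line. The local database is tried
! only when every server in TacacsGroup is unreachable (timeout), which
! is the case the poster wants to cover. An explicit deny from ACS still
! ends the login; it does not move on to the local database.
aaa authentication login default group TacacsGroup local
aaa authentication login console local
```

After applying the change, `show aaa authentication` on the MDS shows the resulting method lists, and a login attempt as the local "admin" user over telnet should succeed only while the TACACS+ servers cannot be reached. If the "admin" user must also work over telnet while ACS is up, that is the first reply's route: define the account in AD so ACS grants it rather than denies it.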