RE: Lock-and-key with tacacs+ authentication

From: Fabrice Bobes (study@6colabs.com)
Date: Tue Mar 11 2003 - 21:55:42 GMT-3


Peng,

1) Access-enable is an exec command so you need to authorize your user
to use it. In other words, you are missing:
aaa authorization exec default group tacacs+
or
aaa authorization exec TEST group tacacs+
line vty 0 4
authorization exec TEST

Don't forget to select shell (exec) for your user or group under TACACS.

2) Since you are using TACACS, you can remove
line vty 0 4
autocommand access-enable

and fill the field auto-command with
access-enable host timeout 5
You can locate this field in your group or user profile on the TACACS
server (section Shell (exec)).

3) access-list 100 dynamic fredlist permit tcp host 192.168.1.2 any eq telnet:
Once you telnet from 192.168.1.2 to 192.168.1.6 and get successfully
authenticated, you will be able to telnet to other devices.

You may want to check a previous post I made where I explain the
difference between access-enable and access-enable host.

I hope it makes sense,

Fabrice
http://www.6colabs.com
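Putting the three points above together, here is an added example of the complete router side of the setup (my own illustration, not a config from Fabrice or Peng). Addresses, list names and the TACACS+ key are the ones in Peng's posted config; the dynamic-list timeout and the extra permit for the TACACS+ server's replies are my additions. The latter matters because in the posted config the server (192.168.1.2) sits on the Ethernet0 segment where access-list 100 is applied inbound, so its answers to the router (TCP source port 49) must be allowed or the login exchange is dropped by the implicit deny before any prompt appears.

```cisco
! Added example (not from the thread): lock-and-key with TACACS+ on the
! router from Peng's config. Timeouts and the TACACS+ permit are assumptions.
aaa new-model
aaa authentication login default group tacacs+
aaa authentication login TEST group tacacs+
aaa authentication enable default group tacacs+
! Missing in the original: access-enable is an exec command, so the vty
! user needs exec authorization before the autocommand returned by the
! TACACS+ server (or configured on the line) can run.
aaa authorization exec TEST group tacacs+
!
tacacs-server host 192.168.1.2
tacacs-server key cisco
!
interface Ethernet0
 ip address 192.168.1.6 255.255.255.0
 ip access-group 100 in
!
! The TACACS+ server is on the Ethernet0 segment, so its replies (TCP
! source port 49, keyword "tacacs") must pass the inbound ACL; otherwise
! authentication never completes and the telnet shows no prompt.
access-list 100 permit tcp host 192.168.1.2 eq tacacs host 192.168.1.6
! Static entry: the lock-and-key user may telnet to the router itself.
access-list 100 permit tcp host 192.168.1.2 host 192.168.1.6 eq telnet
! Dynamic entry, created by access-enable after a successful login.
! "timeout 10" is the absolute lifetime in minutes (assumed value); the
! idle timeout comes from the access-enable command itself.
access-list 100 dynamic fredlist timeout 10 permit tcp host 192.168.1.2 any eq telnet
!
line vty 0 4
 login authentication TEST
 authorization exec TEST
! No "autocommand access-enable" here: the TACACS+ profile supplies it,
! so the idle timeout can differ per user or group.
```

On the server side, the auto-command field in the Shell (exec) section of the user or group profile holds `access-enable host timeout 5`, as Fabrice describes; with the Shrubbery tac_plus daemon the equivalent (my assumption about its syntax) is `service = exec { autocmd = "access-enable host timeout 5" }` inside the user stanza. To check the result, telnet from 192.168.1.2 to 192.168.1.6, log in, and after the session closes run `show access-lists 100` on the router: a temporary entry for host 192.168.1.2 should appear under the dynamic list. If it does not, `debug aaa authorization` shows whether the exec authorization request was sent and whether the autocmd attribute came back.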

-----Original Message-----
From: Peng Zheng [mailto:zpnist@yahoo.com]
Sent: Tuesday, March 11, 2003 4:34 PM
To: Fabrice Bobes; ccielab@groupstudy.com
Subject: RE: Lock-and-key with tacacs+ authentication

Here is my config:

------------------

aaa new-model
aaa authentication login default group tacacs+
aaa authentication login TEST group tacacs+
aaa authentication enable default group tacacs+

...

interface Loopback0
 ip address 131.108.3.1 255.255.255.0
!
interface Ethernet0
 ip address 192.168.1.6 255.255.255.0
 ip access-group 100 in

 ....

access-list 100 permit tcp host 192.168.1.2 host 192.168.1.6 eq telnet
access-list 100 dynamic fredlist permit tcp host 192.168.1.2 any eq telnet

...

tacacs-server host 192.168.1.2
tacacs-server key cisco

......

line vty 0 4
 login authentication TEST
 autocommand access-enable

----------------------------

If there is no ip access-group 100 in under int e 0,
the authentication part is OK.

After I added it, when I tried to telnet to 192.168.1.6,
there was not even a prompt.

What's the problem?

--- Fabrice Bobes <study@6colabs.com> wrote:
> Peng,
>
> Yes, it's possible.
> Just post your config and I'll check what you are
> missing.
>
> Thanks,
>
> Fabrice
> http://www.6colabs.com
>
> -----Original Message-----
> From: nobody@groupstudy.com
> [mailto:nobody@groupstudy.com] On Behalf Of
> Peng Zheng
> Sent: Tuesday, March 11, 2003 2:07 PM
> To: ccielab@groupstudy.com
> Subject: Lock-and-key with tacacs+ authentication
>
> Is it possible to use tacacs+ to authenticate
> lock-and-key? I tried but failed.
>
> Thanks for help.
>



This archive was generated by hypermail 2.1.4 : Sat Apr 05 2003 - 08:51:37 GMT-3