RE: Lock-and-key with tacacs+ authentication

From: Brian Dennis (brian@5g.net)
Date: Tue Mar 11 2003 - 22:23:23 GMT-3


You are not allowing TACACS+ through your ACL. The AAA server can't
reply to the authentication request sent by the router. Add an entry to
the ACL that allows the AAA server to reply.

Also, as a side note, your router is not set up for a secondary
authentication method. As a general rule you should at least have a
secondary authentication method (i.e. local) in case the primary is
unavailable.

Brian Dennis, CCIE #2210 (R&S/ISP Dial/Security) CCSI# 98640
brian@labforge.com
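
As an added illustration of the two points above (not part of the original thread), here are the relevant lines of the posted config with a static entry that lets the TACACS+ server at 192.168.1.2 answer the router's request from TCP port 49, and a local fallback method; the username and its secret are assumed placeholders.

```ios
! Added example, not from the original thread: the posted ACL 100 and AAA
! lines with the two changes recommended above.
aaa new-model
! TACACS+ first; fall back to the local database if the server does not answer
aaa authentication login default group tacacs+ local
aaa authentication login TEST group tacacs+ local
aaa authentication enable default group tacacs+ enable
! Local account used only when the TACACS+ server is unreachable (assumed name, placeholder secret)
username fallback secret REPLACE-WITH-STRONG-SECRET
!
! Static entry so the AAA server's replies (TCP source port 49) are not dropped
! by the inbound ACL before any dynamic entry exists
access-list 100 permit tcp host 192.168.1.2 eq tacacs host 192.168.1.6
! Original entries: the initial telnet to the router, then the dynamic template
access-list 100 permit tcp host 192.168.1.2 host 192.168.1.6 eq telnet
access-list 100 dynamic fredlist permit tcp host 192.168.1.2 any eq telnet
!
tacacs-server host 192.168.1.2
tacacs-server key cisco
!
line vty 0 4
 login authentication TEST
 autocommand access-enable
```

Because the router opens the TCP session to the server, a `permit tcp host 192.168.1.2 host 192.168.1.6 established` entry would serve the same purpose; `show access-lists 100` during a login should show the hit count on the new line incrementing.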

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Peng Zheng
Sent: Tuesday, March 11, 2003 4:34 PM
To: Fabrice Bobes; ccielab@groupstudy.com
Subject: RE: Lock-and-key with tacacs+ authentication

Here is my config:

------------------

aaa new-model
aaa authentication login default group tacacs+
aaa authentication login TEST group tacacs+
aaa authentication enable default group tacacs+

...

interface Loopback0
 ip address 131.108.3.1 255.255.255.0
!
interface Ethernet0
 ip address 192.168.1.6 255.255.255.0
 ip access-group 100 in

 ....

access-list 100 permit tcp host 192.168.1.2 host 192.168.1.6 eq telnet
access-list 100 dynamic fredlist permit tcp host 192.168.1.2 any eq telnet

...

tacacs-server host 192.168.1.2
tacacs-server key cisco

......

line vty 0 4
 login authentication TEST
 autocommand access-enable

----------------------------

If there is no "ip access-group 100 in" under int e 0, the
authentication part is OK.

After I added it, when I tried to telnet to 192.168.1.6,
there was not even a prompt.

What's the problem?

--- Fabrice Bobes <study@6colabs.com> wrote:
> Peng,
>
> Yes, it's possible.
> Just post your config and I'll check what you are
> missing.
>
> Thanks,
>
> Fabrice
> http://www.6colabs.com
>
> -----Original Message-----
> From: nobody@groupstudy.com
> [mailto:nobody@groupstudy.com] On Behalf Of
> Peng Zheng
> Sent: Tuesday, March 11, 2003 2:07 PM
> To: ccielab@groupstudy.com
> Subject: Lock-and-key with tacacs+ authentication
>
> Is it possible to use tacacs+ to authenticate
> lock-and-key? I tried but failed.
>
> Thanks for help.
>
>



This archive was generated by hypermail 2.1.4 : Sat Apr 05 2003 - 08:51:37 GMT-3