RE: Lock-and-key with tacacs+ authentication

From: Fabrice Bobes (study@6colabs.com)
Date: Wed Mar 12 2003 - 00:01:36 GMT-3


OK, I stand corrected and I'll try to give a better explanation :-)

1) Lock-and-key with tacacs+ authentication
Like Brian said, your access-list is not complete.
It should be something like:
access-list 100 permit tcp host 192.168.1.2 host 192.168.1.6 eq telnet
access-list 100 permit tcp host 192.168.1.2 eq 49 host 192.168.1.6
access-list 100 dynamic fredlist permit tcp host 192.168.1.2 any eq telnet

2) Lock-and-key with tacacs+ authentication and authorization
Since you are using TACACS, you can remove
line vty 0 4
autocommand access-enable

and put this information on the TACACS server
autocommand = access-enable
under the Shell (exec) section.

In this situation, you use TACACS to let your user start an exec shell command.
You need to enable shell (exec) for your Tacacs user and add:
aaa authorization exec default group tacacs+
or
aaa authorization exec TEST group tacacs+
line vty 0 4
authorization exec TEST

3) And yes, you should specify a backup authentication method if Tacacs fails.

Thanks,

Fabrice
http://www.6colabs.com
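
A consolidated router-side configuration that puts the three points above together, added here as an illustration and not taken from any posting in this thread; the local fallback username, the placeholder secrets and the timeout values are assumptions, while the addresses, ACL number and dynamic list name are the ones discussed above:

```cisco
! Added example: router side of lock-and-key with TACACS+ (not a config from the thread).
! Assumed: local fallback user "fallback", placeholder secrets, timeout values.
aaa new-model
!
! Point 3: try TACACS+ first, fall back to the local database if the server is unreachable.
aaa authentication login TEST group tacacs+ local
!
! Point 2 (optional): let the TACACS+ server return "autocommand = access-enable"
! from its Shell (exec) section. "if-authenticated" keeps the fallback login usable
! when the server cannot be reached for authorization either.
aaa authorization exec TEST group tacacs+ if-authenticated
!
username fallback privilege 1 secret REPLACE-WITH-STRONG-SECRET
!
tacacs-server host 192.168.1.2
tacacs-server key REPLACE-WITH-SHARED-KEY
!
! Point 1: the inbound ACL must both let the user reach the vty AND let the
! TACACS+ server (TCP/49) answer the router. Without the second line the login
! request never gets its reply, so the session hangs before any prompt appears.
access-list 100 permit tcp host 192.168.1.2 host 192.168.1.6 eq telnet
access-list 100 permit tcp host 192.168.1.2 eq 49 host 192.168.1.6
! The dynamic entry is inactive until access-enable creates it for the
! authenticated host; the absolute timeout (minutes) bounds how long it lives.
access-list 100 dynamic fredlist timeout 60 permit tcp host 192.168.1.2 any eq telnet
!
interface Ethernet0
 ip address 192.168.1.6 255.255.255.0
 ip access-group 100 in
!
line vty 0 4
 login authentication TEST
 authorization exec TEST
 ! Keep the autocommand here only if the TACACS+ server does not return it.
 ! "host" narrows the opened entry to the source that actually authenticated;
 ! the idle timeout (minutes) removes it when the session goes quiet.
 autocommand access-enable host timeout 10
```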

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Brian Dennis
Sent: Tuesday, March 11, 2003 5:23 PM
To: 'Peng Zheng'; ccielab@groupstudy.com
Subject: RE: Lock-and-key with tacacs+ authentication

You are not allowing TACACS+ through your ACL. The AAA server can't
reply to the authentication request sent by the router. Add an entry to
the ACL that allows the AAA server to reply.

Also, as a side note, your router is not set up for a secondary
authentication method. As a general rule you should at least have a
secondary authentication method (i.e. local) in case the primary is
unavailable.

Brian Dennis, CCIE #2210 (R&S/ISP Dial/Security) CCSI# 98640
brian@labforge.com

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Peng Zheng
Sent: Tuesday, March 11, 2003 4:34 PM
To: Fabrice Bobes; ccielab@groupstudy.com
Subject: RE: Lock-and-key with tacacs+ authentication

Here is my config:

------------------

aaa new-model
aaa authentication login default group tacacs+
aaa authentication login TEST group tacacs+
aaa authentication enable default group tacacs+

...

interface Loopback0
 ip address 131.108.3.1 255.255.255.0
!
interface Ethernet0
 ip address 192.168.1.6 255.255.255.0
 ip access-group 100 in

 ....

access-list 100 permit tcp host 192.168.1.2 host 192.168.1.6 eq telnet
access-list 100 dynamic fredlist permit tcp host 192.168.1.2 any eq telnet

...

tacacs-server host 192.168.1.2
tacacs-server key cisco

......

line vty 0 4
 login authentication TEST
 autocommand access-enable

----------------------------

If there is no ip access-group 100 in under int e 0, the authentication part is OK.

After I added it, when I tried to telnet to 192.168.1.6, there was not even a prompt.

What's the problem?

--- Fabrice Bobes <study@6colabs.com> wrote:
> Peng,
>
> Yes, it's possible.
> Just post your config and I'll check what you are
> missing.
>
> Thanks,
>
> Fabrice
> http://www.6colabs.com
>
> -----Original Message-----
> From: nobody@groupstudy.com
> [mailto:nobody@groupstudy.com] On Behalf Of
> Peng Zheng
> Sent: Tuesday, March 11, 2003 2:07 PM
> To: ccielab@groupstudy.com
> Subject: Lock-and-key with tacacs+ authentication
>
> Is it possible to use tacacs+ to authenticate
> lock-and-key? I tried but failed.
>
> Thanks for help.
>



This archive was generated by hypermail 2.1.4 : Sat Apr 05 2003 - 08:51:37 GMT-3