From: Brian Dennis (brian@labforge.com)
Date: Wed Mar 12 2003 - 02:54:14 GMT-3
Also if this is "real world" and you have access to a TACACS+ server you
should look into using authentication proxy as opposed to lock-and-key.
Here is a comparison of both (watch the wrap):
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt3/scdauthp.htm#1001152
Currently authentication proxy supports only HTTP to trigger the
authentication but telnet and FTP support are slated for future IOS
releases.
Brian Dennis, CCIE #2210 (R&S/ISP Dial/Security) CCSI# 98640
brian@labforge.com
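The alternative Brian points to, authentication proxy with the per-user ACL coming from TACACS+, as an added example that is not part of the thread. It reuses Peng's addresses (router 192.168.1.6 on Ethernet0, TACACS+ server 192.168.1.2); the rule name HTTPAUTH, the cache time, and the TACACS+ profile contents (service auth-proxy returning priv-lvl=15 and a proxyacl#1 entry such as permit tcp any any eq telnet) are assumptions about the lab:

```cisco
! Authentication proxy replacing lock-and-key. Added example, not from the thread.
! Assumes a TACACS+ user profile with service=auth-proxy, priv-lvl=15 and
! proxyacl#1="permit tcp any any eq telnet" (the entries the router will insert).
aaa new-model
! local is the fallback if every TACACS+ server is unreachable
aaa authentication login default group tacacs+ local
! auth-proxy fetches the user's proxyacl entries through AAA authorization
aaa authorization auth-proxy default group tacacs+
tacacs-server host 192.168.1.2
tacacs-server key cisco
!
! The router's own HTTP server presents the login page; it must use AAA
ip http server
ip http authentication aaa
! Cached entries expire after 60 minutes (assumed value; 60 is the IOS default)
ip auth-proxy auth-cache-time 60
! Rule HTTPAUTH: intercept HTTP (the only trigger supported at this IOS level)
ip auth-proxy name HTTPAUTH http
!
interface Ethernet0
 ip address 192.168.1.6 255.255.255.0
 ip access-group 100 in
 ip auth-proxy HTTPAUTH
!
! Inbound ACL before anyone authenticates:
! 1) replies from the TACACS+ daemon (TCP source port 49) to the router;
!    without this the proxy can never get an answer, same failure as lock-and-key
access-list 100 permit tcp host 192.168.1.2 eq tacacs host 192.168.1.6
! 2) HTTP from the client subnet to the router itself, so the login page can load
access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.6 eq www
! everything else stays denied until the proxy inserts the downloaded entries
```

After a user logs in through the browser, `show ip auth-proxy cache` lists the entry and `show access-lists 100` shows the downloaded proxyacl lines inserted ahead of the static ones; `debug ip auth-proxy function-trace` and `debug tacacs` show whether the authorization actually returned the profile.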
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Brian Dennis
Sent: Tuesday, March 11, 2003 5:24 PM
To: 'Peng Zheng'; ccielab@groupstudy.com
Subject: RE: Lock-and-key with tacacs+ authentication
You are not allowing TACACS+ through your ACL. The AAA server can't
reply to the authentication request sent by the router. Add an entry to
the ACL that allows the AAA server to reply.
Also, as a side note, your router is not set up for a secondary
authentication method. As a general rule you should at least have a
secondary authentication method (e.g., local) in case the primary is
unavailable.
Brian Dennis, CCIE #2210 (R&S/ISP Dial/Security) CCSI# 98640
brian@labforge.com
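Brian's two corrections applied to Peng's posted config, as an added example that is not part of the thread. Addresses, ACL number, dynamic list name and key are Peng's; the local fallback account, the enable-password fallback, and the idle and absolute timeout values are assumptions for the lab:

```cisco
! Lock-and-key with TACACS+ authentication plus a local fallback.
! Added example built on Peng's config; not from the thread.
aaa new-model
! "local" is the secondary method, consulted only when no TACACS+ server answers
aaa authentication login default group tacacs+ local
aaa authentication login TEST group tacacs+ local
aaa authentication enable default group tacacs+ enable
! Assumed local account so the fallback method has something to check
username fallback secret L0cal-Fallb4ck
!
tacacs-server host 192.168.1.2
tacacs-server key cisco
!
interface Ethernet0
 ip address 192.168.1.6 255.255.255.0
 ip access-group 100 in
!
! 1) Replies from the TACACS+ daemon (TCP source port 49) to the router.
!    This is the line Peng's config was missing: without it the inbound ACL
!    drops the AAA reply, the router never gets an answer, and the vty shows
!    no prompt. (In the original only telnet to the router was permitted.)
access-list 100 permit tcp host 192.168.1.2 eq tacacs host 192.168.1.6
! 2) The telnet session in which the user authenticates to the router itself
access-list 100 permit tcp host 192.168.1.2 host 192.168.1.6 eq telnet
! 3) The dynamic entry that access-enable opens; 120 min absolute limit (assumed)
access-list 100 dynamic fredlist timeout 120 permit tcp host 192.168.1.2 any eq telnet
!
line vty 0 4
 login authentication TEST
 ! "host" scopes the opened entry to the authenticating source; 10 min idle (assumed)
 autocommand access-enable host timeout 10
```

To confirm the fix, `debug tacacs` on the router should now show the reply arriving, and after a successful login `show access-lists 100` lists the temporary entry under the dynamic line; the user's telnet session is closed immediately by the autocommand, which is the expected lock-and-key behaviour.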
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Peng Zheng
Sent: Tuesday, March 11, 2003 4:34 PM
To: Fabrice Bobes; ccielab@groupstudy.com
Subject: RE: Lock-and-key with tacacs+ authentication
Here is my config:
------------------
aaa new-model
aaa authentication login default group tacacs+
aaa authentication login TEST group tacacs+
aaa authentication enable default group tacacs+
...
interface Loopback0
 ip address 131.108.3.1 255.255.255.0
!
interface Ethernet0
 ip address 192.168.1.6 255.255.255.0
 ip access-group 100 in
....
! static entry, then the dynamic entry opened by access-enable
access-list 100 permit tcp host 192.168.1.2 host 192.168.1.6 eq telnet
access-list 100 dynamic fredlist permit tcp host 192.168.1.2 any eq telnet
...
tacacs-server host 192.168.1.2
tacacs-server key cisco
......
line vty 0 4
 login authentication TEST
 autocommand access-enable
----------------------------
If there is no ip access-group 100 in under int e0, the authentication
part is OK.
After I added it, when I tried to telnet to 192.168.1.6, there was not
even a prompt.
What's the problem?
--- Fabrice Bobes <study@6colabs.com> wrote:
> Peng,
>
> Yes, it's possible.
> Just post your config and I'll check what you are
> missing.
>
> Thanks,
>
> Fabrice
> http://www.6colabs.com
>
> -----Original Message-----
> From: nobody@groupstudy.com
> [mailto:nobody@groupstudy.com] On Behalf Of
> Peng Zheng
> Sent: Tuesday, March 11, 2003 2:07 PM
> To: ccielab@groupstudy.com
> Subject: Lock-and-key with tacacs+ authentication
>
> Is it possible to use tacacs+ to authenticate
> lock-and-key? I tried but failed.
>
> Thanks for help.
>
This archive was generated by hypermail 2.1.4 : Sat Apr 05 2003 - 08:51:37 GMT-3