RE: Lock-and-key with tacacs+ authentication

From: Peng Zheng (zpnist@yahoo.com)
Date: Wed Mar 12 2003 - 02:52:31 GMT-3


Something is wrong. I didn't receive Brian's email.

Now I understand.
Thanks.

Another question: I'm using NTTacPlus as the tacacs+
server, and I cannot find where I can configure
autocommand = access-enable.

Does anyone know how to do this?

--- Fabrice Bobes <study@6colabs.com> wrote:
> OK, I stand corrected and I'll try to give a better
> explanation :-)
>
> 1) Lock-and-key with tacacs+ authentication
> Like Brian said, your access-list is not complete.
> It should be something like:
> access-list 100 permit tcp host 192.168.1.2 host 192.168.1.6 eq telnet
> access-list 100 permit tcp host 192.168.1.2 eq 49 host 192.168.1.6
> access-list 100 dynamic fredlist permit tcp host 192.168.1.2 any eq telnet
>
> 2) Lock-and-key with tacacs+ authentication and
> authorization
> Since you are using TACACS, you can remove
> Line vty 0 4
> autocommand access-enable
>
> and put this information on the TACACS server
> autocommand = access-enable
> under the Shell (exec) section.
>
> In this situation, you use TACACS to let your user
> start an exec shell
> command.
> You need to enable shell (exec) for your Tacacs user
> and add:
> aaa authorization exec default group tacacs+
> or
> aaa authorization exec TEST group tacacs+
> line vty 0 4
> authorization exec TEST
>
> 3) And yes, you should specify a backup
> authentication method if Tacacs
> fails
>
> Thanks,
>
> Fabrice
> http://www.6colabs.com
>
> -----Original Message-----
> From: nobody@groupstudy.com
> [mailto:nobody@groupstudy.com] On Behalf Of
> Brian Dennis
> Sent: Tuesday, March 11, 2003 5:23 PM
> To: 'Peng Zheng'; ccielab@groupstudy.com
> Subject: RE: Lock-and-key with tacacs+
> authentication
>
> You are not allowing TACACS+ through your ACL. The
> AAA server can't
> reply to the authentication request sent by the
> router. Add an entry to
> the ACL that allows the AAA server to reply.
>
> Also as a side note your router is not setup for a
> secondary
> authentication method. As a general rule you should
> at least have a
> secondary authentication method (i.e. local) in case
> the primary is
> unavailable.
>
> Brian Dennis, CCIE #2210 (R&S/ISP Dial/Security)
> CCSI# 98640
> brian@labforge.com
>
> -----Original Message-----
> From: nobody@groupstudy.com
> [mailto:nobody@groupstudy.com] On Behalf Of
> Peng Zheng
> Sent: Tuesday, March 11, 2003 4:34 PM
> To: Fabrice Bobes; ccielab@groupstudy.com
> Subject: RE: Lock-and-key with tacacs+
> authentication
>
> Here is my config:
>
> ------------------
>
> aaa new-model
> aaa authentication login default group tacacs+
> aaa authentication login TEST group tacacs+
> aaa authentication enable default group tacacs+
>
> ...
>
> interface Loopback0
> ip address 131.108.3.1 255.255.255.0
> !
> interface Ethernet0
> ip address 192.168.1.6 255.255.255.0
> ip access-group 100 in
>
> ....
>
> access-list 100 permit tcp host 192.168.1.2 host 192.168.1.6 eq telnet
> access-list 100 dynamic fredlist permit tcp host 192.168.1.2 any eq telnet
>
> ...
>
> tacacs-server host 192.168.1.2
> tacacs-server key cisco
>
> ......
>
> line vty 0 4
> login authentication TEST
> autocommand access-enable
>
> ----------------------------
>
>
> If there is no ip access-group 100 in under int e 0,
> the authentication part is OK.
>
> After I added it, when I tried to telnet to 192.168.1.6,
> there was not even a prompt.
>
>
> What's the problem?
>
>
>
>
> --- Fabrice Bobes <study@6colabs.com> wrote:
> > Peng,
> >
> > Yes, it's possible.
> > Just post your config and I'll check what you are
> > missing.
> >
> > Thanks,
> >
> > Fabrice
> > http://www.6colabs.com
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com
> > [mailto:nobody@groupstudy.com] On Behalf Of
> > Peng Zheng
> > Sent: Tuesday, March 11, 2003 2:07 PM
> > To: ccielab@groupstudy.com
> > Subject: Lock-and-key with tacacs+ authentication
> >
> > Is it possible to use tacacs+ to authenticate
> > lock-and-key? I tried but failed.
> >
> > Thanks for help.
> >



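A consolidated version of the configuration this thread converges on, added here as an example and not taken from any of the posters: lock-and-key on Ethernet0 with TACACS+ login authentication, exec authorization so the server can hand back the autocommand, the TACACS+ return path (TCP port 49) opened in the inbound ACL, and a local fallback so a dead server does not lock you out. The local username, the timeouts, and the placeholder secret are assumptions; the server-side attribute is shown in tac_plus syntax, not NTTacPlus.

```cisco
aaa new-model
! TACACS+ first, local user database if no server answers (assumed user "fallback")
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
username fallback privilege 15 secret REPLACE-WITH-REAL-SECRET
!
tacacs-server host 192.168.1.2
tacacs-server key cisco
!
interface Ethernet0
 ip address 192.168.1.6 255.255.255.0
 ip access-group 100 in
!
! 1) The user may telnet to the router itself to authenticate.
access-list 100 permit tcp host 192.168.1.2 host 192.168.1.6 eq telnet
! 2) The TACACS+ server's replies (source port 49) must reach the router;
!    without this line the inbound ACL drops them and telnet never prompts.
access-list 100 permit tcp host 192.168.1.2 eq 49 host 192.168.1.6
! 3) The dynamic entry that access-enable activates; absolute timeout is assumed.
access-list 100 dynamic fredlist timeout 10 permit tcp host 192.168.1.2 any eq telnet
!
! No autocommand on the vty: the server returns it as an exec attribute, e.g.
! in tac_plus:  service = exec { autocmd = "access-enable host timeout 5" }
line vty 0 4
 login authentication default
 authorization exec default
```

With "access-enable host", the dynamic entry is created for the address the user telnetted from rather than for the 192.168.1.2 template source, and it expires after the idle timeout given to access-enable or the absolute timeout on the dynamic ACL line, whichever comes first.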
This archive was generated by hypermail 2.1.4 : Sat Apr 05 2003 - 08:51:37 GMT-3