From: Peng Zheng (zpnist@yahoo.com)
Date: Wed Mar 12 2003 - 21:46:23 GMT-3
It's OK now. The "a" in autocmd must be lower case. Thanks for the help.
Does anyone know how to change user on the router?
--- Fabrice Bobes <study@6colabs.com> wrote:
> Peng,
>
> I was assuming you were using Cisco Secure.
> You can do it also with NTTacPlus Server using the
> following parameters:
> Service:
> Exec=permit
> Attribute list:
> Autocmd=access-enable (not autocommand=access-enable)
>
> I have just tried it using DialWays 3.0 and it works
> fine.
>
> Thanks,
>
> Fabrice
>
> -----Original Message-----
> From: Peng Zheng [mailto:zpnist@yahoo.com]
> Sent: Wednesday, March 12, 2003 9:35 AM
> To: Fabrice Bobes; 'Brian Dennis';
> ccielab@groupstudy.com
> Subject: RE: Lock-and-key with tacacs+
> authentication
>
> I can not find how to.
>
> I tried this way on NTTacPlus server.
>
> For the user test, under service tab:
>
> Under Configured Services:
>
> Exec=permit
> Then under Attribute Value Pair/Per Service
> Autocommand=access-enable
>
> When I tried to login, it said authentication OK but
> authorization failed.
>
> Below is log file:
> ------------------------------------
> #12-03-2003 09:28:37#>Login query for 'test' tty5 from 192.168.1.6 accepted
> #12-03-2003 09:28:38#debug>Start authorization request
> #12-03-2003 09:28:38#debug>user 'test' found
> #12-03-2003 09:28:38#debug>nas: service=shell (unchanged)
> #12-03-2003 09:28:38#debug>nas: cmd* (unchanged)
> #12-03-2003 09:28:38#debug>nas: <none>, server: autocommand=access-enable -> add autocommand=access-enable (k)
> #12-03-2003 09:28:38#debug>nas: <none>, server: priv-lvl=15 -> add priv-lvl=15 (l)
> #12-03-2003 09:28:38#debug>added 2 args
> #12-03-2003 09:28:38#debug>out args[0] = service=shell input copy discarded
> #12-03-2003 09:28:38#debug>out args[1] = cmd* input copy discarded
> #12-03-2003 09:28:38#debug>out args[2] = autocommand=access-enable compacted to out args[0]
> #12-03-2003 09:28:38#debug>out args[3] = priv-lvl=15 compacted to out args[1]
> #12-03-2003 09:28:38#debug>2 output args
> #12-03-2003 09:28:38#>authorization query for 'test' tty5 from 192.168.1.6 accepted
>
> ---------------------
>
>
>
> --- Fabrice Bobes <study@6colabs.com> wrote:
> > OK, I stand corrected and I'll try to give a better explanation :-)
> >
> > 1) Lock-and-key with tacacs+ authentication
> > Like Brian said, your access-list is not complete.
> > It should be something like:
> > access-list 100 permit tcp host 192.168.1.2 host 192.168.1.6 eq telnet
> > access-list 100 permit tcp host 192.168.1.2 eq 49 host 192.168.1.6
> > access-list 100 dynamic fredlist permit tcp host 192.168.1.2 any eq telnet
> >
> > 2) Lock-and-key with tacacs+ authentication and
> > authorization
> > Since you are using TACACS, you can remove
> > Line vty 0 4
> > autocommand access-enable
> >
> > and put this information on the TACACS server
> > autocommand = access-enable
> > under the section Shell (exec)).
> >
> > In this situation, you use TACACS to let your user start an exec shell command.
> > You need to enable shell (exec) for your Tacacs user and add:
> > authorization exec default group tacacs+
> > or
> > aaa authorization exec TEST group tacacs+
> > line vty 0 4
> > authorization exec TEST
> >
> > 3) And yes, you should specify a backup authentication method if Tacacs fails
> >
> > Thanks,
> >
> > Fabrice
> > http://www.6colabs.com
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com
> > [mailto:nobody@groupstudy.com] On Behalf Of
> > Brian Dennis
> > Sent: Tuesday, March 11, 2003 5:23 PM
> > To: 'Peng Zheng'; ccielab@groupstudy.com
> > Subject: RE: Lock-and-key with tacacs+
> > authentication
> >
> > You are not allowing TACACS+ through your ACL. The AAA server can't
> > reply to the authentication request sent by the router. Add an entry to
> > the ACL that allows the AAA server to reply.
> >
> > Also as a side note your router is not setup for a secondary
> > authentication method. As a general rule you should at least have a
> > secondary authentication method (i.e. local) in case the primary is
> > unavailable.
> >
> > Brian Dennis, CCIE #2210 (R&S/ISP Dial/Security)
> > CCSI# 98640
> > brian@labforge.com
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com
> > [mailto:nobody@groupstudy.com] On Behalf Of
> > Peng Zheng
> > Sent: Tuesday, March 11, 2003 4:34 PM
> > To: Fabrice Bobes; ccielab@groupstudy.com
> > Subject: RE: Lock-and-key with tacacs+
> > authentication
> >
> > Here is my config:
> >
> > ------------------
> >
> > aaa new-model
> > aaa authentication login default group tacacs+
> > aaa authentication login TEST group tacacs+
> > aaa authentication enable default group tacacs+
> >
> > ...
> >
> > interface Loopback0
> > ip address 131.108.3.1 255.255.255.0
> > !
> > interface Ethernet0
> > ip address 192.168.1.6 255.255.255.0
> > ip access-group 100 in
> >
> > ....
> >
> > access-list 100 permit tcp host 192.168.1.2 host 192.168.1.6 eq telnet
> > access-list 100 dynamic fredlist permit tcp host 192.168.1.2 any eq telnet
> >
> > ...
> >
> > tacacs-server host 192.168.1.2
> > tacacs-server key cisco
> >
> > ......
> >
> > line vty 0 4
> > login authentication TEST
> > autocommand access-enable
> >
> > ----------------------------
> >
> >
> > If there is no ip access-group 100 in under int e 0
>
=== message truncated ===
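The point Brian and Fabrice make in the quoted thread is that the inbound ACL on Ethernet0 must also permit the TACACS+ server's replies (source port 49), and that the dynamic "fredlist" entry only takes effect once the user has run access-enable. The following is an added example, not code from the thread or from any Cisco or NTTacPlus product: a minimal first-match model of ACL 100 with the constructed packets a router at 192.168.1.6 would see, used to show which traffic the original ACL and the corrected ACL accept.

```python
# Added example (not from the thread): first-match model of inbound ACL 100.
# Shows why the TACACS+ reply from 192.168.1.2 is dropped until the "eq 49"
# entry exists, and that the dynamic entry only matters after access-enable.
from __future__ import annotations
from dataclasses import dataclass

TELNET, TACACS = 23, 49
ANY = None  # wildcard for an address or a port


@dataclass(frozen=True)
class Ace:
    src: str | None
    sport: int | None
    dst: str | None
    dport: int | None
    dynamic: bool = False  # lock-and-key entry, inactive until access-enable

    def matches(self, src, sport, dst, dport):
        fields = ((self.src, src), (self.sport, sport),
                  (self.dst, dst), (self.dport, dport))
        return all(want is ANY or want == got for want, got in fields)


def permitted(acl, pkt, dynamic_active=False):
    """First matching permit entry wins; no match hits the implicit deny."""
    for ace in acl:
        if ace.dynamic and not dynamic_active:
            continue  # dynamic entries are not consulted until access-enable
        if ace.matches(*pkt):
            return True
    return False


# ACL as originally posted: telnet to the router plus the dynamic entry only
ORIGINAL_ACL = [
    Ace("192.168.1.2", ANY, "192.168.1.6", TELNET),
    Ace("192.168.1.2", ANY, ANY, TELNET, dynamic=True),
]
# ACL with the entry the thread asks for: replies from server port 49
FIXED_ACL = [ORIGINAL_ACL[0],
             Ace("192.168.1.2", TACACS, "192.168.1.6", ANY),
             ORIGINAL_ACL[1]]

# Constructed packets as seen inbound on Ethernet0: (src, sport, dst, dport)
TELNET_TO_ROUTER = ("192.168.1.2", 40001, "192.168.1.6", TELNET)
TACACS_REPLY = ("192.168.1.2", TACACS, "192.168.1.6", 50001)
TELNET_TO_LOOPBACK = ("192.168.1.2", 40002, "131.108.3.1", TELNET)

if __name__ == "__main__":
    print("original ACL, TACACS+ reply:", permitted(ORIGINAL_ACL, TACACS_REPLY))
    print("fixed ACL, TACACS+ reply:", permitted(FIXED_ACL, TACACS_REPLY))
    print("loopback telnet after access-enable:",
          permitted(FIXED_ACL, TELNET_TO_LOOPBACK, dynamic_active=True))
```

The model ignores TCP state and the router's own locally generated traffic; it only illustrates the first-match logic behind the two ACL fixes discussed above.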
This archive was generated by hypermail 2.1.4 : Sat Apr 05 2003 - 08:51:38 GMT-3