From: m destienne (mdestienne@yahoo.com)
Date: Wed Jan 10 2007 - 18:01:42 ART
you'll see this message if aaa is not reachable and a
backup method isn't used. your config doesn't list a
backup method.
verify connectivity from the router to the aaa first.
--- Kal Han <calikali2006@gmail.com> wrote:
> Hi Sekhar
> That usually means your tacacs server IP is not correctly
> configured. The error messages you see are because of that.
> Check in your config
> tacacs-server host x.x.x.x key CISCO
> *if x.x.x.x is the right IP*, check the key also - just in case.
> Rest looks good.
>
> Thanks
> Kal
>
>
> On 1/9/07, V Shekhar <vshekhar25@yahoo.com> wrote:
> >
> > This might be a very basic issue but i am stuck here, any inputs welcome.
> >
> > ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> > aaa new-model
> > !
> > !
> > aaa authentication login VTY_AUTH group tacacs+
> > aaa accounting exec default start-stop group tacacs+
> > aaa session-id common
> >
> > tacacs-server host x.x.x.x key CISCO
> > tacacs-server directed-request
> >
> > line vty 0 4
> > login authentication VTY_AUTH
> > transport input telnet ssh
> > transport output none
> >
> > ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> >
> > Now when i telnet to this router i do not get prompted for a username and
> > password at all.
> > Instead i get this.
> >
> > R6#telnet 150.1.5.5
> > Trying 150.1.5.5 ... Open
> >
> > % Authentication failed.
> >
> > % Authentication failed.
> >
> > % Authentication failed.
> >
> > [Connection to 150.1.5.5 closed by foreign host]
> >
> > On the other hand the ACS (tacacs server) i cannot see anything in passed
> > or failed auth attempts.
> > (Yes i have enabled passed auth logging on ACS)
> > The only time i see a log on ACS is when i have not configured the router
> > as authorized NAS in ACS.
> > I can see TCP port 49 packets via a sniffer reaching to the ACS and ACS
> > responding back.
> >
> > I have an ASA in between the router and the ACS, the ACLs on the router
> > show hits against the ACL which allows TACACS.
> >
> >
> >
> > Thanx,
> > -sHekHar.
> > CCSP/CISSP/RHCE.
>
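
A check for the condition named in the reply at the top of this message, added here as an example and not part of the original thread: it reads IOS configuration text and reports login method lists that name a server group with no backup method, plus lists applied to a line but never defined. The sample configuration is constructed from the quoted lines, and the function names are hypothetical.

```python
import re

# Methods that can still authenticate when the AAA server group returns an error.
LOCAL_FALLBACKS = {"local", "local-case", "enable", "line"}

# Constructed sample: the AAA and vty lines from the quoted configuration.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login VTY_AUTH group tacacs+
aaa accounting exec default start-stop group tacacs+
tacacs-server host x.x.x.x key CISCO
line vty 0 4
 login authentication VTY_AUTH
 transport input telnet ssh
"""

def parse_login_lists(config):
    """Return {list_name: [methods]} for each 'aaa authentication login' line."""
    lists = {}
    for line in config.splitlines():
        m = re.match(r"\s*aaa authentication login (\S+)\s+(.*)", line)
        if m:
            # 'group tacacs+' is a single method written as two tokens.
            lists[m.group(1)] = re.findall(r"group \S+|\S+", m.group(2))
    return lists

def audit(config):
    """Report lists with no (or an open) fallback and undefined list references."""
    lists = parse_login_lists(config)
    findings = []
    for name, methods in lists.items():
        if "none" in methods:
            findings.append((name, "'none' lets logins through when earlier methods error"))
        elif not any(meth in LOCAL_FALLBACKS for meth in methods):
            findings.append((name, "no backup method after " + ", ".join(methods)))
    for ref in re.findall(r"^\s*login authentication (\S+)", config, re.M):
        if ref != "default" and ref not in lists:
            findings.append((ref, "applied to a line but never defined"))
    return findings

if __name__ == "__main__":
    for name, problem in audit(SAMPLE_CONFIG):
        print(f"{name}: {problem}")
```
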
This archive was generated by hypermail 2.1.4 : Thu Feb 08 2007 - 23:46:56 ART