RE: AAA misbehavior

From: Tony Schaffran \(GS\) <groupstudy_at_cconlinelabs.com>
Date: Tue, 02 Feb 2010 06:20:32 -0800

There should be something in the failed attempt logs on the ACS.

If not, then port 49 is not getting from your device to the ACS.

Tony Schaffran
Sr. Network Consultant
CCIE #11071
CCNP, CCNA, CCDA,
NNCDS, NNCSS, CNE, MCSE
 
CCOnlineLabs
Your #1 choice for online Cisco rack rentals.
 

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of CCIE
Sent: Tuesday, February 02, 2010 4:01 AM
To: 'Joseph L. Brunner'; 'groupstudy'
Subject: RE: AAA misbehavior

Meaningful explanation, but the ACS is reachable and I can ping it from the
router, would other causes could make the ACS don't to respond.

-----Original Message-----
From: Joseph L. Brunner [mailto:joe_at_affirmedsystems.com]
Sent: Monday, February 01, 2010 10:04 AM
To: CCIE; 'groupstudy'
Subject: RE: AAA misbehavior

No that's not Misbehavior.

You must have an unreachable tacacs+ server, second method is local (and you
have no local usernames) and then the only option left is NONE
So your fallback method is none

Why not?

aaa authentication login ACS group tacacs+ local line

and then

username root privilege 15 secret C1sco#$@

line vty 0 4
password s0m3good1

Now, AAA will have a local username and line password to fall back to if the
AAA server fails

:)

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of CCIE
Sent: Monday, February 01, 2010 2:55 AM
To: 'groupstudy'
Subject: AAA misbehavior

Hi experts,

 

Strange AAA behaviors, I have the bellow configuration, and the AAA ACS is
running, whenever I tried to access this router it ask for username if I
enter anything (not valid username on the AAA) then enter it immediately
take me to the privilege access, please any advice because that's make me
crazy

 

aaa new-model

aaa authentication login ACS group tacacs+ local none

 

tacacs-server host 10.0.71.18 key Cisco

 

line vty 0 15

login authentication ACS

privilege level 15.

 

Regards,

Amin

Blogs and organic groups at http://www.ccie.net
Received on Tue Feb 02 2010 - 06:20:32 ART

This archive was generated by hypermail 2.2.0 : Mon Mar 01 2010 - 06:28:35 ART