
Re: Username

 
mascarenhas2010
Advisor

Username

Hello friends,

I'm doing authentication by TACACS+ through a Cisco ACS server.

My commands are:

tacacs-server host 10.75.7.135 key cisco
aaa authentication telnet login tacacs+ local

After entering the username and password it comes to this prompt:
Switch>
When I do en it again asks for username and password??

Which username and password do I have to input here? I have not set any other user, only 1 user with manager access. When I enter the same username and password it doesn't accept it; it says Unable to verify password.

2) How can I remove the below commands from the configuration:

aaa authentication telnet login tacacs local
aaa authentication telnet enable tacacs local

Michael_Breuer
Esteemed Contributor

Re: Username

Hello,

Basically, login and enable access are independent authentication processes. But you can configure the switch to honor the privilege mode, avoiding a manager authenticating twice:

# aaa authentication login privilege-mode

2)
To remove a tacacs authentication you have to set it to default:

aaa authentication telnet login local none
aaa authentication telnet enable local none

Cheers,

Michael
Ingentive Networks GmbH
Jeff Carrell
Honored Contributor

Re: Username

'aaa authentication login privilege-mode '

Fyi, this feature/function only works with radius authenticated logins as you must also configure a radius attribute in the radius policy (server) to support its use. The switch expects a specific value to be sent back in the access-accept reply (in the "service-type" field) pkt.

BTW, be sure to configure the radius server for this use first, then add the above command in the switch. Otherwise, if you put the command in and the switch then does not receive one of the 2 values it requires, you will lock yourself out of the access method where radius is being used to support authentication.

Because of the switch's requirement of receiving a specific value in the reply pkt, this feature is not available for tacacs auth.

hth...Jeff
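
Added example, not part of the thread or of any poster's reply: a pre-check for the lockout risk described above, which parses a RADIUS Access-Accept and reports whether it carries a Service-Type the switch could use before `aaa authentication login privilege-mode` is enabled. The thread does not name the two accepted values; the mapping here (6 = Administrative for manager, 7 = NAS-Prompt for operator) is an assumption to confirm against the switch documentation, and the sample packets are constructed.

```python
import struct

ACCESS_ACCEPT = 2          # RADIUS packet code (RFC 2865)
ATTR_SERVICE_TYPE = 6      # RADIUS attribute number for Service-Type
# Assumed mapping, not stated in the thread: confirm against the switch docs.
PRIVILEGE_BY_SERVICE_TYPE = {6: "manager", 7: "operator"}


def service_type(packet: bytes):
    """Return the Service-Type integer from an Access-Accept, or None."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    if code != ACCESS_ACCEPT:
        return None
    pos = 20                                   # skip header + authenticator
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        if attr_type == ATTR_SERVICE_TYPE and attr_len == 6:
            return struct.unpack("!I", packet[pos + 2:pos + 6])[0]
        pos += attr_len
    return None


def privilege_mode_safe(packet: bytes) -> str:
    """Say whether this reply would let privilege-mode place the user."""
    value = service_type(packet)
    level = PRIVILEGE_BY_SERVICE_TYPE.get(value)
    if level is None:
        return "UNSAFE: no usable Service-Type, enabling privilege-mode risks lockout"
    return f"OK: Service-Type {value} -> {level}"


def build_accept(attrs):
    """Constructed sample reply (zeroed authenticator, not a real capture)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body)) + bytes(16) + body


if __name__ == "__main__":
    good = build_accept([(18, b"welcome"), (6, struct.pack("!I", 6))])
    bad = build_accept([(18, b"welcome")])      # server policy not configured yet
    print(privilege_mode_safe(good))
    print(privilege_mode_safe(bad))
```

Feed it the raw UDP payload of a reply captured from a test login; the constructed packets only show the two outcomes.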
mascarenhas2010
Advisor

Re: Username

Hello,

I want to do single login by ACS server, and local when ACS fails. What commands do I have to apply? Please guide.

I'm using tacacs.

aaa authentication login privilege command doesn't work.

Please help.
Jeff Carrell
Honored Contributor

Re: Username

mascarenhas2010 said: "I want to do single login by ACS server, and local when ACS fails. What commands do I have to apply? Please guide.

I'm using tacacs."

Using tacacs, you do not get that option on ProVision software.

If you use the ACS and use its radius auth services (I've been told ACS can do radius), then you can use the above command and explicit config in the radius server (see the docs).

hth...Jeff