This isn't a typo is it?

    aaa authentication login default group TACACS line!
should it be:

    aaa authentication login default group TACACS line    <<< no "!"

On Thu, Dec 3, 2020 at 2:13 PM Eric Van Tol <[email protected]> wrote:
> No, all I have is:
>
> control-plane
>  management-plane
>   inband
>    interface TenGigE0/0/0/27
>     allow all
>    !
>    interface TenGigE0/0/0/23.1550
>     allow all
>    !
>    interface TenGigE0/0/0/25.1550
>     allow all
>    !
>   !
>  !
>
> What exactly does this do? I mean, I have an inkling, but I wouldn't
> expect TACACS to work at all if I was missing a config to allow it to
> respond to the router.
>
> From: Scott Miller <[email protected]>
> Date: Thursday, December 3, 2020 at 1:52 PM
> To: Eric Van Tol <[email protected]>
> Cc: "[email protected]" <[email protected]>
> Subject: Re: [c-nsp] AAA on IOS-XR (NCS540)
>
> Do you have the control-plane set up?
>
> tacacs source-interface Loopback100 vrf default
> tacacs-server host 11.11.11.11 port 49
>  key 7 xxxxxxxxxxxxxxxxxxxxxxxx
> !
> tacacs-server host 22.22.22.22 port 49
>  key 7 xxxxxxxxxxxxxxxxxxxxxxxx
> !
>
> aaa accounting exec default start-stop group acs-tacacs
> aaa accounting system default start-stop group acs-tacacs
> aaa accounting commands default start-stop group acs-tacacs
> aaa group server tacacs+ acs-tacacs
>  server 11.11.11.11
>  server 22.22.22.22
> !
> aaa authorization exec default group acs-tacacs local
> aaa authorization commands default group acs-tacacs none
> aaa authentication login default group acs-tacacs local
>
> line console
>  exec-timeout 10 0
> !
> line default
>  password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxx
>  exec-timeout 30 0
>  session-timeout 30
>  transport input ssh
> !
> vty-pool default 0 20
>
> control-plane
>  management-plane
>   inband
>    interface all
>     allow all peer
>      address ipv4 11.12.12.12
>      address ipv4 11.13.13.13
>      address ipv4 11.14.14.14
>
> On Thu, Dec 3, 2020 at 11:33 AM Eric Van Tol <[email protected]> wrote:
> Hi all,
> I'm going nuts here trying to get my AAA set up on an NCS. The goal is to
> authenticate against TACACS on VTY lines but either use the local user
> database or line/enable for console access and I cannot get it right.
> Sometimes my VTY authentication fails the first time and it requires you to
> put in your password a second time, even though the TACACS servers are
> definitely available. I cannot get console access to work properly at all.
> I'm running XR 7.1.1. Here's the aaa portion of the config:
>
> tacacs source-interface Loopback1 vrf default
> tacacs-server host 192.168.45.126 port 49
>  key 7 ******
>  single-connection
> !
> tacacs-server host 192.168.46.126 port 49
>  key 7 ******
>  timeout 3
>  single-connection
> !
> username admin
>  group root-lr
>  group cisco-support
>  secret 10 $secretpass
> !
> aaa group server tacacs+ TACACS
>  server 192.168.45.126
>  server 192.168.46.126
> !
> aaa authorization exec CONSOLE local
> aaa authorization exec default group TACACS local
> aaa authentication login CONSOLE local line
> aaa authentication login default group TACACS line!
> !
> line console
>  password 7 ******
>  authorization exec CONSOLE
>  login authentication CONSOLE
> !
> line default
>  password 7 ******
>  timeout login response 30
>  authorization exec default
>  login authentication default
>  exec-timeout 0 0
>  access-class ingress access-protect
>  session-timeout 120
>  transport input ssh
> !
>
> I've tried different permutations of the line console config and can't get
> the right combination. Can someone point me in the right direction here?
>
> Thanks in advance,
> evt
>
> _______________________________________________
> cisco-nsp mailing list [email protected]
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
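A stray character in a method list, like the `line!` Scott flagged above, is easy to miss by eye, and an IOS-XR AAA config has a few other things worth checking mechanically at the same time: every `group <name>` in a method list should name a defined `aaa group server`, every `login authentication` / `authorization exec` under a `line` template should name a defined list, and a list that ends in `none` deserves a second look because it applies no check when all earlier methods error out (servers unreachable). The linter below is an added example written for this page; it is not Cisco tooling and not code from anyone in the thread. It assumes the method keywords are `local`, `line`, `none` and `group <name>`, and that the config uses the one-space indentation IOS-XR prints. The embedded sample is the AAA portion of Eric's posted config, reproduced as constructed input with the keys redacted as in the post.

```python
import re
from typing import Dict, List, Set, Tuple

Finding = Tuple[str, str]  # (code, detail)

# Method keywords this example accepts in a login / exec / commands method
# list (assumption for the example); `group <name>` is handled separately.
KNOWN_METHODS = {"local", "line", "none"}

METHOD_LIST_RE = re.compile(
    r"^aaa (?P<kind>authentication login|authorization exec|authorization commands)"
    r" (?P<name>\S+)(?P<rest>.*)$")
GROUP_DEF_RE = re.compile(r"^aaa group server (?:tacacs\+|radius) (?P<name>\S+)$")
LINE_TMPL_RE = re.compile(r"^line (?P<tmpl>console|default|template \S+)$")
LINE_REF_RE = re.compile(r"^\s+(?P<kind>login authentication|authorization exec) (?P<name>\S+)$")
# `line` sub-command -> the `aaa ...` list kind it refers to
LINE_REF_KIND = {"login authentication": "authentication login",
                 "authorization exec": "authorization exec"}


def parse_methods(rest: str) -> List[str]:
    """'group TACACS line' -> ['group:TACACS', 'line']; unknown tokens are kept verbatim."""
    toks, methods, i = rest.split(), [], 0
    while i < len(toks):
        if toks[i] == "group" and i + 1 < len(toks):
            methods.append("group:" + toks[i + 1])
            i += 2
        else:
            methods.append(toks[i])
            i += 1
    return methods


def lint_aaa(config: str) -> List[Finding]:
    """Parse method lists, server groups and line templates; return (code, detail) findings."""
    groups: Set[str] = set()
    lists: Dict[str, Dict[str, List[str]]] = {}   # kind -> list name -> methods
    line_refs: List[Tuple[str, str, str]] = []    # (template, kind, list name)
    current_tmpl = None
    for raw in config.splitlines():
        if raw.strip() == "!":                    # IOS-XR block terminator
            current_tmpl = None
        elif (m := GROUP_DEF_RE.match(raw)):
            groups.add(m["name"])
        elif (m := METHOD_LIST_RE.match(raw)):
            lists.setdefault(m["kind"], {})[m["name"]] = parse_methods(m["rest"])
        elif (m := LINE_TMPL_RE.match(raw)):
            current_tmpl = m["tmpl"]
        elif current_tmpl and (m := LINE_REF_RE.match(raw)):
            line_refs.append((current_tmpl, LINE_REF_KIND[m["kind"]], m["name"]))

    findings: List[Finding] = []
    for kind, by_name in lists.items():
        for name, methods in by_name.items():
            where = f"aaa {kind} {name}"
            for meth in methods:
                if meth.startswith("group:") and meth[6:] not in groups:
                    findings.append(("undefined-group", f"{where}: group {meth[6:]!r} is not defined"))
                elif not meth.startswith("group:") and meth not in KNOWN_METHODS:
                    findings.append(("unknown-method",
                                     f"{where}: unexpected token {meth!r} (typo or stray '!'?)"))
            if methods and methods[-1] == "none":
                findings.append(("fail-open-none",
                                 f"{where}: ends in 'none'; if every earlier method errors "
                                 "(e.g. servers unreachable), no check is applied"))
    for tmpl, kind, name in line_refs:
        if name not in lists.get(kind, {}):
            findings.append(("undefined-method-list",
                             f"line {tmpl}: refers to aaa {kind} {name!r}, which is not defined"))
    return findings


# Constructed sample: the AAA portion of the config posted in the thread, keys redacted as posted.
THREAD_CONFIG = """\
aaa group server tacacs+ TACACS
 server 192.168.45.126
 server 192.168.46.126
!
aaa authorization exec CONSOLE local
aaa authorization exec default group TACACS local
aaa authentication login CONSOLE local line
aaa authentication login default group TACACS line!
!
line console
 password 7 ******
 authorization exec CONSOLE
 login authentication CONSOLE
!
line default
 password 7 ******
 timeout login response 30
 authorization exec default
 login authentication default
 exec-timeout 0 0
 access-class ingress access-protect
 session-timeout 120
 transport input ssh
!
"""

if __name__ == "__main__":
    for code, detail in lint_aaa(THREAD_CONFIG):
        print(f"{code}: {detail}")
```

Run against the sample it reports exactly one finding, the `unknown-method` for `'line!'` on the default login list; everything else in that config (the `TACACS` group, the `CONSOLE` and `default` lists referenced from `line console` and `line default`) resolves. Feed it Scott's config instead and the `aaa authorization commands default group acs-tacacs none` line is reported as `fail-open-none`, which is the trade-off that line makes deliberately (keep working when both servers are down) and should be a conscious choice rather than an accident.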
