Yes, that was a copy-paste typo.

From: Aaron <[email protected]>
Date: Thursday, December 3, 2020 at 2:18 PM
To: Eric Van Tol <[email protected]>
Cc: Scott Miller <[email protected]>, "[email protected]" <[email protected]>
Subject: Re: [c-nsp] AAA on IOS-XR (NCS540)

EXTERNAL - Do not click links or open attachments from an unverified source/sender.

This isn't a typo, is it?

aaa authentication login default group TACACS line!

should it be

aaa authentication login default group TACACS line   <<< no !

On Thu, Dec 3, 2020 at 2:13 PM Eric Van Tol <[email protected]> wrote:

No, all I have is:

control-plane
 management-plane
  inband
   interface TenGigE0/0/0/27
    allow all
   !
   interface TenGigE0/0/0/23.1550
    allow all
   !
   interface TenGigE0/0/0/25.1550
    allow all
   !
  !

What exactly does this do? I mean, I have an inkling, but I wouldn't expect TACACS to work at all if I was missing a config to allow it to respond to the router.

From: Scott Miller <[email protected]>
Date: Thursday, December 3, 2020 at 1:52 PM
To: Eric Van Tol <[email protected]>
Cc: "[email protected]" <[email protected]>
Subject: Re: [c-nsp] AAA on IOS-XR (NCS540)

Do you have the control-plane set up?

tacacs source-interface Loopback100 vrf default
tacacs-server host 11.11.11.11 port 49
 key 7 xxxxxxxxxxxxxxxxxxxxxxxx
!
tacacs-server host 22.22.22.22 port 49
 key 7 xxxxxxxxxxxxxxxxxxxxxxxx
!
aaa accounting exec default start-stop group acs-tacacs
aaa accounting system default start-stop group acs-tacacs
aaa accounting commands default start-stop group acs-tacacs
aaa group server tacacs+ acs-tacacs
 server 11.11.11.11
 server 22.22.22.22
!
aaa authorization exec default group acs-tacacs local
aaa authorization commands default group acs-tacacs none
aaa authentication login default group acs-tacacs local
line console
 exec-timeout 10 0
!
line default
 password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxx
 exec-timeout 30 0
 session-timeout 30
 transport input ssh
!
vty-pool default 0 20
control-plane
 management-plane
  inband
   interface all
    allow all
    peer
     address ipv4 11.12.12.12
     address ipv4 11.13.13.13
     address ipv4 11.14.14.14

On Thu, Dec 3, 2020 at 11:33 AM Eric Van Tol <[email protected]> wrote:

Hi all,

I'm going nuts here trying to get my AAA set up on an NCS. The goal is to authenticate against TACACS on VTY lines but either use the local user database or line/enable for console access and I cannot get it right. Sometimes my VTY authentication fails the first time and it requires you to put in your password a second time, even though the TACACS servers are definitely available. I cannot get console access to work properly at all. I'm running XR 7.1.1. Here's the aaa portion of the config:

tacacs source-interface Loopback1 vrf default
tacacs-server host 192.168.45.126 port 49
 key 7 ******
 single-connection
!
tacacs-server host 192.168.46.126 port 49
 key 7 ******
 timeout 3
 single-connection
!
username admin
 group root-lr
 group cisco-support
 secret 10 $secretpass
!
aaa group server tacacs+ TACACS
 server 192.168.45.126
 server 192.168.46.126
!
aaa authorization exec CONSOLE local
aaa authorization exec default group TACACS local
aaa authentication login CONSOLE local line
aaa authentication login default group TACACS line!
!
line console
 password 7 ******
 authorization exec CONSOLE
 login authentication CONSOLE
!
line default
 password 7 ******
 timeout login response 30
 authorization exec default
 login authentication default
 exec-timeout 0 0
 access-class ingress access-protect
 session-timeout 120
 transport input ssh
!

I've tried different permutations of the line console config and can't get the right combination. Can someone point me in the right direction here?

Thanks in advance,
evt

_______________________________________________
cisco-nsp mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
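An added example, not from the thread or from Cisco: a small Python linter for IOS-XR style AAA fragments that catches the kind of pasted-config defect Aaron spotted (a `!` block terminator fused onto a keyword, as in `line!`) and, as a second check, `line` templates whose `login authentication` / `authorization exec` statements reference a method list that is never defined, or method lists that name a `group` with no matching `aaa group server`. The sample config is constructed from Eric's posted fragment with secrets masked; the function names are my own.

```python
"""Lint an IOS-XR style AAA config fragment (added example, not from the thread).

Two checks: a '!' terminator glued onto the last keyword of a line (the
`line!` copy-paste typo), and dangling references between line templates,
method lists and server groups.
"""
import re

# Constructed sample: Eric's AAA block as posted, secrets masked, typo kept.
SAMPLE_CONFIG = """\
aaa group server tacacs+ TACACS
 server 192.168.45.126
 server 192.168.46.126
!
aaa authorization exec CONSOLE local
aaa authorization exec default group TACACS local
aaa authentication login CONSOLE local line
aaa authentication login default group TACACS line!
!
line console
 password 7 ******
 authorization exec CONSOLE
 login authentication CONSOLE
!
line default
 password 7 ******
 authorization exec default
 login authentication default
 transport input ssh
!
"""

# A non-blank token immediately followed by '!' at end of line.
FUSED_BANG = re.compile(r"\S+!$")


def find_fused_terminators(config):
    """Return (line_no, text) for lines whose last token has a '!' glued to it."""
    hits = []
    for n, raw in enumerate(config.splitlines(), 1):
        text = raw.strip()
        if text != "!" and FUSED_BANG.search(text):
            hits.append((n, text))
    return hits


def parse_aaa(config):
    """Collect server groups, method lists and line-template references.

    Returns (groups, lists, refs): groups is the set of names from
    'aaa group server ...', lists maps (kind, name) -> method tokens, refs is
    a list of (template, kind, name) for each 'login authentication' or
    'authorization exec' statement inside a top-level 'line ...' block.
    """
    groups, lists, refs = set(), {}, []
    template = None
    for raw in config.splitlines():
        text = raw.rstrip().rstrip("!").rstrip()  # tolerate a fused '!'
        if not text.strip():
            continue
        parts = text.split()
        if not raw[:1].isspace():  # top-level statement
            template = parts[1] if parts[0] == "line" and len(parts) > 1 else None
            if parts[:3] == ["aaa", "group", "server"] and len(parts) >= 5:
                groups.add(parts[4])
            elif parts[:3] == ["aaa", "authentication", "login"] and len(parts) >= 5:
                lists[("authentication login", parts[3])] = parts[4:]
            elif parts[:3] == ["aaa", "authorization", "exec"] and len(parts) >= 5:
                lists[("authorization exec", parts[3])] = parts[4:]
        elif template:  # indented line inside a 'line <template>' block
            if parts[:2] == ["login", "authentication"] and len(parts) == 3:
                refs.append((template, "authentication login", parts[2]))
            elif parts[:2] == ["authorization", "exec"] and len(parts) == 3:
                refs.append((template, "authorization exec", parts[2]))
    return groups, lists, refs


def lint_aaa(config):
    """Return human-readable findings; an empty list means both checks passed."""
    findings = [f"line {n}: '!' fused onto a keyword, probably a copy-paste error: {t}"
                for n, t in find_fused_terminators(config)]
    groups, lists, refs = parse_aaa(config)
    for (kind, name), methods in lists.items():
        for i, tok in enumerate(methods):
            if tok == "group" and i + 1 < len(methods):
                grp = methods[i + 1]
                if grp not in groups and grp not in ("tacacs+", "radius"):
                    findings.append(f"aaa {kind} {name}: server group {grp} is not defined")
    for template, kind, name in refs:
        if (kind, name) not in lists:
            findings.append(f"line {template}: references undefined aaa {kind} list {name}")
    return findings


if __name__ == "__main__":
    for finding in lint_aaa(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports only the fused `line!`; once that line is split into `line` and a separate `!`, the fragment passes. The reference check is the part worth keeping in a pre-push hook: a `line console` block that points at a `CONSOLE` list which was never committed is exactly the sort of thing that locks you out of the console while VTY keeps working.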
