First #1: If tacacs+ is first it will go to the server for authentication. If
the server goes down it will use local. That's probably what you want. The
local allows you to log in to fix a router problem if the server is down.

And #2: It looks like you are telling it to use tacacs+ for authentication,
and then using a list no_tacacs to get to line (character) mode. Did you set
up a no_tacacs list?

"Robert Yee" <[EMAIL PROTECTED]> wrote in message
news:08C6D6CAB775D411AAF2001083FC7DD50198AD@PFCMAIL...
> Hi all,
> I'm in the process of testing out an AAA config on a router, and if
> successful I will be rolling this out to my network.
> The config seems to work very well with CiscoSecure ACS for NT 2.4. However,
> there are some quirks that I'm just not sure about.
> The following is the config that I'm using:
> hostname Router1
> !
> aaa new-model
> aaa authentication login list1 local group tacacs+
> aaa authentication ppp list1 local group tacacs+
> aaa authorization exec list1 local group tacacs+
> aaa authorization network list1 local group tacacs+
> aaa accounting exec list1 start-stop group tacacs+
> aaa accounting network list1 start-stop group tacacs+
> enable password cisco
> !
> username user1 password 0 cisco
> !
> tacacs-server host 172.16.1.211
> tacacs-server key 12345
> !
> line con 0
> password cisco
> transport input none
> line aux 0
> line vty 0 4
> password cisco
> login authentication list1
> Questions:
> 1. When I try and set up the method list (list1) for authentication with
> tacacs+ first then local, it does not allow local authentication, it will
> only look to the tacacs+ server for validation. However, if I list local
> first, then tacacs+, it'll work as desired. Why is this so? Shouldn't it
> work the other way around also?
> 2. I've chosen to implement the authentication on vty sessions only by using
> the 'login authentication list1' command that I read on CCO. The ACS software
> suggested that I use the combination 'aaa authen login no_tacacs enable/line
> con 0/ login authen no_tacacs' command. However, when I tried this, it
> totally bombed. What did I do wrong?
> Thanks!
> Robert
>
> _________________________________
> FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
>
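To show why the two orderings of list1 behave differently, here is an added Python model of IOS method-list evaluation; it is not part of either post and not Cisco code. It assumes the usual semantics: a method that rejects stops the list, only a method that cannot decide (TACACS+ server unreachable, or a username absent from the local database) falls through to the next method, and the "netadmin" TACACS+ account is a constructed stand-in.

```python
from enum import Enum

class Result(Enum):
    PASS = "pass"    # method accepted the credentials
    FAIL = "fail"    # method reached a decision: reject, stop the list
    ERROR = "error"  # method could not decide, try the next method

# Constructed credential stores standing in for the posted config.
LOCAL_USERS = {"user1": "cisco"}             # 'username user1 password 0 cisco'
TACACS_USERS = {"netadmin": "Tac4cs-only"}   # constructed account on the ACS server

def method_local(user, password, server_up):
    """'local' method. Assumption: an unknown user is ERROR (continue),
    a known user with a wrong password is FAIL (stop)."""
    if user not in LOCAL_USERS:
        return Result.ERROR
    return Result.PASS if LOCAL_USERS[user] == password else Result.FAIL

def method_tacacs(user, password, server_up):
    """'group tacacs+' method: unreachable server is ERROR, any reply is final."""
    if not server_up:
        return Result.ERROR
    return Result.PASS if TACACS_USERS.get(user) == password else Result.FAIL

def run_method_list(methods, user, password, server_up=True):
    """Walk the list like 'aaa authentication login list1 ...': the first
    method that returns PASS or FAIL decides; ERROR falls through.
    Returns (result, name of the deciding method)."""
    for method in methods:
        result = method(user, password, server_up)
        if result is not Result.ERROR:
            return result, method.__name__
    return Result.FAIL, "none"   # every method errored: deny

TACACS_FIRST = [method_tacacs, method_local]   # 'group tacacs+ local'
LOCAL_FIRST = [method_local, method_tacacs]    # 'local group tacacs+'

if __name__ == "__main__":
    cases = [
        (TACACS_FIRST, "user1", "cisco", True),          # server up: server rejects, local never asked
        (TACACS_FIRST, "user1", "cisco", False),         # server down: local is the fallback
        (LOCAL_FIRST, "user1", "cisco", True),           # local account never reaches the server
        (LOCAL_FIRST, "netadmin", "Tac4cs-only", True),  # unknown locally, decided by the server
    ]
    for methods, user, pw, up in cases:
        names = "->".join(m.__name__ for m in methods)
        print(f"{names:30} {user:9} server_up={up!s:5} {run_method_list(methods, user, pw, up)}")
```

The first two cases are the behaviour described in question 1 and in the answer to #1: with tacacs+ first, user1 is rejected by the server while it is up and only succeeds once the server is unreachable. The third case is the trade-off of putting local first: a local account is accepted without the TACACS+ server ever seeing or accounting for the login.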
