Hannes,

In your config you have the line:

aaa authentication login default tacacs+ enable

What this means is "for users logging into this device (or devices supported
via this device, i.e. your terminals) use the following methods (default):
tacacs+ if it is configured correctly, the router can contact the tacacs+
server, and the keys match; and then the local router's enable password if
this fails."

The "default" method works a bit like a gateway of last resort.  If the
router can find no other way to authenticate users it will choose this
method and apply it to authenticate.  You need to create a new method and
apply it to the tty lines to authenticate users connecting in this manner.
(NB: This config is in addition to what you already have.)

try:

aaa authentication login terminal_authentication local

line 1 8
 login authentication terminal_authentication

Here you've created a new method called "terminal_authentication" which
requires the router to use the local username database to authenticate
users.  You've then applied this to lines 1-8 on the router (which are your
terminal lines).

If you want to be able to authenticate with the default password after this
you could add it onto the end after the word local, i.e.

aaa authentication login terminal_authentication local enable

You can keep adding more and more authentication methods onto the end of the
line and if it cannot create a valid connection to the data source in
question, be it local or remote, it will go through them 'til it finds one
that it can.  However you should be safe with only local authentication as
you can drop into terminal server and sort the config out if anything goes
wrong.  As an aside, if you have any terminal lines that other users require
that do not need authenticating create the following:

aaa authentication login no_authentication none

line [whatever the line no. is]
 login authentication no_authentication

This can be useful as over the years people have a habit of connecting
devices to aux ports on routers and using port 2001 to connect to them.
Since aaa authentication with a default method enforces authentication on
anyone passing through it, these people get caught and a no-authentication
method needs to be set up.

Cheers,

Si
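To make Si's description of method lists concrete, here is a small Python model (an added example, not anything from the thread or from Cisco IOS itself) of how a line's list is selected and walked: a line with no `login authentication` of its own uses `default`, and only a method that errors (the tacacs+ server cannot be contacted) falls through to the next one, while a pass or fail is final. It assumes constructed sample accounts and placeholder passwords, and simplifies the local method to a plain pass/fail check.

```python
from dataclasses import dataclass, field

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

@dataclass
class Router:
    method_lists: dict            # list name -> ordered methods
    line_lists: dict              # line -> named list; unlisted lines use "default"
    local_users: dict             # constructed sample accounts
    enable_password: str
    tacacs_reachable: bool = True
    tacacs_users: dict = field(default_factory=dict)

    def try_method(self, method, user, password):
        if method == "none":
            return PASS
        if method == "enable":
            return PASS if password == self.enable_password else FAIL
        if method == "local":  # simplified: unknown user and wrong password both FAIL
            return PASS if self.local_users.get(user) == password else FAIL
        if not self.tacacs_reachable:  # tacacs+: no reply from the server is an ERROR,
            return ERROR               # the only outcome that falls through
        return PASS if self.tacacs_users.get(user) == password else FAIL

    def login(self, line, user, password):
        """Return (list used, method that decided, outcome)."""
        # No 'login authentication <name>' on the line: use the default list.
        name = self.line_lists.get(line, "default")
        for method in self.method_lists[name]:
            outcome = self.try_method(method, user, password)
            if outcome != ERROR:       # PASS and FAIL are final
                return name, method, outcome
        return name, None, FAIL        # every method errored: access denied


def build_router(lines_patched=True, tacacs_reachable=True):
    """Hannes' 2509 before (lines 1-8 still on default) and after Si's fix."""
    line_lists = {"aux 0": "no_authentication"}
    if lines_patched:
        line_lists.update({str(n): "terminal_authentication" for n in range(1, 9)})
    return Router(
        method_lists={"default": ["tacacs+", "enable"],
                      "terminal_authentication": ["local", "enable"],
                      "no_authentication": ["none"]},
        line_lists=line_lists,
        local_users={"kala": "kala"},  # the username in Hannes' config
        enable_password="ENABLE-PLACEHOLDER",
        tacacs_reachable=tacacs_reachable,
        tacacs_users={"hannes": "TACACS-PLACEHOLDER"},
    )
```

Running `build_router(lines_patched=False).login("3", "kala", "kala")` reproduces Hannes' problem (line 3 goes to tacacs+ and is refused), while the patched router decides the same login with the local database.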

"Kumari, Hannes" wrote in message news:[EMAIL PROTECTED]...
> Hi All,
>
> I'm trying to configure a 2509 (with 8 async ports) as a terminal server
> so that I could access my network devices via console port.
> I have my default tacacs policy in place, but in addition to that I
> would like to have a separate policy for third parties (the IT department
> needs console access to servers as well).
> And now the problem: when trying to reverse-telnet like this:
>
> telnet 10.10.10.10 2001
>
> It first checks the tacacs for authentication, but I have no intention to
> auth. 3rd parties through tacacs, but
> have created local usernames/passwords in the 2509.
> What should the config look like in order for it to check local
> usernames/passwords first before tacacs auth.
>
> -------
> my current conf in 2509
>
> aaa new-model
> aaa authentication login default tacacs+ enable
> aaa authentication enable default tacacs+ enable
> aaa authorization exec default tacacs+  if-authenticated
> ...
> username kala password 0 kala
>
> rgds,
>
> Hannes Kumari

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=34662&t=34607
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html