I'm also assuming you have the actual TACACS+ server configured with the
key?

        tacacs-server host 
        tacacs-server timeout 15
        tacacs-server key 

Also try changing the line to:

        aaa authentication login default group tacacs+ local

To specify going to all TACACS+ servers before the local account db.

If your TACACS+ authenticates the router by IP of the router and key,
make sure the correct combination is in the server.
Otherwise see if you can provide outputs for "show tacacs" and a
"debug aaa authentication" while a user is trying to log in.

Thanks
John

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Amer
Sent: Tuesday, December 17, 2002 2:30 PM
To: [EMAIL PROTECTED]
Subject: ACS Authentication/Auth/Accounting [7:59393]

Okay I've got my login authentication, authorization and accounting
working on most of my switches and routers through an ACS (TACACS+).
But I have this one router that gives me an "% Error in authentication"
message as soon as I put in my username.  It doesn't even allow me to
put in a password.  The only way I can get into it is through the local
account that I have created on it.  I've checked a similar router (same
IOS, exact same configuration), and it works okay.... so what can I look
for to troubleshoot this problem??
Thanks in advance.

Here is the config on the router:

aaa new-model
aaa authentication login default local tacacs+
aaa authentication enable default enable tacacs+
aaa authorization exec default tacacs+ local
aaa authorization network default none
aaa accounting update newinfo
aaa accounting exec default start-stop tacacs+
aaa accounting commands 15 default start-stop tacacs+
aaa accounting network default start-stop tacacs+

P.S.  Does anyone know of a way to filter out the commands that can be
accounted for at the ACS?  At the moment, the accounting is working
great but it accounts for every command that's put in.  I have an access
list on one of my routers that is about 150 lines long and gets modified
constantly and every command is accounted for in the ACS Accounting.
I'm trying to see if there's a way to filter out that particular
access-list and not account for it every time.  Thanks again.

Amer




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=59424&t=59393
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
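
A small audit of the points raised in the reply above, added here as an example and not part of either message: it flags method lists that try `local` before TACACS+, method lists that use the bare `tacacs+` keyword rather than `group tacacs+`, and a configuration that references TACACS+ without `tacacs-server host` and `tacacs-server key` values. The finding names, the `audit_aaa` function and the sample text are this example's own, and applying the `group` check to every method list goes beyond the single line the reply changes.

```python
import re

# Constructed sample: the AAA lines posted in the original message plus a
# tacacs-server timeout line; host and key lines are deliberately absent.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local tacacs+
aaa authentication enable default enable tacacs+
aaa authorization exec default tacacs+ local
aaa authorization network default none
aaa accounting update newinfo
aaa accounting exec default start-stop tacacs+
tacacs-server timeout 15
"""

METHOD_LIST = re.compile(r"^aaa (authentication|authorization|accounting) ")


def audit_aaa(config):
    """Return (finding, config line) pairs; finding names are this example's own."""
    findings = []
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    uses_tacacs = False
    for line in lines:
        if not METHOD_LIST.match(line):
            continue
        tokens = line.split()
        if "tacacs+" not in tokens:
            continue
        uses_tacacs = True
        t = tokens.index("tacacs+")
        # The reply's suggested form is "group tacacs+", not a bare "tacacs+".
        if tokens[t - 1] != "group":
            findings.append(("bare-tacacs-keyword", line))
        # "local" listed ahead of TACACS+ means the local db is consulted first.
        if "local" in tokens and tokens.index("local") < t:
            findings.append(("local-before-tacacs", line))
    if uses_tacacs:
        # A host or key line with no argument (pasted blank) counts as missing.
        for setting in ("host", "key"):
            if not any(re.match(rf"^tacacs-server {setting} \S+", ln) for ln in lines):
                findings.append((f"missing-tacacs-server-{setting}", ""))
    return findings


if __name__ == "__main__":
    for finding, line in audit_aaa(SAMPLE_CONFIG):
        print(f"{finding:28} {line}")
```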