AAA Config question

2000-12-22 Thread Robert Yee

Hi all, 
I'm in the process of testing out an AAA config on a router, and if
successful I will be rolling this out to my network. 
The config seems to work very well with CiscoSecure ACS for NT 2.4. However,
there are some quirks that I'm just not sure about. 
The following is the config that I'm using: 
hostname Router1
!
aaa new-model
aaa authentication login list1 local group tacacs+
aaa authentication ppp list1 local group tacacs+
aaa authorization exec list1 local group tacacs+ 
aaa authorization network list1 local group tacacs+ 
aaa accounting exec list1 start-stop group tacacs+
aaa accounting network list1 start-stop group tacacs+
enable password cisco
!
username user1 password 0 cisco
!
tacacs-server host 172.16.1.211
tacacs-server key 12345
!
line con 0
password cisco
transport input none
line aux 0
line vty 0 4
password cisco
login authentication list1 
Questions: 
1. When I try and set up the method list (list1) for authentication with
tacacs+ first then local, it does not allow local authentication, it will
only look to the tacacs+ server for validation. However, if I list local
first, then tacacs+, it'll work as desired. Why is this so? Shouldn't it
work the other way around also? 
2. I've chosen to implement the authentication on vty sessions only by using
the 'login authentication list1' command that I read on CCO. The ACS software
suggested that I use the combination 'aaa authen login no_tacacs enable/line
con 0/ login authen no_tacas' command. However, when I tried this, it
totally bombed. What did I do wrong? 
Thanks! 
Robert 

_
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: AAA Config question

2000-12-22 Thread ItsMe

First #1 If tacacs+ is first it will go to the server for authentication. If
the server goes down it will use local. That's probably what you want. The
local allows you to login to fix a router problem if the server is down.

And #2 It looks like you are telling it to use tacacs+ for authentication,
and then using a list no_tacacs to get to line (character) mode, did you set
up a no_tacacs list?




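An added configuration example, not Robert's or ItsMe's, that applies the reply's point: the vty lists consult TACACS+ first and use the local database only when the server cannot be reached, while the console gets its own list that never touches the server. It reuses the server address and key from the thread; the enable secret and local password are placeholders.

```cisco
! Added example (not from either post). Method lists are tried in order, and
! IOS moves to the next method only when a method returns an error (server
! down or unreachable). A rejected password does NOT fall through, which is
! why a local-only user is refused while the TACACS+ server is up.
aaa new-model
!
! Remote (vty) sessions: server first, local database as the fallback.
aaa authentication login list1 group tacacs+ local
aaa authorization exec list1 group tacacs+ local
aaa accounting exec list1 start-stop group tacacs+
!
! Console-only list that never consults the server: the enable secret alone
! authenticates, so the console stays reachable if both TACACS+ and the local
! database are unavailable (for example during a botched rollout).
aaa authentication login no_tacacs enable
aaa authorization exec no_tacacs none
!
! Placeholders, replace before use ("username ... secret" needs an IOS release
! that supports it; older releases only take "password").
enable secret <ENABLE_SECRET_PLACEHOLDER>
username user1 secret <LOCAL_PASSWORD_PLACEHOLDER>
!
! Server and shared key as given in the thread.
tacacs-server host 172.16.1.211
tacacs-server key 12345
!
line con 0
 login authentication no_tacacs
 authorization exec no_tacacs
 transport input none
line vty 0 4
 login authentication list1
 authorization exec list1
 accounting exec list1
```

Unlike the posted config, both lists are defined before they are referenced on a line, so applying `login authentication no_tacacs` to the console no longer points at a list that does not exist.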