Simple ACS question 1

Status
Not open for further replies.

burtsbees (Programmer, joined Jan 29, 2007, US)
I have ACS loaded on Win 2000 Advanced Server (ACS 3.0), and I cannot telnet to routers that authenticate to it. I have a user set up with cisco and cisco in ACS, and the routers will authenticate at the console with this username and setup. The aaa commands are

aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local

line vty 0 4
 login authentication default
 authorization exec default

Why can I use the cisco and cisco for console but not telnet? What am I missing?

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
What does the AAA config look like? Please include the tacacs host commands.

I don't think you need:
login authentication default
authorization exec default

on line vty 0 4
 
Forgot

At first I did not have anything on the line vty 0 4...

tacacs-server key xxxxxxxx
tacacs-server host 10.5.5.2

It can be pinged all around and the key on the server is the same. Like I said, I have cisco and cisco set up in the server user setup ONLY, not in the router at all.

I just want to know what is needed for me to telnet using the tacacs+ server...

Thanks North Man.

 
Is this a pix or a router?

pix(config)#aaa authentication {telnet | ssh | http | serial} console {LOCAL | server_group [LOCAL]}


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
I've used ACS, and here is my config for the router:

config t
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa accounting network default start-stop group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 10 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local

tacacs-server host 172.x.x.x
tacacs-server attempts 5
tacacs-server key XXXXXXXX
end
wr mem

*************************************************************

Additions to ACS

Double-click Cisco Secure ACS on the desktop
Click on Network Configuration
Add Entry
Add the AAA Client Hostname
Add whichever switch or router with the correct IP address
Add key n3tw0rk1ng
Click 'Submit + Restart'

I don't have anything in line vty 0 4
 
Brent---router

North---what username and password would you use? One that is setup in "User Setup" in ACS, right?

I get "Authorization failure" every time, but I am successful at the console...

 
Also have

aaa authorization network default group tacacs+ local

 
create a local password like:

username admin password XXXXX
enable secret XXXXX
 
And that is what you use when you telnet? Not a user that you create in ACS?

 
You need a local account so that you are prompted for credentials. For ACS, you can use either an internal ACS account or a domain account. Create either.
 
Now you lost me.

username root privilege 15 password pass
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local

tacacs-server host 1.1.1.1
tacacs-server key bambam

You're saying that when I telnet that I should enter root and pass?

I set up a user, cisco and cisco, and could not console in until I did that. I cannot telnet using those creds, though---says authorization failure. What am I missing?

 
OK, let's take a step back....
You need:
1) a local password on the Cisco device for when TACACS+ is not reachable
2) a good AAA config
3) the device set up in ACS
4) an ACS account (this is what you log into the device with when TACACS+ is available)

 
I have done all that. I am successful and things operate as expected for console access. But not telnet access. What all is needed for telnet? Do I have it all and it "should" work?

 
CHICDIST#sh run
Building configuration...

Current configuration : 1412 bytes
!
! Last configuration change at 10:19:16 UTC Sun Sep 27 2009 by cisco
! NVRAM config last updated at 06:49:11 UTC Thu Sep 24 2009
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CHICDIST
!
boot-start-marker
boot-end-marker
!
!
memory-size iomem 25
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization network default group tacacs+ local
aaa session-id common
ip subnet-zero
!
!
!
ip cef
ip audit po max-events 100
!
!
username tim privilege 15 secret 5 $1$a96h$0I7R.hjF7/89SWyRKzjpP/
username b00 privilege 15 secret 5 $1$65wI$MaifR39/PfXncv4g1fFWb0
!
!
!
!
!
!
interface FastEthernet0
 ip address 200.1.1.28 255.255.255.248 secondary
 ip address 10.5.5.1 255.255.255.0
 speed auto
!
interface Serial0
 ip address 10.1.1.1 255.255.255.252
!
interface Serial1
 ip address 10.11.11.1 255.255.255.252
!
router ospf 100
 log-adjacency-changes
 redistribute connected subnets
 network 10.0.0.0 0.255.255.255 area 0.0.0.4
 network 200.1.1.0 0.0.0.255 area 0.0.0.4
!
ip classless
no ip http server
no ip http secure-server
!
!
!
tacacs-server host 10.5.5.2
tacacs-server directed-request
tacacs-server key b00h00B1tch!
!
!
line con 0
line aux 0
line vty 0 4
!
end

CHICDIST#


 
Does it work when you try to log in with the local account? What do the logs say in ACS?

Try this in config t mode:

no aaa new-model
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa accounting network default start-stop group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 10 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local



 
Nope. Still the same thing. Where do I check in ACS? I am totally brand spankin' new to ACS...

 
On the left-hand side menu there should be something like Reporting or Auditing. I'm not 100% sure, maybe 3rd or 4th from the bottom.

Can you log in with the local account you created?
 
When I switch the aaa around to aaa authentication login default local group tacacs+, I can log in with my local creds. Let me re-set up aaa accounting and see what ACS sees....

 
I got it. I knew it was something simple. I had to set the group settings for exec privileges (15). Thanks for hanging with me.

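Editor's added example (not code from the thread, from Cisco IOS or from ACS): a Python model of the TACACS+ (RFC 8907) EXEC-authorization exchange behind the "Authorization failure" above. The router side builds an AUTHOR REQUEST for service=shell, the server side answers FAIL while the user's ACS group has no Shell (exec) privilege and PASS_ADD with priv-lvl=15 once it does, and the method-list function shows why `aaa authorization exec default group tacacs+ local` never reached the local database: IOS only falls through to the next method when the server does not answer, so a FAIL from ACS is final, which is also why reversing the order to `local group tacacs+` let the local credentials in. (The console kept working because exec authorization is not applied to the console line unless `aaa authorization console` is configured.) The shared key, session id, tty, addresses, local users and the ACS group tables are constructed sample values, and `acs_server` and `exec_authorization` are simplified models, not the real implementations.

```python
"""TACACS+ (RFC 8907) EXEC authorization, simulated end to end; all values are constructed."""
import hashlib
import struct

VERSION, TYPE_AUTHOR = 0xC0, 0x02          # version byte (major 0xc, minor 0); authorization type
METH_TACACSPLUS, TYPE_ASCII, SVC_LOGIN = 0x06, 0x01, 0x01
STATUS_PASS_ADD, STATUS_FAIL = 0x01, 0x10

def pseudo_pad(session_id, key, seq_no, length):
    """RFC 8907 s4.5: MD5_1 = MD5(session_id|key|version|seq_no),
    MD5_n = MD5(session_id|key|version|seq_no|MD5_n-1); concatenated, truncated to length."""
    prefix = struct.pack("!I", session_id) + key + bytes([VERSION, seq_no])
    pad = last = b""
    while len(pad) < length:
        last = hashlib.md5(prefix + last).digest()
        pad += last
    return pad[:length]

def obfuscate(body, session_id, key, seq_no):
    """XOR the body with the pseudo-pad; the same call reverses it."""
    return bytes(b ^ p for b, p in zip(body, pseudo_pad(session_id, key, seq_no, len(body))))

def packet(seq_no, session_id, body, key):
    # 12-byte header: version, type, seq_no, flags, session_id, body length; then obfuscated body
    hdr = struct.pack("!BBBBII", VERSION, TYPE_AUTHOR, seq_no, 0, session_id, len(body))
    return hdr + obfuscate(body, session_id, key, seq_no)

def unpack_packet(pkt, key):
    _ver, ptype, seq_no, _flags, sid, length = struct.unpack("!BBBBII", pkt[:12])
    return ptype, seq_no, sid, obfuscate(pkt[12:12 + length], sid, key, seq_no)

def _fields(buf, off, lens):
    out = []
    for n in lens:                      # consecutive variable-length fields
        out.append(buf[off:off + n])
        off += n
    return out, off

def build_author_request(user, port, rem_addr, args, session_id, key, priv_lvl=1):
    """Router -> server, seq_no 1. For EXEC start IOS sends service=shell and cmd*."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    body = struct.pack("!8B", METH_TACACSPLUS, priv_lvl, TYPE_ASCII, SVC_LOGIN,
                       len(u), len(p), len(r), len(args))
    return packet(1, session_id, body + bytes(map(len, args)) + u + p + r + b"".join(args), key)

def parse_author_request(body):
    _m, _priv, _t, _s, ulen, plen, rlen, argc = struct.unpack("!8B", body[:8])
    lens = list(body[8:8 + argc])
    (user, port, rem), off = _fields(body, 8 + argc, [ulen, plen, rlen])
    args, _ = _fields(body, off, lens)
    return user.decode(), port.decode(), rem.decode(), args

def build_author_reply(status, args, server_msg, session_id, key):
    """Server -> router, seq_no 2: status, arg_cnt, server_msg_len, data_len, arg lens, ..."""
    body = struct.pack("!BBHH", status, len(args), len(server_msg), 0)
    return packet(2, session_id, body + bytes(map(len, args)) + server_msg + b"".join(args), key)

def parse_author_reply(body):
    status, argc, mlen, dlen = struct.unpack("!BBHH", body[:6])
    lens = list(body[6:6 + argc])
    (server_msg, _data), off = _fields(body, 6 + argc, [mlen, dlen])
    args, _ = _fields(body, off, lens)
    return status, server_msg, args

# Constructed stand-in for ACS Group Setup -> TACACS+ Settings -> Shell (exec).
ACS_BEFORE_FIX = {"cisco": {"shell_exec": False, "priv_lvl": None}}
ACS_AFTER_FIX = {"cisco": {"shell_exec": True, "priv_lvl": 15}}
LOCAL_USERS = {"tim": 15, "b00": 15}          # 'username ... privilege 15' on the router
KEY = b"constructed-shared-key"              # stands in for the tacacs-server key

def acs_server(groups):
    """Return a handler that answers one AUTHOR REQUEST from the (simulated) group table."""
    def handle(req):
        _t, _seq, sid, body = unpack_packet(req, KEY)
        user, _port, _rem, args = parse_author_request(body)
        g = groups.get(user)
        if g is None or b"service=shell" not in args or not g["shell_exec"]:
            return build_author_reply(STATUS_FAIL, [], b"Authorization failure", sid, KEY)
        return build_author_reply(STATUS_PASS_ADD, [b"priv-lvl=%d" % g["priv_lvl"]], b"", sid, KEY)
    return handle

def exec_authorization(user, methods, server):
    """Model of 'aaa authorization exec default <methods>': a FAIL from the server is final;
    only no reply (server=None) falls through. 'local' simplified to 'user exists locally'."""
    for method in methods:
        if method == "group tacacs+" and server is not None:
            req = build_author_request(user, "tty66", "10.5.5.50",
                                       [b"service=shell", b"cmd*"], 0x1234ABCD, KEY)
            status, _msg, args = parse_author_reply(unpack_packet(server(req), KEY)[3])
            if status == STATUS_PASS_ADD:
                attrs = dict(a.split(b"=", 1) for a in args if b"=" in a)
                return "PASS", int(attrs.get(b"priv-lvl", b"1"))
            if status == STATUS_FAIL:
                return "FAIL", None
        elif method == "local":
            return ("PASS", LOCAL_USERS[user]) if user in LOCAL_USERS else ("FAIL", None)
    return "FAIL", None

if __name__ == "__main__":
    for label, groups in (("before fix", ACS_BEFORE_FIX), ("after fix", ACS_AFTER_FIX)):
        print(label, exec_authorization("cisco", ["group tacacs+", "local"], acs_server(groups)))
```

Running it prints `('FAIL', None)` for the cisco user before the group's Shell (exec) setting is enabled and `('PASS', 15)` afterwards; calling `exec_authorization("tim", ["group tacacs+", "local"], None)` models the server being unreachable, where the local privilege-15 user gets in through the fallback method.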
 