AAA for Cisco MDS Switches

I have configured Cisco ACS 4.0 (TACACS) with Windows AD for all Cisco MDS switches and it is working fine. But local "admin" access to the Cisco MDS switches via telnet is not working. At the same time, if I create a user with "network-admin" role locally, that works but not the default admin user.
Could anyone help me in this regard?

You have two options.
1. Configure an "admin" user in AD. (Note that you don't have to use the account named admin; you can just as easily assign a local user with the network-admin role.) One thing to note is that you normally use this local account in case the TACACS+ or RADIUS authentication server goes down.
You can have users configured locally and in AD at the same time. If you are running AAA, the default config is to check your AAA servers first and, if they are not available, to default to a local account.
2. Configure your local network-admin role user and then specify that, say, console access is authenticated locally, while SSH and telnet are authenticated through TACACS. This will allow you to always get in with a local account through the console, while it will force SSH and Telnet connections to authenticate through the AAA servers.
You can find this option in Device Manager > Security > AAA > Applications
If you found this helpful, please give it a rating.
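
The split described in option 2 (console authenticated locally, SSH and telnet through TACACS+) can be checked offline against a saved configuration. The Python sketch below is an added example, not part of the original posts or of any Cisco tool; the function name `audit_aaa`, the sample addresses and the key are assumptions, and it only understands the commands that appear in the configuration script posted further down this page.

```python
import re

# Constructed sample in the SAN-OS syntax of the script posted on this page;
# the addresses (RFC 5737 range) and the key are placeholders.
SAMPLE_CONFIG = """\
tacacs+ enable
tacacs-server host 192.0.2.10 key 0 ExampleSecret
aaa group server tacacs+ tacgrp
server 192.0.2.10
server 192.0.2.11
aaa authentication login default group tacgrp
aaa accounting default group tacgrp local
"""

def audit_aaa(config):
    """Return findings; an empty list means the console/remote split is in place."""
    hosts, groups, login = {}, {}, {}
    members, accounting, findings = None, False, []
    for line in (raw.strip() for raw in config.splitlines()):
        # "server x" lines belong to the preceding "aaa group server" block
        if members is not None and (m := re.match(r"server (\S+)$", line)):
            members.append(m[1])
            continue
        members = None
        if m := re.match(r"tacacs-server host (\S+)(?: key (\d) \S+)?", line):
            hosts[m[1]] = m[2]                      # key type: "0", "7" or None
        elif m := re.match(r"aaa group server tacacs\+ (\S+)", line):
            members = groups.setdefault(m[1], [])
        elif m := re.match(r"aaa authentication login (default|console) (.+)", line):
            login[m[1]] = m[2].split()
        elif line.startswith("aaa accounting default "):
            accounting = True
    for host, key_type in hosts.items():
        if key_type == "0":                         # 0 = cleartext in the config
            findings.append(f"{host}: shared secret stored as cleartext (key 0)")
    default = login.get("default", [])
    if default[:1] != ["group"]:
        findings.append("default login (SSH/telnet) does not use a TACACS+ group")
    for name in (d for d in default[1:] if d not in ("local", "none")):
        if name not in groups:
            findings.append(f"login group {name} is not defined")
        for server in groups.get(name, []):
            if server not in hosts:
                findings.append(f"group {name}: {server} has no tacacs-server host entry")
    if login.get("console") != ["local"]:
        findings.append("console login is not explicitly set to local")
    if not accounting:
        findings.append("no default accounting method configured")
    return findings
```

Calling `audit_aaa(SAMPLE_CONFIG)` returns three findings for the constructed sample: the cleartext key, the group member without a host entry, and the missing console line.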

Similar Messages

  • AAA and Cisco MDS switches.........

    I have configured Cisco ACS 4.0 (TACACS) with Windows AD for all Cisco MDS switches and it is working fine. But local "admin" access to the Cisco MDS switches via telnet is not working. At the same time, if I create a user with "network-admin" role locally, that works but not the default admin user.
    Could anyone help me in this regard?

    local. Below is the script I used to configure TACACS (Cisco ACS 4.0) on Cisco MDS switches.
    config t
    # Enable TACACS+
    tacacs+ enable
    tacacs-server host nnn.nnn.nnn.nnn key 0 xxxxxx
    tacacs-server host mmm.mmm.mmm.mmm key 0 xxxxx
    # Specify TACACS+ Server groups
    aaa group server tacacs+ tacgrp
    server nnn.nnn.nnn.nnn
    server mmm.mmm.mmm.mmm
    aaa authentication login default group tacgrp
    aaa authentication login console local
    # Enable TACACS+ Accounting
    aaa accounting default group tacgrp local
    end
    copy running-config startup-config
    Thanks
    MOhan

  • Scripting for Cisco MDS

    Though I know how to write scripts for Cisco MDS switches (as I don't rely on the FM/DM GUI), I am wondering how to include comments in a script for better readability. I would appreciate it if anyone could point me to where it has been documented or how to do it.
    Thanks
    Mohan

    With regards to your questions:
    1- No, you must create the script externally to the MDS as specified in the doc listed below.
    http://www.cisco.com/univercd/cc/td/doc/product/sn5000/mds9000/1_3_1/sw_confg/cnfig.pdf
    You can however create a cron job on a host and login to the MDS via SSH providing Passwordless access to run a script. Let me know if this is something you would like to pursue.
    2- Yes, this is a feature in version 2.0(1b) which was released recently to Cisco.com, look under "Command Scheduler" in the following link.
    http://www.cisco.com/univercd/cc/td/doc/product/sn5000/mds9000/2_0/ol624901.htm

  • FC-2GB module part number for cisco 4503 switch

    Dear Sir,
    We have a SAN switch MDS-9216 with FC-2GB ports.
    We want to connect the SAN switch to our newly installed Cisco 4503 switch. Which module is required in the Cisco 4503 switch to connect the SAN switch FC-2GB ports?
    Regards
    Deepak

    Deepak,
    Can you explain why you want to do this?
    The Catalyst 4503 is an ethernet switch and does not support FC-2G interfaces. If you want to enable IP access to your storage, you would need an IP storage services module in your MDS 9216. This would then provide GE interfaces which you could connect to your Catalyst 4503. You could then provide IP-based hosts access to FC-connected storage using iSCSI for instance.
    Regards
    Rob.

  • Scsi device discovery in Cisco MDS switches

    I was using this device discovery to find out how many luns can be seen on that server.
    I tried to use the discover scsi-target command and it does not give much useful information, and I do not want to add the OS WWNs to my LUN security in addition to the HBA WWNs for the host group on the array end.
    The problem that I am having is that I can see 7 LUNs out of 9 when I connect to Cisco MDS, whereas in Brocade I can see all the LUNs.
    I checked the LUN security and zoning and everything seems to be correct.
    If Cisco SAN OS has commands whereby I can see what LUNs can be seen on the switch, that would be really helpful. But it looks like LUN/LDEV info cannot be seen through the discover command.
    Please let me know how to troubleshoot this problem
    Thanks

    In the array, I tried to add switch wwn to the LUN Security and zoned the same switch wwn on the MDS. Is there anything I am missing. Thanks in advance
    But still I could not see any LUNs. When I do discover command, NLUNS shows 0.
    and the command sh scsi-target lun os win shows nothing.
    discover scsi-target vsan 21 fcid 0xea000b os win
    VSAN: 21 FCID: 0xea000b
    PRLI RSP: 0x01 SPARM: 0x0012
    SCSI TYPE: 31 NLUNS: 0
    Vendor: HITACHI Model: DISK-SUBSYSTEM Rev: 5007
    Other: 7f:00:03:12:cf:00:00:02

  • Remote Command Tool for Cisco Routers/Switches

    Is anyone aware of any tools or scripts out there which allow preconfigured commands to be remotely run against Cisco routers/switches and display the output result?
    I'm looking for a tool which I can give our Service Desk personnel that will allow them to select from a list of commands and enter a target IP address of a router/switch, and then the tool will display the VLAN table or the running config of a particular switch-port so they can see if it's configured on the correct data VLAN or it's missing its voice VLAN etc.
    For example, a Service Desk Operator needs to check what VLAN a switch-port is on. So they open the tool, enter the switch's IP address and the port number and select an option like "display a switch-port's vlan", and the tool will log in to the switch in the background, run a show command on the switch and then output the result.
    Thanks.

    Check out rConfig. You will be able to run multiple instances of it i.e. one instance for your standard configuration backups and another for more specific configuration downloads info like show vlan bri commands etc for service desk staff to view.
    You could also use the IOS menu function and create menus or role based access on each of your devices for your users.
    Regards
    Stephen
    ==========================
    http://www.rConfig.com 
    A free, open source network device configuration management tool, customizable to your needs!
    - Always vote on an answer if you found it helpful

  • Unable to Remove Metal Casing for Cisco 1924 Switch

    Hi Guys,
    I just bought a Cisco 1924 switch and would like to check out its insides but I can't seem to work out how to remove the metal cover.
    I have removed all the visible screws and have also checked out the Cisco Support site and the Internet, but considering that the 1924 switch is an end-of-line product, I'm finding it extremely hard to find any support resources for the 1924 switch.
    I don't really want to force it open as I don't want to crack or snap anything.
    Thanks all
    two5om

    Hi,
    Here you are the Catalyst 1900 Series Installation and Configuration Guide, but unfortunately it doesn't contain how to remove the metal cover, please try to softly remove it, try to move it to the back before lifting it:
    http://www.cisco.com/en/US/docs/switches/lan/catalyst2900xl_3500xl/catalyst1900_2820/version9.00.00/icgf/19icinst.html
    HTH,
    Mohammed Mahmoud.

  • Apply AAA for LAN & L3 switches

    I have a RADIUS server that I want to use as a central authentication location
    I have a 3560, 3550 & 2950s. I know the 3560 can be configured with AAA, what about the other switches?
    what is the best and safe way applying it?

    for the record,
    from my ASA I can test successfully:
    ASA(config)# test aaa-server authentication vpn
    Server IP Address or name: 192.168.200.18
    Username: username
    Password: ********
    INFO: Attempting Authentication test to IP address <192.168.200.18> (timeout: 12 seconds)
    INFO: Authentication Successful
    this is the config:
    aaa-server vpn protocol radius
    aaa-server vpn host 192.168.200.18
    key ********
    same IAS server, same subnet
    I also tried configuring a new policy on IAS as described here: http://www.blindhog.net/cisco-aaa-login-authentication-with-radius-ms-ias/

  • Dedicated supervisor engine slot numbers for cisco core switches

    I want to know why there are dedicated supervisor engine slot numbers in core switches.
    Feature: Dedicated supervisor engine slot numbers
    Cisco Catalyst WS-C4503-E Chassis: 1
    Cisco Catalyst WS-C4506-E Chassis: 1
    Cisco Catalyst WS-C4507R+E Chassis: 3 and 4
    Cisco Catalyst WS-C4510R+E Chassis: 5 and 6
    Please make it clear why a dedicated slot is allocated for the supervisor engine.

    Hi,
    I think the reason behind dedicated slots for supervisors of the 4500/6500 chassis is architectural constraints.
    For example, the Sup 720 in the 6500 has 18 fabric channels (18 connections to the fabric), while the line cards have only 1/2 fabric channels depending on their version. So if you have to make a supervisor independent of the slot, you need to have 18 backplane fabric channels in each slot of the chassis for the SUP to work in all slots, as compared to the 1/2 backplane fabric channels per slot that we have right now for the line cards. Almost the same should go for the 4500. And this might come across as an architectural constraint. This is the best explanation I can think of.
    Thanks
    "Please rate the post if found useful"

  • Launch date for Cisco SB Switches

    Hi,
    I need the launch date for the following products:
    Cisco SB SG200
    Cisco SB SG300
    Can anyone provide such information? 
    Thanks,
    Tiziana
    p.s. I am opening a new discussion as I marked my previous one as correct answer by mistake and I cannot edit it.

    The earliest firmware versions available for these switches were released 21-SEP-2010 for the SG300-28 and 25-JAN-2011 for the SG200-26, so these should be close to their release date, one would think. Why do you want to know when they were released?

  • Does cisco MDS 9000 switch by default set a little higher R_T_TOV?

    Hi, All:
    Not sure anyone has done LOS for a Cisco MDS 9000 switch before. I tried to insert a code violation which is equal to 103ms but only see link reset, not NOS/OLS. Is it because Cisco MDS has default higher? Or can we set R_T_TOV on the switch?

    Hi Larry - [this|http://lists.apple.com/archives/usb/2008/Oct/msg00021.html] was the only thing I could find about transactions timing out, but since you don't have anything plugged in, it really doesn't apply. Have you tried resetting your SMU?
    If that doesn't work, run Disk Utility from your install disc and see what it comes up with. Your suspicion that the MB may be faulty is probably correct, and if you are still within the 90-day warranty period, you should call the repair place and have them replace it yet again.

  • Power Cable for Cisco 4900M in China

    Hello,
    Recently I wanted to place an order for a Cisco 4900M switch for a project in China. But I couldn't find the part number for the power cable in this country. The nearest country I could find is CAB-AS3112-C15-AU, which is Australia.
    Please advise if it would be all right if I use this part number....
    Thanks,

    You can read on the Internet how the Chinese sockets are made, and order a compatible cable.

  • Monitoring for Cisco UCS/Cisco Catalyst/EMC VNX/VMware environment

    hi
    I am not sure whether this is the right place for this post, but I am giving it a shot anyway.
    I am looking for a monitoring solution for a Cisco UCS/Cisco Catalyst/EMC VNX/VMware environment and I cannot seem to find 1 product that does it all.
    Do any of you Guys have experience with a such product?
    thanks...

    I have used PRTG for Cisco Routers/Switch, Vmware  and with Cisco UCS. As for the storage part I'm not sure.
    I recommend PRTG because it's user friendly and has web-based management.
    Please Rate.

  • Using Cisco MDS 9148 switch for switching and routing

    Hi Gurus,
    Can you please advise me! Can I configure interface trunking, routing and DHCP services on the Cisco MDS 9148 switch?
    Thanks for your response!!

    Tommy,
    MDS9148 is a Storage SAN Fibre Channel switch, it doesn't support Ethernet, IP, VLANs, VLAN trunking, 802.1Q, IP routing, DHCP. It's meant for Fibre Channel connectivity between Fibre Channel server HBAs and Fibre Channel storage.
    Roman

  • Cisco MDS 9418 switch doubt

    Hi Team,
    We have an issue, whether the cisco MDS 9418 switch supports FCIP feature.
    We are planning to migrate the data from our old data center over WAN to the EMC VNX storage box in other location.
    In our old data center we have 2 FC Cisco switches connected to the EMC Clariion storage array. In order to replicate data from the Clariion box to the EMC VNX box over WAN, it can be done via FCIP.
    I wanted to know if we can insert the FCIP converters into these MDS 9418 switches or do we need to have separate FCIP converters.
    Do we need FCIP converters on both sides for doing replication over FCIP?
    For clear understanding please see the attachment.
    Will be waiting for your response......
    Regards,
    Pranav.

    Hi,
    Since the 9148 does not have IP interfaces, something will be needed to tunnel the FC into IP (FCIP) such as an MDS 9222i, which has both FC interfaces and GigE interfaces and supports FCIP.
    Regards,
    David
