Help in command aaa authentication

Hi,
Could someone explain this command:
aaa authentication login default
What does the authentication default to when we are not providing any authentication such as local or group radius?
Thanks
Jason

Hi Jason,
This command would generate an error such as:
R(config)#aaa authentication login default
% Incomplete command.
We need to specify an auth method.
Regards,
Vivek

Similar Messages

  • Aaa authentication enable command

    Hi,
    If I configure the following command, how can I enter the enable user name and password to get into the enable prompt? Can someone explain to me how to enable tacacs authentication for enable access?
    "aaa authentication enable default group tacacs+ enable",
    TIA
    krishna

    Assuming that your IOS device is otherwise correctly configured for TACACS (has the proper TACACS server address, proper TACACS key) and that the TACACS server is configured to recognize and process this machine as a client for authentication, then using this command:
    aaa authentication enable default group tacacs+ enable
    will cause the IOS device to send an authentication request to the TACACS server when someone attempts to access privilege mode. If the TACACS server does not respond the IOS device will use the local enable secret (or password) to authenticate enable mode. This is the only thing that you must do on the IOS device. On the TACACS server you must be sure that the user ID is correctly configured for access to this device and the user is checked for level 15 access.
    HTH
    Rick

  • Aaa authentication enable default group tacacs+ enable

    I am implementing CSACS 4.0. First on the client, I will apply aaa authentication/authorization under vty. The issue is, if I use the following command
    aaa authentication enable default group tacacs+ enable
    what will happen if I login via console? Will I be required to enter any username/password?
    Below is my configuration
    aaa new-model
    aaa authentication login authvty group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization commands 15 authvty group tacacs+ local
    tacacs-server host IP
    tacacs-server key key
    ip tacacs source-interface VLAN 3
    aaa accounting send stop-record authentication failure
    aaa accounting delay-start
    aaa accounting exec authvty start-stop group tacacs+
    aaa accounting commands 15 authvty start-stop group tacacs+
    aaa accounting connection authvty start-stop group tacacs+
    line vty 0 15
    login authentication authvty
    authorization commands 15 authvty
    accounting connection authvty
    accounting commands 15 authvty
    accounting exec authvty
    Any suggestion will be appreciated!

    It should work because this is a message.banner prompt every time you try to login (console/vty). I have it configured on my router.
    If you have banner motd, it will be displayed as well (see below). So I have to remove it to get only the aaa banner & prompt being displayed:
    *** Username: cisco, Password: cisco (priv 15f - local) ****
    Unauthorized use is prohibited.
    Enter your name here: user1
    Enter your password now:
    Router#
    The config more or less looks like:
    aaa new-model
    aaa authentication banner ^CUnauthorized use is prohibited.^C
    aaa authentication password-prompt "Enter your password now:"
    aaa authentication username-prompt "Enter your name here:"
    aaa authentication login default group radius
    aaa authentication login CONSOLE local
    HTH
    AK
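
Added example (not part of the original thread, and not Cisco tooling): a small Python resolver that reads IOS-style configuration text and reports, for each `line`, which login method list it is bound to and the order in which the methods are tried. The sample configuration is constructed, modelled on the one posted in the question; all function names are this example's own.

```python
# Constructed sample modelled on the configuration in the question above.
CONFIG = """\
aaa new-model
aaa authentication login authvty group tacacs+ local
aaa authentication enable default group tacacs+ enable
line con 0
line vty 0 15
login authentication authvty
end
"""


def parse_methods(tokens):
    """Turn ['group', 'tacacs+', 'local'] into ['group tacacs+', 'local']."""
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append("group " + tokens[i + 1])
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def method_lists(config):
    """Collect {(kind, list_name): [methods]} from 'aaa authentication' lines.

    A line with no method after the list name is skipped: IOS rejects it
    as an incomplete command, so it never reaches a saved configuration.
    """
    lists = {}
    for raw in config.splitlines():
        tok = raw.split()
        if (len(tok) >= 5 and tok[:2] == ["aaa", "authentication"]
                and tok[2] in ("login", "enable")):
            lists[(tok[2], tok[3])] = parse_methods(tok[4:])
    return lists


def line_bindings(config):
    """Map each 'line ...' block to the login list it names.

    A line without 'login authentication <name>' uses the list called
    'default'. Indentation is ignored (pasted configs often lose it); a
    block is assumed to run until the next 'line', '!' or 'end'.
    """
    bindings, current = {}, None
    for raw in config.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "line" and len(tok) >= 3:
            current = " ".join(tok[1:])
            bindings[current] = "default"
        elif tok[0] in ("end", "!"):
            current = None
        elif current and len(tok) == 3 and tok[:2] == ["login", "authentication"]:
            bindings[current] = tok[2]
    return bindings


def resolve(config):
    """Per line: login list name, its methods (None if undefined), enable methods."""
    lists = method_lists(config)
    enable = lists.get(("enable", "default"))  # enable has only a default list
    return {
        line: {
            "login_list": name,
            "login_methods": lists.get(("login", name)),
            "enable_methods": enable,
        }
        for line, name in line_bindings(config).items()
    }


def server_only(methods):
    """True when every method is a server group, i.e. no local fallback."""
    return bool(methods) and all(m.startswith("group ") for m in methods)


if __name__ == "__main__":
    for line, info in resolve(CONFIG).items():
        login = info["login_methods"]
        shown = " -> ".join(login) if login else "(list not defined in this config)"
        print(f"line {line}: login list '{info['login_list']}': {shown}")
        print(f"  enable: {' -> '.join(info['enable_methods'] or [])}")
        if server_only(login):
            print("  note: no local fallback if the servers do not answer")
```

On the sample, `vty 0 15` resolves to `authvty` (`group tacacs+`, then `local`), while `con 0` is bound to the `default` login list, which this configuration never defines.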

  • AAA Authentication & Accounting using Tacacs+ Commands order

    In the Cisco Remote Access Companion guide book, page 394, we have got these configuration lines:
    RTA(config)#tacacs-server host 192.168.0.11
    RTA(config)#tacacs-server host 192.168.0.12
    RTA(config)#tacacs-server key topsecret
    RTA(config)#aaa new-model
    RTA(config)#aaa authentication login default group tacacs+
    If I want to add to the configuration above the command below:
    RTA(config)#aaa accounting connection default start-stop group tacacs+
    Is it necessary for the above lines to be in a specific order when I configure RTA?

    The first tacacs server listed will be the first tacacs server queried. I would make my primary ACS the first listed. Everything else looks good.

  • Cisco Nexus to use Radius AAA authentication using Microsoft 2008 NPS

    I have a Nexus 7010 running
    Just wondering if you can help me with something. I'm having an issue with command authorization through our aaa config. We don't have a problem authenticating; it's command authorization that is not working. From what I have seen and read, Nexus NX-OS 6.x does not have any commands for aaa authorization unless you are configuring TACACS+. My basic config is below; if you can help it would be much appreciated.
    >>ip radius source-interface mgmt 0
    >>radius-server key XXXXX
    >>radius-server host X.X.X.X key XXXXX authentication accounting
    >>radius-server host X.X.X.X key XXXXX authentication accounting
    >>aaa authentication login default group Radius_Group
    >>aaa authentication login console local
    >>aaa group server radius Radius_Group
    >>    server X.X.X.X
    >>    server X.X.X.X
    >>    source-interface mgmt0
    Also, does anyone know how to configure Microsoft 2008 NPS as a RADIUS server to work with Nexus? I have read a few posts that suggest changing the
    shell:roles="vdc-admin" in the  Attribute Value field in the RADIUS server
    Does anyone know if this works?
    Thanks

    I have never done this before with ACS but not with NPS. However, you are on the right path. Nexus uses NX-OS, which is different in some regards from regular IOS. One of those differences is the AAA setup. In NX-OS you assign users to roles. So for full access you will need to return the following attributes from your Radius server:
    Attribute: cisco-av-pair
    Requirement: Mandatory
    Value: shell:roles*"network-admin vdc-admin"
    For more information take a look at this link:
    http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/115925-nexus-integration-acs-00.html
    Hope this helps
    Thank you for rating helpful posts!

  • AAA authentication / Radius-Servers

    Hello cisco folks,
    Have a technical question I would like to ask. I'm able to setup my 3750e switch to login through a radius server with my company user id and password but would like to be able to set it up that when I log in it drops me on the enable prompt. Right now I have to type >en.
    Then the enable password.  Thanks in advance.
    Paul

    Hi Bro
    Yes, this can be achieved in Cisco IOS devices but not in Cisco ASA. In Cisco ASA, you still have to type the "enable" command.
    Just ensure you've the configuration shown below, and all should be good;
    enable password cisco
    aaa new-model
    aaa authentication login VTY group radius local
    aaa authentication login CONSOLE local
    aaa authentication enable default group radius enable
    aaa authorization console
    aaa authorization config-commands
    aaa authorization exec VTY group radius local
    username ram privilege 15 password 0 cisco
    username cisco privilege 7 password 0 cisco
    interface FastEthernet0/0
    ip address 10.0.0.2 255.255.255.0
    ip route 0.0.0.0 0.0.0.0 10.0.0.1
    ip radius source-interface FastEthernet0/0
    radius-server host 10.0.0.100 auth-port 1645 acct-port 1646 key cisco
    privilege interface level 7 shutdown
    privilege interface level 7 ip address
    privilege interface level 7 ip
    privilege interface level 7 no shutdown
    privilege interface level 7 no ip address
    privilege interface level 7 no ip
    privilege interface level 7 no
    privilege configure level 7 interface
    privilege configure level 7 shutdown
    privilege configure level 7 ip
    privilege configure level 7 no interface
    privilege configure level 7 no shutdown
    privilege configure level 7 no ip
    privilege configure level 0 no
    privilege exec level 7 configure terminal
    privilege exec level 7 configure
    privilege exec level 7 undebug ip rip
    privilege exec level 7 undebug ip
    privilege exec level 7 undebug all
    privilege exec level 7 undebug
    privilege exec level 7 debug ip rip
    privilege exec level 7 debug ip
    privilege exec level 7 debug all
    privilege exec level 7 debug
    line con 0
    authorization exec VTY
    login authentication VTY
    line aux 0
    line vty 0 4
    authorization exec VTY
    login authentication VTY
    end
    Note: Ensure your user ID in your Radius server has the correct av-pair parameters shell:priv-lvl=15
    P/S: if you think this comment is helpful, please do rate it nicely :-)

  • Cisco Nexus AAA authentication and console access

    We have a Nexus 7k with AAA authentication working. Now I have an issue: I can't log in using the console port because my logins are rejected. Is there any way we can log in to the console with local login details, or do we have to use ACS server (AAA) logins when connected to the console (while the ACS server is still reachable)?
    My main question is: I want to log in using the console port while the ACS server is still reachable. Is it possible?

    Perhaps I am not understanding some parts of the original post and if so I would appreciate clarification of what I missed. But it seems to me that the main question in the original post is whether the original poster would be able to login on the console. And it seems to me that the high level answer is that yes login to the console should be possible. The details of how that would work are dependent on details of how the N7K is configured. If the original poster would provide some details of the configuration (especially all of the aaa authentication commands and the configuration of line con 0) we would be in a much better position to provide helpful answers.
    HTH
    Rick

  • Aaa authentication enable console (server_name) password issue

    Here is the problem I am experiencing and I hope someone out there is able to help;
    I have an ASA5510 (running software Version 8.0(3)). I have enabled remote authentication to our company's TACACS server (which is running TACACS open source supplied by Cisco).
    The problem is as follows;
    I can telnet to the appliance remotely, and using my username and password (configured on the TACACS server) I am authenticated. But after entering enable, I am prompted with the password prompt, and I cannot get past this prompt. I have tried the same password as I previously entered at the telnet prompt and failed; the local enable password fails as well. Any suggestions?
    aaa-server (server_name) protocol tacacs+
    aaa-server (server_name) (interlinkport) host (Address)
    key (password)
    aaa authentication enable console (server_name) LOCAL
    aaa authentication enable console (server_name) LOCAL
    aaa authentication http console (server_name) LOCAL
    aaa authentication serial console (server_name) LOCAL
    aaa authentication ssh console (server_name) LOCAL
    aaa authentication telnet console (server_name) LOCAL
    aaa accounting command privilege 15 (server_name)
    aaa authorization exec authentication-server

    I think I can help you here since I've been using Cisco Freeware TACACS+ for almost 7 years now. I am not an expert, just enough to be dangerous.
    Since the code is open-source, each company uses it differently; however, there is one thing that will always be true. That would be the enable.c file, which is a C program. You would need to modify this file so that EVERYONE can have his/her own enable password, just like Cisco ACS running on Windows platforms.
    The configuration file would look something like this:
    accounting file = /var/log/tac_plus.log
    key = zFgGkIooIsZ.Q
    user = cciesec {
        member = admin
        name = "ccie security"
        login = cleartext "cciesec"
    }
    user = $cciesec$ {
        member = admin
        name = "ccie security"
        login = cleartext "cciesec1"
    }
    group = admin {
        default service = permit
    }
    On the Pix:
    aaa-server NEO protocol tacacs+
    aaa-server NEO (outside) host 192.168.15.10
    timeout 5
    key cciesec
    aaa authentication ssh console NEO LOCAL
    aaa authentication enable console NEO LOCAL
    Here is the login sequence:
    [root@dca2-LinuxES root]# ssh -l cciesec 192.168.0.25
    The authenticity of host '192.168.0.25 (192.168.0.25)' can't be established.
    RSA key fingerprint is c2:48:15:85:92:7f:56:15:a8:0f:80:d9:88:50:fd:1c.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.0.25' (RSA) to the list of known hosts.
    cciesec@192.168.0.25's password:
    Type help or '?' for a list of available commands.
    CiscoPix> en
    Password: ********
    CiscoPix#
    In other words, my initial password is "cciesec" and my enable password
    is "cciesec1". Another user "tom" will have his own login and enable
    password.
    Simple enough?

  • Aaa authentication

    I'm trying to set up authentication using a PIX 525 for some of our web servers. In preparation, I'm testing it on a PIX 515. For testing purposes, I'm not using a RADIUS or TACACS server.
    I've implemented the following commands:
    aaa-server LOCAL protocol local
    access-list authlist permit tcp any any eq www
    aaa authentication match authlist outside LOCAL
    When these commands are used, authentication works as advertised. When I change the access-list to:
    access-list authlist permit tcp any host 192.168.1.2 eq www
    where 192.168.1.2 is a webserver, authentication does not occur. (We want to require authentication for some web servers but not others.) I've tried variations of the command but none has worked. The PIX just passes all traffic.
    Any ideas?
    Noah

    Hi,
    The solution lies in where you are trying to access the server from, and where you have applied the authentication to occur.
    192.168.1.2 definitely doesn't appear to be a global IP (if you are not working in a test scenario).
    "outside" in the authentication statement means that we want authentication to happen for all the traffic coming in on the Outside interface.
    A little topology detail will help.
    Regards,
    Prem

  • Aaa authentication enable console issue

    I have an ASA5505 running 8.2(5). It is configured with
    aaa authentication telnet console xxxxxx LOCAL
    and I am able to use my username and password to telnet in, but I then have to use the local enable password to get to privilege exec mode.
    I tried configuring aaa authentication enable console xxxxxx LOCAL so that when I try to access privilege exec mode, I would be prompted for my password instead of the enable password, but it doesn't work.
    I also tried removing the aaa authentication telnet console xxxxxx LOCAL and telnetted in with the local passwd.
    I was prompted for a username and password when trying to get to priv exec mode, but again, the credentials did not work.
    Could there be something that needs to be changed on the ACS server to make this work?
    Thanks.

    Using TACACS+
    No command authorization rules are being used
    When I add the aaa authentication enable console xxxxxxxx LOCAL command,
    and use login instead of enable, I get Login failed if I try to use my credentials.
    However, if I use login with the locally configured username and password, it lets me in.
    Here is the config (without the aaa authentication enable console command):
    User Access Verification
    Username: xxx/xxxxxxxxxx
    Password: ************
    Type help or '?' for a list of available commands.
    FW> en
    Password: ********
    FW# sh ru
    : Saved
    ASA Version 8.2(5)
    terminal width 511
    hostname xxxxxxxx
    enable password *********** encrypted
    passwd *********** encrypted
    names
    interface Ethernet0/0
    switchport access vlan xxx
    interface Ethernet0/1
    switchport access vlan xxx
    shutdown
    interface Ethernet0/2
    switchport access vlan xxx
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlanxxx
    nameif inside
    security-level 100
    ip address x.x.x.x x.x.x.x
    interface Vlanxxx
    nameif OUtside
    security-level 0
    ip address x.x.x.x x.x.x.x
    ftp mode passive
    same-security-traffic permit intra-interface
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group protocol DM_INLINE_PROTOCOL_1
    protocol-object udp
    protocol-object tcp
    group-object TCPUDP
    object-group protocol DM_INLINE_PROTOCOL_2
    protocol-object udp
    protocol-object tcp
    group-object TCPUDP
    object-group protocol DM_INLINE_PROTOCOL_3
    protocol-object ip
    protocol-object udp
    protocol-object tcp
    object-group protocol DM_INLINE_PROTOCOL_4
    protocol-object ip
    protocol-object udp
    protocol-object tcp
    access-list Outside_access_in extended permit ip any any
    access-list inside_access_in extended permit icmp any any
    access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any inactive
    access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_4 any any
    access-list OUtside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any inactive
    access-list OUtside_access_in extended permit icmp any any
    access-list OUtside_access_in extended permit object-group DM_INLINE_PROTOCOL_3 any any
    pager lines 24
    logging enable
    logging asdm informational
    logging host inside x.x.x.x
    mtu inside 1500
    mtu OUtside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    access-group inside_access_in in interface inside
    access-group OUtside_access_in in interface OUtside
    route inside 0.0.0.0 0.0.0.0 x.x.x.x 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server xxxxxxxxx protocol tacacs+
    aaa-server xxxxxxxxx (inside) host x.x.x.x
    key *****
    aaa-server xxxxxxxxx (inside) host x.x.x.x
    key *****
    aaa-server xxxxxxxxx (inside) host x.x.x.x
    key *****
    aaa authentication http console ******* LOCAL
    aaa authentication ssh console ******* LOCAL
    aaa authentication telnet console ******* LOCAL
    aaa local authentication attempts max-fail 5
    http server enable
    http x.x.x.x x.x.x.x inside
    http x.x.x.x x.x.x.x inside
    snmp-server host inside x.x.x.x community ***** version 2c
    snmp-server host OUtside x.x.x.x community ***** version 2c
    snmp-server host inside x.x.x.x community ***** version 2c
    no snmp-server location
    no snmp-server contact
    snmp-server community *****
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet x.x.x.x x.x.x.x inside
    telnet x.x.x.x x.x.x.x inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config OUtside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    username ******* password ************** encrypted privilege 15
    username ******* password ************** encrypted privilege 15
    username ******* password ************** encrypted privilege 15
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:
    : end
    FW#
    Thanks.

  • ACE 4700 and Cisco ACS aaa authentication

    ACE version Software
    loader: Version 0.95
    system: Version A1(7b) [build 3.0(0)A1(7b)
    Cisco ACS version 4.0.1
    I am trying to authenticate admin users with AAA authentication for ACE management.
    This is what I've done:
    ACE-lab/Admin(config)# tacacs-server host 192.168.3.10 key 123456 port 49
    warning: numeric key will not be encrypted
    ACE-lab/Admin(config)# aaa group server tacacs+ cciesec
    ACE-lab/Admin(config-tacacs+)# server ?
    <A.B.C.D> TACACS+ server name
    ACE-lab/Admin(config-tacacs+)# server 192.168.3.10
    can not find the TACACS+ server
    specified TACACS+ server not found, please configure it using tacacs-server host ... and then retry
    ACE-lab/Admin(config-tacacs+)#
    Why am I getting this error? I have full
    connectivity between the ACE and the ACS
    server. Furthermore, the ACS server
    works fine with other Cisco IOS devices.
    Please help. Thanks.

    Thanks. Now I have another problem. I CAN
    log into the ACE via tacacs+ account(s).
    However, I get error when I try going into
    configuration mode:
    ACE-lab login: ngx1
    Password:
    Cisco Application Control Software (ACSW)
    TAC support: http://www.cisco.com/tac
    Copyright (c) 1985-2007 by Cisco Systems, Inc. All rights reserved.
    The copyrights to certain works contained herein are owned by
    other third parties and are used and distributed under license.
    Some parts of this software are covered under the GNU Public
    License. A copy of the license is available at
    http://www.gnu.org/licenses/gpl.html.
    ACE-lab/Admin# conf t
    ^
    % invalid command detected at '^' marker.
    ACE-lab/Admin#
    The ngx1 account can access other Cisco
    routers/switches just fine and can go into
    enable mode just fine. Only issue on the ACE.
    Any ideas? Thanks.

  • Prime 1.4 - no aaa authentication tacacs+ server

    Does anybody know the equivalent of the command "no aaa authentication tacacs+ server" on PI 1.4? I saw this command on PI 2.2 but I can't find something similar on 1.4.
    Thanks in advance.

    Check the following Command line manual for PI 1.4
    http://www.cisco.com/c/en/us/td/docs/wireless/prime_infrastructure/1-4/command/reference/cli14.html
    Apart from that I found this; let me know if it helps.
    Select a command
        Add TACACS+ Server—See the “Add TACACS+ Server” section.
        Delete TACACS+ Server—Select a server or servers to be deleted, select this command, and click Go to delete the server(s) from the database.
    Add TACACS+ Server
    Choose Administration > AAA > TACACS+ from the left sidebar menu to access this page. From the Select a command drop-down list choose Add TACACS+ Server , and click Go to access this page.
    This page allows you to add a new TACACS+ server to Prime Infrastructure.
        Server Address—IP address of the TACACS+ server being added.
        Port—Controller port.
        Shared Secret Format—ASCII or Hex.
        Shared Secret—The shared secret that acts as a password to log in to the TACACS+ server.
        Confirm Shared Secret—Reenter TACACS+ server shared secret.
        Retransmit Timeout—Specify retransmission timeout value for a TACACS+ authentication request.
        Retries—Number of retries allowed for authentication request. You can specify a value between 1 and 9.
        Authentication Type—Two authentication protocols are provided. Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP).
    Command Buttons
        Submit
        Cancel
    Note • Enable the TACACS+ server with the AAA Mode Settings. See the “Configuring AAA Mode” section.
        You can add only three servers at a time in Prime Infrastructure.

  • AAA authentication not working and 'default' method list

    Guys,
    I hope someone can help me here in troubleshooting AAA issue. I have copied configuration and debug below. The router keeps using local username/password even though ACS servers are reachable and working. From debugs it seems it keeps using 'default' method list ignoring TACACS config. Any help will be appreciated
    Config
    aaa new-model
    username admin privilege 15 secret 5 xxxxxxxxxx.
    aaa authentication login default group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization console
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    aaa authorization reverse-access default group tacacs+ local
    aaa accounting commands 0 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    aaa session-id common
    tacacs-server host x.x.x.x
    tacacs-server host x.x.x.x
    tacacs-server host x.x.x.x
    tacacs-server host x.x.x.x
    tacacs-server directed-request
    tacacs-server key 7 0006140E54xxxxxxxxxx
    ip tacacs source-interface Vlan200
    Debugs
    002344: Dec  5 01:36:03.087 ICT: AAA/BIND(00000022): Bind i/f
    002345: Dec  5 01:36:03.087 ICT: AAA/AUTHEN/LOGIN (00000022): Pick method list 'default'
    002346: Dec  5 01:36:11.080 ICT: AAA/AUTHEN/LOGIN (00000022): Pick method list 'default'
    core01#
    002347: Dec  5 01:36:59.404 ICT: AAA: parse name=tty0 idb type=-1 tty=-1
    002348: Dec  5 01:36:59.404 ICT: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
    002349: Dec  5 01:36:59.404 ICT: AAA/MEMORY: create_user (0x6526934) user='admin' ruser='core01' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
    002350: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): Port='tty0' list='' service=CMD
    002351: Dec  5 01:36:59.404 ICT: AAA/AUTHOR/CMD: tty0 (2162495688) user='admin'
    002352: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV service=shell
    002353: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV cmd=configure
    002354: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV cmd-arg=terminal
    002355: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV cmd-arg=<cr>
    002356: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): found list "default"
    002357: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): Method=tacacs+ (tacacs+)
    002358: Dec  5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): user=admin
    002359: Dec  5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): send AV service=shell
    002360: Dec  5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): send AV cmd=configure
    002361: Dec  5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): send AV cmd-arg=terminal
    002362: Dec  5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): send AV cmd-arg=<cr>
    Enter configuration commands, one per line.  End with CNTL/Z.
    core01(config)#
    002363: Dec  5 01:37:04.261 ICT: AAA/AUTHOR (2162495688): Post authorization status = ERROR
    002364: Dec  5 01:37:04.261 ICT: tty0 AAA/AUTHOR/CMD (2162495688): Method=LOCAL
    002365: Dec  5 01:37:04.261 ICT: AAA/AUTHOR (2162495688): Post authorization status = PASS_ADD
    002366: Dec  5 01:37:04.261 ICT: AAA/MEMORY: free_user (0x6526934) user='admin' ruser='core01' port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=15
    core01(config)#

    Are the tacacs+ servers reachable using the source vlan 200? Also, in the tacacs+ server can you check if the IP address for this device is correctly configured, and also please check that the pwd on both the server and this device match.
    As rick suggested sh tacacs would be good as well. That would show failures and successes
    HTH
    Kishore
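
Added example (not part of the original thread, and not Cisco tooling): a Python parser for the `AAA/AUTHOR` debug lines quoted in the question that reports, per session, which method was tried, the status returned, and how long the device waited before moving to the next method. The sample lines are copied from the post; the function names are this example's own.

```python
import re

# Lines copied from the debug output in the question above.
DEBUG = """\
002350: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): Port='tty0' list='' service=CMD
002351: Dec  5 01:36:59.404 ICT: AAA/AUTHOR/CMD: tty0 (2162495688) user='admin'
002353: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV cmd=configure
002354: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV cmd-arg=terminal
002355: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV cmd-arg=<cr>
002356: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): found list "default"
002357: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): Method=tacacs+ (tacacs+)
002363: Dec  5 01:37:04.261 ICT: AAA/AUTHOR (2162495688): Post authorization status = ERROR
002364: Dec  5 01:37:04.261 ICT: tty0 AAA/AUTHOR/CMD (2162495688): Method=LOCAL
002365: Dec  5 01:37:04.261 ICT: AAA/AUTHOR (2162495688): Post authorization status = PASS_ADD
"""

TS = re.compile(r"(\d{2}):(\d{2}):(\d{2})\.(\d{3})")
SID = re.compile(r"\((\d+)\)")
USER = re.compile(r"user='([^']+)'")
LIST = re.compile(r'found list "([^"]+)"')
CMD = re.compile(r"send AV cmd=(\S+)")
ARG = re.compile(r"send AV cmd-arg=(\S+)")
METHOD = re.compile(r"Method=(\S+)")
STATUS = re.compile(r"Post authorization status = (\w+)")


def parse(text):
    """Group AAA/AUTHOR debug lines by session id.

    Returns {session_id: {user, list, command, attempts}} where each attempt
    is {method, status, wait_ms}. Timestamps are compared within one day only.
    """
    sessions = {}
    for line in text.splitlines():
        sid, ts = SID.search(line), TS.search(line)
        if not sid or not ts or "AAA/AUTHOR" not in line:
            continue
        hh, mm, ss, ms = (int(x) for x in ts.groups())
        now = ((hh * 60 + mm) * 60 + ss) * 1000 + ms
        s = sessions.setdefault(
            sid.group(1),
            {"user": None, "list": None, "command": [], "attempts": []},
        )
        found = USER.search(line)
        if found:
            s["user"] = found.group(1)
        found = LIST.search(line)
        if found:
            s["list"] = found.group(1)
        found = CMD.search(line) or ARG.search(line)
        if found and found.group(1) != "<cr>":
            s["command"].append(found.group(1))
        found = METHOD.search(line)
        if found:
            s["attempts"].append(
                {"method": found.group(1), "status": None, "wait_ms": None, "_t0": now}
            )
        found = STATUS.search(line)
        if found and s["attempts"] and s["attempts"][-1]["status"] is None:
            last = s["attempts"][-1]
            last["status"] = found.group(1)
            last["wait_ms"] = now - last.pop("_t0")
    return sessions


def fallbacks(sessions):
    """Sessions where a method ended in ERROR and a later method passed.

    ERROR means the method itself could not be completed, which is what
    makes the device move on to the next method in the list.
    """
    found = []
    for sid, s in sessions.items():
        tried = s["attempts"]
        for prev, nxt in zip(tried, tried[1:]):
            if prev["status"] == "ERROR" and str(nxt["status"]).startswith("PASS"):
                found.append((sid, s["user"], " ".join(s["command"]),
                              prev["method"], prev["wait_ms"], nxt["method"]))
    return found


if __name__ == "__main__":
    for sid, user, cmd, failed, waited, used in fallbacks(parse(DEBUG)):
        print(f"session {sid}: user={user} cmd='{cmd}': {failed} returned ERROR "
              f"after {waited} ms, authorised by {used}")
```

On the sample, the `tacacs+` attempt ends in ERROR after 4857 ms and `LOCAL` then returns PASS_ADD, which matches the fallback to the local database described in the question.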

  • Fixed ip for vpn user- aaa authenticated

    Hi all,
    I am using an ASA 5520 as my VPN box. All VPN users log in to the VPN box associated with an AAA server. The authentication takes place on the AAA server. If I use the local database for user login, I can assign a fixed static IP to the user via its VPN properties. But now I am using AAA for authentication and I want to assign a fixed static IP for some users. How can I do this?

    With local aaa authentication,
    go to the user attributes,
    like username vpnuser attributes
    vpn-framed-ip-address 192.168.50.1 255.255.255.255
    This will give that IP to that user.
    If you are using Cisco ACS,
    under the user setting
    go to:
    Assign static IP address-If a specific IP address should be used for this user, click this option and type the IP address in the text box. The IP address assignment in User Setup overrides the IP address assignment in Group Setup
    and the following link gives step-by-step instructions to configure Cisco ACS AAA:
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008007e6a6.html
    Good luck
    Please, if helpful, rate

  • LMS 3.2 - Problem with inventory of switches using AAA authentication

    Hi all,
    we want to migrate our network equipment from local authentication (telnet password, enable password) to AAA authentication (Cisco ACS server - username, password for priv level 15). The network devices are managed with CiscoWorks 3.2 and inventory works fine when device login credentials are telnet password, enable password.
    I have configured a switch for testing the authentication to the ACS server, and tested the logon manually. After the successful test I reconfigured the device credentials in CiscoWorks and checked it by a device export with credentials. The credentials in CW were OK, but from this time CiscoWorks couldn't pull an inventory of the switch any more. Every inventory job failed.
    Any help would be appreciated. Thanks a lot.
    Regards
    fred

    Joe,
    excuse me, I've made a mistake. It's the malfunction of the configuration *archiving* which depends on telnet services. I have included the trace file of the failed CW archiving job. I can see that CW receives the banner and the username prompt, but doesn't send back any telnet credentials. I have also checked the correctness of the device credentials by a DCR export.
    fred
