Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1034
Views
0
Helpful
2
Replies

AAA problem via terminal server

russell.sage
Level 1
Level 1

‎12-17-2021 07:12 AM

Hi

I have the following AAA config and this works fine with and without the TACACS server (Cisco ISE 2.6 Device Admin). My problem seems to be with the few devices we have connected to a terminal server. Can reach the target router through the terminal server and get the router> prompt. Attempt to enter exec mode and no matter what password I use , tacacs, line, enable all are rejected as unauthorised. If I console directly onto the device I can enter the line and enable password and there is no issue. Any idea - I have attempted to debug TACACS and AAA authenticate and authorise but unable to see the issue. Tried comparing the ISE logs for direct and terminal server access and again nothing obvious.

 

aaa new-model
!
!
aaa group server tacacs+ TACACS_GROUP
server name TACACS_SERVER_1
ip vrf forwarding Mgmt-intf
ip tacacs source-interface GigabitEthernet0
!
aaa authentication login default group TACACS_GROUP line
aaa authentication login no_tacacs enable
aaa authentication enable default group TACACS_GROUP enable
aaa authorization exec default group TACACS_GROUP if-authenticated
aaa authorization commands 1 default group TACACS_GROUP none
aaa authorization commands 15 default group TACACS_GROUP none
aaa accounting exec default start-stop group TACACS_GROUP
aaa accounting commands 1 default start-stop group TACACS_GROUP
aaa accounting commands 15 default start-stop group TACACS_GROUP
aaa accounting connection default start-stop group TACACS_GROUP
aaa accounting system default start-stop group TACACS_GROUP

0 Helpful
2 Replies 2

Arne Bier
VIP
VIP

‎12-17-2021 01:05 PM

Interesting. I would also not expect any difference in behaviour between an async connection (reverse telnet to terminal server to reach the console port), or plugging directly into the console port.  You are 100% sure you did a reverse telnet to the correct device? Async cables and their numbering can often be confusing (offset 2000 + line number)

 

Have you configured anything on the line con 0?

 

Can you share your:

show run | section line
0 Helpful

russell.sage
Level 1
Level 1
In response to Arne Bier

‎01-04-2022 12:04 AM

Apologies for the delayed response. I was on leave

 

line con 0
exec-timeout 5 0
password ********************************
escape-character 3
stopbits 1
line aux 0
stopbits 1
line vty 0 4
access-class Secured_Remote_Access in vrf-also
exec-timeout 5 0
password **************************************
logging synchronous
length 0
transport input ssh
escape-character 3
line vty 5 15
access-class Secured_Remote_Access in vrf-also
exec-timeout 5 0
password **************************************
logging synchronous
transport input all
escape-character 3

0 Helpful
Customers Also Viewed These Support Documents