
AAA on IOS-XR (NCS540)
Hi all,
I’m going nuts here trying to get my AAA set up on an NCS. The goal is to authenticate against TACACS on VTY lines but either use the local user database or line/enable for console access and I cannot get it right. Sometimes my VTY authentication fails the first time and it requires you to put in your password a second time, even though the TACACS servers are definitely available. I cannot get console access to work properly at all. I’m running XR 7.1.1. Here’s the aaa portion of the config:

tacacs source-interface Loopback1 vrf default
tacacs-server host 192.168.45.126 port 49
key 7 ******
single-connection
!
tacacs-server host 192.168.46.126 port 49
key 7 ******
timeout 3
single-connection
!
username admin
group root-lr
group cisco-support
secret 10 $secretpass
!
aaa group server tacacs+ TACACS
server 192.168.45.126
server 192.168.46.126
!
aaa authorization exec CONSOLE local
aaa authorization exec default group TACACS local
aaa authentication login CONSOLE local line
aaa authentication login default group TACACS line!
!
line console
password 7 ******
authorization exec CONSOLE
login authentication CONSOLE
!
line default
password 7 ******
timeout login response 30
authorization exec default
login authentication default
exec-timeout 0 0
access-class ingress access-protect
session-timeout 120
transport input ssh
!

I’ve tried different permutations of the line console config and can’t get the right combination. Can someone point me in the right direction here?

Thanks in advance,
evt

_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: AAA on IOS-XR (NCS540) [ In reply to ]
Do you have the control-plane set up?

tacacs source-interface Loopback100 vrf default
tacacs-server host 11.11.11.11 port 49
key 7 xxxxxxxxxxxxxxxxxxxxxxxx
!
tacacs-server host 22.22.22.22 port 49
key 7 xxxxxxxxxxxxxxxxxxxxxxxx
!

aaa accounting exec default start-stop group acs-tacacs
aaa accounting system default start-stop group acs-tacacs
aaa accounting commands default start-stop group acs-tacacs
aaa group server tacacs+ acs-tacacs
server 11.11.11.11
server 22.22.22.22
!
aaa authorization exec default group acs-tacacs local
aaa authorization commands default group acs-tacacs none
aaa authentication login default group acs-tacacs local

line console
exec-timeout 10 0
!
line default
password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxx
exec-timeout 30 0
session-timeout 30
transport input ssh
!
vty-pool default 0 20

control-plane
management-plane
inband
interface all
allow all peer
address ipv4 11.12.12.12
address ipv4 11.13.13.13
address ipv4 11.14.14.14




On Thu, Dec 3, 2020 at 11:33 AM Eric Van Tol <eric@atlantech.net> wrote:

Re: AAA on IOS-XR (NCS540) [ In reply to ]
No, all I have is:

control-plane
management-plane
inband
interface TenGigE0/0/0/27
allow all
!
interface TenGigE0/0/0/23.1550
allow all
!
interface TenGigE0/0/0/25.1550
allow all
!
!

What exactly does this do? I mean, I have an inkling, but I wouldn’t expect TACACS to work at all if I was missing a config to allow it to respond to the router.

From: Scott Miller <fordlove@gmail.com>
Date: Thursday, December 3, 2020 at 1:52 PM
To: Eric Van Tol <eric@atlantech.net>
Cc: "cisco-nsp@puck.nether.net" <cisco-nsp@puck.nether.net>
Subject: Re: [c-nsp] AAA on IOS-XR (NCS540)


Re: AAA on IOS-XR (NCS540) [ In reply to ]
This isn't a typo, is it?

aaa authentication login default group TACACS line!

should it be
aaa authentication login default group TACACS line <<< no !

On Thu, Dec 3, 2020 at 2:13 PM Eric Van Tol <eric@atlantech.net> wrote:

Re: AAA on IOS-XR (NCS540) [ In reply to ]
Yes, that was a copy-paste typo.

From: Aaron <dudepron@gmail.com>
Date: Thursday, December 3, 2020 at 2:18 PM
To: Eric Van Tol <eric@atlantech.net>
Cc: Scott Miller <fordlove@gmail.com>, "cisco-nsp@puck.nether.net" <cisco-nsp@puck.nether.net>
Subject: Re: [c-nsp] AAA on IOS-XR (NCS540)


Re: AAA on IOS-XR (NCS540) [ In reply to ]
control-plane is like an access-list, only the specified IPs will be able
to ssh to the box.

On Thu, Dec 3, 2020 at 12:32 PM Eric Van Tol <eric@atlantech.net> wrote:

Re: AAA on IOS-XR (NCS540) [ In reply to ]
This is our config to do just that. Running 7.0.2

aaa authorization exec LOCAL local
aaa authorization exec TACACS group TACACS local

aaa authentication login LOCAL local
aaa authentication login TACACS group TACACS local

aaa accounting exec default start-stop group TACACS
aaa accounting system default start-stop group TACACS
aaa accounting commands default start-stop group TACACS

aaa group server tacacs+ TACACS
server 10.0.0.1
server 10.0.0.2

tacacs-server host 10.0.0.1 port 49
key 7 xxx
!
tacacs-server host 10.0.0.2 port 49
key 7 xxx
!
username admin
group root-lr
secret 10 xxx

line console
authorization exec LOCAL
login authentication LOCAL
exec-timeout 12 0
!
line default
authorization exec TACACS
login authentication TACACS
exec-timeout 12 0
transport input ssh

Regards,
Dave

On Thu, 3 Dec 2020 at 18:31, Eric Van Tol <eric@atlantech.net> wrote:

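An added lint script (not from the thread or any of its authors) that parses the AAA and line sections of an IOS-XR config as posted above and flags the pitfalls the thread raises: the "line!" copy-paste debris Aaron spotted, a line referencing a method list that is never defined, an undefined server group or a group member with no tacacs-server host entry, and a TACACS-backed list with no local/line fallback (the point of Dave's separate LOCAL and TACACS lists). It assumes the flat block layout seen in the posts (a `!` or the next top-level command closes a block); ERIC_CONFIG is the first post's config trimmed to its AAA lines, and lines with no explicit `login authentication` are not checked.

```python
"""Lint the AAA and line section of an IOS-XR config for the pitfalls this
thread turns on: a stray character glued onto a method list ("line!"), a line
pointing at an undefined method list, a list naming an undefined server group
or a server with no tacacs-server host entry, and a TACACS-backed list with
no local/line fallback.  Constructed example, not the thread authors' code."""
import re

TOP_LEVEL = ("aaa ", "tacacs", "line ", "username ", "vty-pool", "control-plane")
FALLBACK = {"local", "line"}  # methods that still work with every server down

def split_methods(tokens):
    """['group', 'TACACS', 'local'] -> [('group', 'TACACS'), ('method', 'local')]"""
    out, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            out.append(("group", tokens[i + 1]))
            i += 2
        else:
            out.append(("method", tokens[i]))
            i += 1
    return out

def parse_aaa(config):
    """Collect login/exec method lists, tacacs+ groups, hosts and line settings."""
    cfg = {"login": {}, "exec": {}, "groups": {}, "hosts": set(), "lines": {}}
    block = None  # ("group", name) or ("line", name) while inside that block
    for raw in config.splitlines():
        s = raw.strip()
        if s == "!" or s.startswith(TOP_LEVEL):
            block = None  # a bang or a new top-level command closes the block
        if m := re.match(r"aaa authentication login (\S+) (.+)", s):
            cfg["login"][m.group(1)] = m.group(2).split()
        elif m := re.match(r"aaa authorization exec (\S+) (.+)", s):
            cfg["exec"][m.group(1)] = m.group(2).split()
        elif m := re.match(r"aaa group server tacacs\+ (\S+)", s):
            cfg["groups"][m.group(1)] = []
            block = ("group", m.group(1))
        elif m := re.match(r"tacacs-server host (\S+)", s):
            cfg["hosts"].add(m.group(1))
        elif m := re.match(r"line (\S+)", s):
            cfg["lines"][m.group(1)] = {}
            block = ("line", m.group(1))
        elif block and block[0] == "group" and (m := re.match(r"server (\S+)", s)):
            cfg["groups"][block[1]].append(m.group(1))
        elif block and block[0] == "line" and (
                m := re.match(r"(login authentication|authorization exec) (\S+)", s)):
            cfg["lines"][block[1]][m.group(1)] = m.group(2)
    return cfg

def lint_aaa(config):
    """Return human-readable findings; an empty list means the section is clean."""
    cfg, findings = parse_aaa(config), []
    for kind in ("login", "exec"):
        for name, tokens in cfg[kind].items():
            methods = split_methods(tokens)
            bad = [v for _, v in methods if not re.fullmatch(r"[\w.+-]+", v)]
            if bad:  # e.g. "line!": the rest of the list cannot be trusted
                findings.append(f"{kind} list {name}: malformed method token {bad[0]!r}")
                continue
            for typ, val in methods:
                if typ == "group" and val not in cfg["groups"]:
                    findings.append(f"{kind} list {name}: server group {val} is not defined")
                elif typ == "group":
                    for srv in cfg["groups"][val]:
                        if srv not in cfg["hosts"]:
                            findings.append(f"group {val}: {srv} has no tacacs-server host entry")
                elif kind == "login" and val == "none":
                    findings.append(f"login list {name}: 'none' grants access without authentication")
            if any(t == "group" for t, _ in methods) and not any(
                    t == "method" and v in FALLBACK for t, v in methods):
                findings.append(f"{kind} list {name}: no local/line fallback if the servers are down")
    for lname, settings in cfg["lines"].items():
        for key, kind in (("login authentication", "login"), ("authorization exec", "exec")):
            ref = settings.get(key)
            if ref is not None and ref not in cfg[kind]:
                findings.append(f"line {lname}: '{key} {ref}' refers to an undefined {kind} list")
    return findings

# The config posted at the top of the thread, trimmed to its AAA lines (keys elided).
ERIC_CONFIG = """
tacacs-server host 192.168.45.126 port 49
tacacs-server host 192.168.46.126 port 49
aaa group server tacacs+ TACACS
 server 192.168.45.126
 server 192.168.46.126
!
aaa authorization exec CONSOLE local
aaa authorization exec default group TACACS local
aaa authentication login CONSOLE local line
aaa authentication login default group TACACS line!
line console
 authorization exec CONSOLE
 login authentication CONSOLE
"""
```

Running `lint_aaa(ERIC_CONFIG)` reports only the malformed `line!` token; the same script on Dave's LOCAL/TACACS layout comes back empty.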
Re: AAA on IOS-XR (NCS540) [ In reply to ]
Ok, so it’s essentially adding in something like an iptables entry. Is there any need to use an ACL on the VTY lines anymore when using the peer config? I personally like the ACL instead because then I don’t need to define the peer addresses on every port I want access from, but maybe I’m doing it wrong.

BTW – I ended up deleting my AAA config and adding it back and now it magically works and I can log in via console as the local admin user:

aaa authorization exec CONSOLE local
aaa authorization exec default group TACACS local
aaa authentication login CONSOLE local line
aaa authentication login default group TACACS line
!
line console
secret 5 ******
authorization exec CONSOLE
login authentication CONSOLE
!

From: Scott Miller <fordlove@gmail.com>
Date: Thursday, December 3, 2020 at 5:11 PM
To: Eric Van Tol <eric@atlantech.net>
Cc: Aaron <dudepron@gmail.com>, "cisco-nsp@puck.nether.net" <cisco-nsp@puck.nether.net>
Subject: Re: [c-nsp] AAA on IOS-XR (NCS540)

