Hi! When one connects to a console port of a non-master stacked Cisco 3750 series switch, the switch will use the VTY lines' authorization configuration. This is described in CSCsw51727.

Let's say that authorization is done by a TACACS+ server. There is a workaround possible when local username authentication is in use for the console line. For example, let's say that an authentication list named "console" is used for "line con 0", i.e. "login authentication console" is configured under "line con 0". In addition, local username authentication is used for this authentication list, i.e. "aaa authentication login console local" is configured. Now, when one connects to a console port of a non-master stacked Cisco 3750 series switch, the switch uses the provided local username in the authorization request to the TACACS+ server, and if the TACACS+ server has this local user properly configured, then authorization succeeds.

However, what if instead of local username authentication, enable password authentication is used? In other words, instead of "aaa authentication login console local", "aaa authentication login console enable" is configured. With "aaa authentication login console enable" there is no username. As far as I have tried, an empty username is used in the authorization request sent to the TACACS+ server, and such requests are denied by the TACACS+ server.

Is there a workaround for the CSCsw51727 bug if local username authentication is not in use? Has CSCsw51727 been fixed in the latest IOS releases?

thanks,
Martin

_______________________________________________
cisco-nsp mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
