AAA configuration on CAT 3750

Answered Question
Apr 5th, 2007

Every time I enter the following AAA commands my switch locks up.

aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default stop-only group tacacs+
aaa session-id common

scottosan Thu, 04/05/2007 - 13:19

Do you have the TACACS server set up and responding? I don't see anything in the config displaying the TACACS server information.

As soon as you paste the config in, you can no longer enter commands without the tacacs server permitting you to do so.

idesofmarch Thu, 04/05/2007 - 13:21

Yes, the TACACS server is up and running. I just did the same commands to my router and had no issues.

Correct Answer
ilya.varlashkin Thu, 04/05/2007 - 13:27

Your current session may indeed lock up if you were logged in via a local account that doesn't have an entry in TACACS, or just via a line password. First enable only authentication via TACACS, then re-login using a TACACS account, then add authorization.

ilya.varlashkin Fri, 04/06/2007 - 07:31

'tacacs-server directed-request' is generally considered to be a security risk and you shouldn't include it unless really necessary. Otherwise your config looks fine. Just apply the AAA config in the sequence I mentioned and enable authentication also on the console.
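The staged rollout described in the two replies above, written out as an added example (this is not configuration from the original thread or from the poster's switch). The server address 192.0.2.10, the key placeholder and the account names are assumptions; the `test aaa` line assumes an IOS image that supports that command. The point of the ordering is that authorization is only enabled from a session that TACACS+ itself authenticated, so a local-only account or a line password can never be the session that commands are authorized against.

```cisco
! Stage 1: define the TACACS+ server and turn on AUTHENTICATION only.
! Keep a second, already-logged-in session open on the switch while doing
! this, so a mistake here does not lock you out of the box.
aaa new-model
tacacs-server host 192.0.2.10
tacacs-server key EXAMPLE-KEY-PLACEHOLDER
! "local" is consulted only when the TACACS+ server does not answer;
! it is NOT a fallback when the server answers with a reject.
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
! Verify the server path before going further (exec mode, not config):
!   test aaa group tacacs+ <tacacs-user> <password> legacy

! Stage 2: log out of the old session and log back in with an account
! that exists on the TACACS+ server. Confirm with "show users" that the
! new session is the one you are typing into.

! Stage 3: only from the TACACS+-authenticated session, add authorization
! and accounting. Exec authorization for the console is off by default,
! so enable it explicitly as in the original config.
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
! Bind the console to the same default list so console logins are also
! authenticated by TACACS+, per the second reply.
line con 0
 login authentication default
! Deliberately NOT configured: tacacs-server directed-request
```

After stage 3, open one more fresh session and run a privileged command in it before closing the older sessions; that confirms authorization is granted through TACACS+ rather than inherited from a session that predates the change.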
