AAA Authentication Issue

Unanswered Question
May 3rd, 2009

Hi Guys,


I have this config for AAA:

enable secret 5 $ $xxxxxxxxxxxxxxx
enable password 7 xxxxxxxxxxxxxxxx
!
username admin password 7 xxxxxxxxxxxxxx
!
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication login console line
aaa authentication enable default group tacacs+ enable
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting commands 15 default stop-only group tacacs+
!
aaa session-id common
!
line con 0
 privilege level 15
 password 7 xxxxxxxxxxxxxxxxxxxxxx
 login authentication console
line vty 0 4
 exec-timeout 120 0
 password 7 xxxxxxxxxxxxxxxxxxxxxxxx


The problem is that when the router loses its connection to the TACACS+ server, it can't authenticate the user with local authentication. As a backup, I would like to be able to authenticate to the router should the TACACS+ server be unreachable.


Thanks.



Giuseppe Larosa Sun, 05/03/2009 - 21:16

Hello Shawkat,


To have local username/password fallback you should use


aaa authentication login default group tacacs+ local



Hope to help

Giuseppe


shawkatalvi Sun, 05/03/2009 - 21:45

Hi Giuseppe,

Thanks for your quick reply. If I use the following config:


aaa new-model
aaa authentication login REMOTE group tacacs+ local-case
aaa authentication login default group tacacs+ local
!
aaa authentication fail-message #
Local authentication failed.
#
aaa authentication password-prompt "Enter local password:"
aaa authentication username-prompt "Enter local username:"
!
username a secret b
!
line con 0
 login authentication REMOTE
line vty 0 4
 login authentication REMOTE


Would I be able to access the router with privilege level 15 and if the TACACS+ server fails, it would allow me to authenticate locally?

Giuseppe Larosa Sun, 05/03/2009 - 22:42

Hello Shawkat,

You will be able to log in with the local account only when TACACS+ is unreachable.

When TACACS+ is reachable you need to use an account defined on it.

See the list

aaa authentication login default group tacacs+ local

as an ordered list of methods, where the second method is used only if the first one does not get a timely answer.

If you perform lab tests you will see that as soon as the server is reachable again the local account cannot perform commands on the device.


Hope to help

Giuseppe


shawkatalvi Wed, 05/06/2009 - 21:55

Thanks Giuseppe for your feedback.


I used this config:

username admin privilege 15 secret xxxxxxxxxxxx
!
aaa new-model
aaa authentication login REMOTE group tacacs+ local-case
aaa authentication login default group tacacs+ local-case
!
line con 0
 login authentication REMOTE
line vty 0 4
 login authentication REMOTE


When TACACS+ was unreachable I could log in to the router via the console, but via line vty 0 4 it only let me into read-only mode (privilege level 1). As soon as I typed "en" it said "error in authentication". I expected line vty to work the same way console 0 did. Any ideas?
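A complete fallback configuration, added here as an illustration and not taken from either poster's device, that applies the ordered-method-list behaviour Giuseppe describes (a later method is tried only when no server answers, never after a reject from a reachable server) to every AAA phase a vty session passes through: login, enable, exec authorization and command authorization. The server address 192.0.2.10, the key, the hostname-free placeholders and the local account are assumptions; replace them with your own.

```cisco
! Added example, not from the thread. Placeholders: 192.0.2.10, EXAMPLE_KEY, the local account.
aaa new-model
tacacs-server host 192.0.2.10 key EXAMPLE_KEY
!
! Local account consulted only when every TACACS+ server is unreachable.
! "secret" stores a hash rather than a reversible type-7 string.
! "privilege 15" is what exec authorization hands out when it falls back to the local database.
username admin privilege 15 secret ChangeMe123!
enable secret ChangeMe123!
!
! Login: TACACS+ first; the local database is used only if no server gives a timely answer.
! A reject from a reachable server terminates the list and the local method is never tried.
aaa authentication login default group tacacs+ local-case
!
! Enable: with "group tacacs+" alone, "enable" fails while the server is down.
! The "enable" method falls back to the enable secret above.
aaa authentication enable default group tacacs+ enable
!
! Exec authorization decides the privilege level a vty session starts in.
! Without a fallback method the session is left at level 1 when TACACS+ is unreachable.
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
!
! The console is given level 15 directly by the line, which is why it behaves
! differently from a vty line that relies on exec authorization for its level.
line con 0
 privilege level 15
 login authentication default
line vty 0 4
 exec-timeout 120 0
 login authentication default
 transport input ssh
```

To verify the behaviour in a lab, make the server unreachable and log in while `debug aaa authentication` and `debug aaa authorization` are on: the expected path is the TACACS+ method returning an error (no answer) followed by the local method being tried. If you instead see a FAIL from the server, the credentials were rejected and no fallback will occur, which is the behaviour Giuseppe describes for a reachable server. Note that a named list such as REMOTE applied under `line` overrides the `default` list for that line, so whichever list the line uses is the one that needs the fallback method.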
