AAA Authentication Issue

Unanswered Question
May 3rd, 2009

Hi Guys,

I have this config for AAA:

enable secret 5 $ $xxxxxxxxxxxxxxx
enable password 7 xxxxxxxxxxxxxxxx
!
username admin password 7 xxxxxxxxxxxxxx
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication login console line
aaa authentication enable default group tacacs+ enable
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting commands 15 default stop-only group tacacs+
!
aaa session-id common
line con 0
 privilege level 15
 password 7 xxxxxxxxxxxxxxxxxxxxxx
 login authentication console
line vty 0 4
 exec-timeout 120 0
 password 7 xxxxxxxxxxxxxxxxxxxxxxxx

The problem is that when the router loses its connection to the TACACS+ server, it can't authenticate the user with local authentication. As a backup, I would like to be able to authenticate to the router should the TACACS+ server be unreachable.

Thanks.

Giuseppe Larosa Sun, 05/03/2009 - 21:16

Hello Shawkat,

to have local username password fallback you should use

aaa authentication login default group tacacs+ local

Hope to help

Giuseppe

shawkatalvi Sun, 05/03/2009 - 21:45

Hi Giuseppe,

Thanks for your quick reply. If I use the following config:

aaa new-model
aaa authentication login REMOTE group tacacs+ local-case
aaa authentication login default group tacacs+ local
!
aaa authentication fail-message #
Local authentication failed.
#
aaa authentication password-prompt "Enter local password:"
aaa authentication username-prompt "Enter local username:"
!
username a secret b
!
line con 0
 login authentication REMOTE
line vty 0 4
 login authentication REMOTE

Would I be able to access the router with privilege level 15, and if the TACACS+ server fails, would it allow me to authenticate locally?

Giuseppe Larosa Sun, 05/03/2009 - 22:42

Hello Shawkat,

you will be able to log in with the local account only when the TACACS+ server is unreachable.

When TACACS+ is reachable you need to use an account defined on it.

See the list

aaa authentication login default group tacacs+ local

as an ordered list of methods, where the second method is used only if the first one doesn't give a timely answer.

If you perform lab tests you will see that as soon as the server is reachable again the local account cannot perform commands on the device.

Hope to help

Giuseppe
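
The ordered-list behaviour Giuseppe describes, modelled in Python as an added example (not code from the thread or from Cisco): a method that answers, PASS or FAIL, ends the walk, and only a method that cannot answer hands over to the next one. The TACACS+ and local user databases are constructed placeholders.

```python
# Added example: a small model of how an IOS AAA method list such as
# "group tacacs+ local" is walked (constructed, not Cisco's implementation).
from enum import Enum
from typing import Callable, Dict, List, Tuple

class Result(Enum):
    PASS = "pass"    # method authenticated the user
    FAIL = "fail"    # method answered and rejected the credentials
    ERROR = "error"  # method could not answer (server unreachable / timeout)

Method = Callable[[str, str], Result]          # (username, password) -> Result

def tacacs_method(server_db: Dict[str, str], reachable: bool) -> Method:
    """'group tacacs+': answers only while the server is reachable."""
    def authenticate(user: str, password: str) -> Result:
        if not reachable:
            return Result.ERROR              # no timely answer -> next method
        return Result.PASS if server_db.get(user) == password else Result.FAIL
    return authenticate

def local_method(local_db: Dict[str, str]) -> Method:
    """'local': the router's own username database."""
    def authenticate(user: str, password: str) -> Result:
        return Result.PASS if local_db.get(user) == password else Result.FAIL
    return authenticate

def run_method_list(methods: List[Tuple[str, Method]], user: str,
                    password: str) -> Tuple[bool, str]:
    """Walk the ordered list; return (authenticated, method that decided)."""
    for name, method in methods:
        result = method(user, password)
        if result is not Result.ERROR:       # PASS or FAIL is final
            return result is Result.PASS, name
    return False, "exhausted"                # every method errored: deny

# Constructed sample databases (placeholder credentials, not real ones)
TACACS_USERS = {"netops": "tacacs-pw"}
LOCAL_USERS = {"admin": "local-pw"}

def login(user: str, password: str, tacacs_reachable: bool) -> Tuple[bool, str]:
    """Equivalent of: aaa authentication login default group tacacs+ local"""
    default_list = [("tacacs+", tacacs_method(TACACS_USERS, tacacs_reachable)),
                    ("local", local_method(LOCAL_USERS))]
    return run_method_list(default_list, user, password)

if __name__ == "__main__":
    # Server up: TACACS+ rejects the local-only account and the list stops there.
    print(login("admin", "local-pw", tacacs_reachable=True))   # (False, 'tacacs+')
    # Server down: the same account falls through to the local database.
    print(login("admin", "local-pw", tacacs_reachable=False))  # (True, 'local')
```

The same walk explains the reverse case: a TACACS+-only account is refused by the local method once the server is down, so the local fallback account must exist on the device beforehand.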

shawkatalvi Wed, 05/06/2009 - 21:55

Thanks Giuseppe for your feedback.

I used this config:

username admin privilege 15 secret xxxxxxxxxxxx
aaa new-model
aaa authentication login REMOTE group tacacs+ local-case
aaa authentication login default group tacacs+ local-case
!
line con 0
 login authentication REMOTE
line vty 0 4
 login authentication REMOTE

When TACACS+ was unreachable I could log into the router via the console, but via line vty 0 4 it only let me into read-only mode (privilege level 1). As soon as I typed "en" it said "error in authentication". I expected line vty to work the same way console 0 worked. Any ideas?
