06-04-2009 11:35 AM - edited 03-10-2019 04:31 PM
If I have this:
aaa authentication login default group tacacs+ local line none
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local none
username localadmin password 7 xxxxxxxxxxxx
enable secret 5 xxxxxxxxxxxxxxxx
And all tacacs+ servers are unreachable.
Authentication will revert to local, so I would need to use a locally defined username of localadmin to access the unit. Correct?
If I can login using the local username, doesn't the authorization exec fail and I cannot get an exec shell as I have no locally defined authorization set up?
If so, how do I set it up so I can login locally (which I think I have setup), but can also get into enable mode if the tacacs+ server(s) are down?
Is exec shell the privileged mode or just the shell you get when you login and you need to execute an enable command to get to exec shell?
Thanks
Gene
06-04-2009 12:03 PM
Gene
I believe that exec shell is the exec that you get when you login and not the privilege level. I usually configure authentication as you have done and it works well - whether the TACACS server is available or not. I generally configure authorization this way:
aaa authorization exec default group tacacs+ if-authenticated
and find that it works well - whether the TACACS server is available or not.
HTH
Rick
06-04-2009 02:17 PM
Gene,
Yes, if tacacs is down you need to login using locally configured user.
If you want to get into enable mode straight away then the local user should have privilege 15. If the user's privilege is less than 15 then it will ask for the enable password.
Shell exec is a privileged mode.
Regards,
~JG
Do rate helpful posts
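Putting Rick's if-authenticated method and JG's privilege 15 point together, here is a complete IOS configuration for the fallback chain discussed above. It is an added example, not any poster's actual config: the server address and secrets are placeholders, and the `tacacs server` block assumes a reasonably recent IOS release.

```cisco
! Added example (constructed, not from the thread): AAA that still lets you
! in when every TACACS+ server is unreachable.
aaa new-model
!
! TACACS+ server definition (192.0.2.10 is a documentation address; replace key)
tacacs server TAC1
 address ipv4 192.0.2.10
 key PLACEHOLDER-TACACS-KEY
!
! Authentication: IOS only moves to the next method when the previous one
! returns an ERROR (no server answered), not when it returns FAIL (bad
! password). So "local" is reached only while TACACS+ is down.
! The thread's original list ended in "line none"; "none" means no
! authentication at all once every earlier method errors, so it is left out.
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
! Authorization: "if-authenticated" (Rick's method) grants the exec shell to
! any user who already authenticated, so the local fallback login is not
! blocked when TACACS+ cannot answer. Using "local" here instead would grant
! exec based on the local user's privilege level.
aaa authorization exec default group tacacs+ if-authenticated
!
! Local fallback account. privilege 15 drops the user straight into enable
! mode (JG's point); without it the enable secret below is prompted for.
username localadmin privilege 15 secret PLACEHOLDER-LOCAL-PASSWORD
enable secret PLACEHOLDER-ENABLE-SECRET
```

With TACACS+ reachable, behaviour is unchanged; with it unreachable, the login falls to `local`, authorization passes via `if-authenticated`, and `localadmin` lands in privileged exec.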