06-11-2009 06:51 AM - edited 03-06-2019 06:12 AM
Good morning,
On 3750, I was setting up passwords and I did:
config t
aaa new-model
aaa auth login default group tacacs+ local
Then I got output:
% Authorization failed.
From there I can't do show run, config t, etc. It sounds like I need to reboot the switch and break into it?
Why did this happen and what is wrong? My intention is to set the following, so that if tacacs is not present, users can use the local login "local" to log in:
aaa new-model
aaa authentication login default group tacacs+ local
username local secret passwordlogin
line con 0
session-timeout 900
exec-timeout 15 0
login local
password consolepassword
line vty 0 15
login local
session-timeout 900
exec-timeout 15 0
password telnetpassword
06-11-2009 06:56 AM
During your initial configuration, your entry to the router was made with the 'enable secret|password'.
When you enabled 'aaa new-model' and 'aaa authentication ... local', you need to regain entry into the router by using the local username and password in order to continue making changes in the config.
Edit: Additionally, I noticed the local account does not have 'priv 15'. You need privilege 15 in order to make config changes.
HTH,
__
Edison.
06-11-2009 06:58 AM
Hi,
Have you entered the aaa config for authentication or authorization?
I think the IOS has taken it as authorization, because when we are entering this config the IOS prompt usually stops in order for us to select whether we want authentication or authorization.
The above config needs some modification:
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ local
If you haven't saved the config you need to reboot the switch, or do a password recovery if you have saved it.
Thanks
Mahmood
06-11-2009 07:06 AM
Fortunately I closed my telnet session and then I was able to login again, without rebooting it.
Can you confirm the following should work:
aaa new-model
aaa authentication login default group tacacs+ local
username local privilege 15 secret passwordlogin
line con 0
session-timeout 900
exec-timeout 15 0
login local
password consolepassword
line vty 0 15
login local
session-timeout 900
exec-timeout 15 0
password telnetpassword
06-11-2009 07:17 AM
Marlon
You may have intended authentication. But the error message is pretty clear that the router interpreted your input as authorization:
Then I got output:
% Authorization failed.
Assuming that you have not done a copy run start then recovery should be easy by power cycling the device. If the change was not saved then power cycle will get rid of the change and there is no need to break in and do password recovery.
HTH
Rick
06-11-2009 07:21 AM
Rick,
The authorization command options are slightly different:
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_a1.html#wp1060219
06-11-2009 07:22 AM
Marlon
The issue that I see with this proposed config is that when you enable aaa new-model then you can no longer configure login local for console or vty.
Also you are specifying TACACS as the primary method but the partial config does not have any configuration of the TACACS server. Other than that I believe that your config is ok.
HTH
Rick
06-11-2009 07:23 AM
After login, were you able to get into config mode and make the additional changes?
06-11-2009 07:31 AM
Yes, I can make changes now.
Can you confirm that I should be using authentication as below?
At this stage the switch has no network connectivity, but I will point it to the tacacs IP accordingly (the only thing is that I need to be able to log in using local credentials since no network connectivity is in place yet).
aaa new-model
aaa authentication login default group tacacs+ local
username local privilege 15 secret passwordlogin
line con 0
session-timeout 900
exec-timeout 15 0
login local
password consolepassword
line vty 0 15
login local
session-timeout 900
exec-timeout 15 0
password telnetpassword
06-11-2009 07:33 AM
Hi,
I think you need an extra line, i.e.
aaa authentication enable default group tacacs+ local
Thanks
Mahmood
06-11-2009 07:36 AM
I tried that, but it did not accept 'local'. Also, if I try my original configuration, now I understand the comment that someone made that when I try to do "line con... login local" I am no longer able to do that, since it requires 'authentication' instead.
switch(config)#aaa authentication enable default group tacacs+ local
^
% Invalid input detected at '^' marker.
switch(config)#
switch(config)#aaa authentication enable default group tacacs+ ?
cache Use Cached-group
enable Use enable password for authentication.
group Use Server-group
line Use line password for authentication.
none NO authentication.
06-11-2009 07:36 AM
I'm glad you are able to make changes now. The problem you had before is that your privileges were changed from 'enable secret' to 'local account'.
Your authentication line is fine. If you need additional AAA services, then you need to configure 'authorization' and 'accounting'.
For now, without a TACACS server - you are fine with just authentication but once the TACACS server is online, you will also need the authorization component on AAA.
HTH,
__
Edison.
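Pulling the thread's advice together, here is a complete AAA configuration of the kind Marlon was aiming for: TACACS+ first, local fallback, console never dependent on the network, and the authorization and accounting components Edison says are needed once the server is online. This is an added example, not configuration from any poster. The TACACS+ server address 192.0.2.10 (an RFC 5737 documentation address), the shared key, the enable secret and the method-list name CONSOLE are assumed placeholders; the `tacacs-server host` form is the 12.2-era syntax that a 3750 of that time accepts.

```text
! Added example (not from the thread). Assumed values: 192.0.2.10,
! SharedKey, enablepassword and the list name CONSOLE are placeholders.
!
! Local fallback account. privilege 15 is what lets it reach config mode
! (Edison's point); 'secret' stores a hash rather than a reversible password.
username local privilege 15 secret passwordlogin
!
! The fallback for 'aaa authentication enable' must be 'enable', not
! 'local' (see the '?' output above), so an enable secret has to exist.
enable secret enablepassword
!
aaa new-model
!
! TACACS+ server definition, which the partial configs in the thread lack.
tacacs-server host 192.0.2.10 key SharedKey
!
! Login: ask TACACS+; if no server answers, fall back to the local database.
! Note: 'local' is only tried when the server is unreachable, not when it
! rejects the credentials.
aaa authentication login default group tacacs+ local
! Console gets its own list that never touches the network, so a console
! session keeps working while the switch has no connectivity.
aaa authentication login CONSOLE local
! Enable: TACACS+ first, then the enable secret.
aaa authentication enable default group tacacs+ enable
!
! Authorization, needed once the server is online. 'if-authenticated'
! keeps a user who was authenticated by the local fallback from being
! locked out of exec and config mode when TACACS+ is down.
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization config-commands
!
! Accounting of sessions and privileged commands to the TACACS+ server.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! Under aaa new-model the per-line 'login local' and 'password' commands
! are not used; the lines reference method lists instead (Rick's point).
line con 0
 session-timeout 900
 exec-timeout 15 0
 login authentication CONSOLE
line vty 0 15
 session-timeout 900
 exec-timeout 15 0
 login authentication default
```

Before `copy run start`, keep the session you configured this from open, start a second session and confirm that the local account can log in and reach config mode; once the server is reachable, `test aaa group tacacs+ <user> <password> legacy` checks the TACACS+ leg without risking the session. If the second login fails, the open session is still there to undo the change, which is the lockout Marlon hit and the reason Rick suggests a power cycle of an unsaved config as the recovery path.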