AAA confusion - local username access

Answered Question
Sep 4th, 2009

Hey all,


I am a little confused.

I have the following commands on my device:


username blah privilege 15 secret 5 blah!@#$%%
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default stop-only group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+


Everything works fine.

However, when I bring down the TACACS server, I am able to log in to the device with the local username, but it fails when I enter the enable command. How can I have access in case of an emergency where TACACS fails? I have researched online and have tried multiple commands. Is there anything I am missing? I do have an enable secret password configured as well, but I don't even get a chance to enter it. When entering "en" at the > prompt:

% Authentication failed.


Thanks in advance for your help.

My testing has led to frustration.

:)

Correct Answer
Jagdeep Gambhir Sat, 09/05/2009 - 05:21

Hi Geo,

First please give the fall back method for command 0.


aaa authorization commands 0 default group tacacs+


add local


aaa authorization commands 0 default group tacacs+ local


Make sure you are putting in the right enable password; try to reset it and give it a shot.


If the issue is still there, then get the output of debug tacacs and debug aaa authentication.



Regards,

~JG


Do rate helpful posts
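
A check for the gap pointed out in the answer above, as an added example that is not part of the original thread: it scans an IOS configuration for AAA authentication and authorization method lists that name only server groups and no fallback method. The function names and the set of fallback keywords are this example's own choices, and the sample input is the configuration from the question.

```python
import re

# Non-server methods a list can name after its server groups (assumed set for this example).
FALLBACK_METHODS = {"local", "local-case", "enable", "line", "none", "if-authenticated"}

# Constructed sample: the AAA lines from the question (accounting lines omitted).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+
aaa authorization commands 15 default group tacacs+ local
"""

AAA_LINE = re.compile(r"^aaa (authentication|authorization)\s+(.+)$")

def split_methods(tokens):
    """Turn ['group', 'tacacs+', 'local'] into ['group tacacs+', 'local']."""
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append("group " + tokens[i + 1])
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods

def lists_without_fallback(config_text):
    """Return the method-list lines that use server groups and nothing else."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = AAA_LINE.match(line)
        if not m:
            continue
        tokens = m.group(2).split()
        # 'commands <level> <list>' has one more token before the methods start.
        skip = 3 if m.group(1) == "authorization" and tokens[0] == "commands" else 2
        methods = split_methods(tokens[skip:])
        uses_server = any(meth.startswith("group ") for meth in methods)
        if uses_server and not any(meth in FALLBACK_METHODS for meth in methods):
            findings.append(line)
    return findings

if __name__ == "__main__":
    for line in lists_without_fallback(SAMPLE_CONFIG):
        print("no fallback method:", line)
```

Accounting lists are left out on purpose, since the thread's problem concerns authentication and authorization when the TACACS server is unreachable.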




geotech333 Sun, 09/06/2009 - 12:59

Thanks JG.

I completely overlooked that.

Thanks for pointing out.


I will give it a try and post results!

Jagdeep Gambhir Mon, 09/07/2009 - 07:11

Also, please make sure that in ACS, the enable privilege for that user is set to 15.


Let me know how that goes.


Regards,

~JG



Do rate helpful posts




geotech333 Tue, 09/08/2009 - 04:36

That did the trick!


:)


Thanks for your help.

All is working as it should be.
