Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
873
Views
0
Helpful
2
Replies

AAA Command Question

dbarboza27
Level 1
Level 1

‎05-24-2010 10:27 AM - edited ‎03-10-2019 05:09 PM

Hi,

I have a question about AAA commands. In aaa, I have defined the following:


aaa new-model
!
aaa authentication login default group tacacs+ local enable

aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 0 default group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ local if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated

aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
aaa session-id common

line con 0
authorization exec con_acc
login authentication con_acc


Based on that configuration, I guess that the router uses the default method. There is none method called  con_acc either for authentication or authorization, so I understand that when  the router fails to get the method espicified, it has to look for default.

Could some one clarify.

Thanks,

Labels:
0 Helpful
2 Replies 2

Jatin Katyal
Cisco Employee
Cisco Employee

‎05-24-2010 12:01 PM

Doug,


I don't see any method listed created in the mentioned configuration so there is no use of these two commands


authorization exec con_acc
login authentication con_acc


Also, how did you call this method-list when you haven't defined globally. Did you just pick the config from somewhere and posted here or this a part of your running configuration.


I would suggest you to delete the above mentoned commands or create method-list. Also, when users fail the authentication with tacacs server then they can access the device using local username and password if created.


Sh run | in user  <------------------You can check


let me know if you need any further help.


HTH


JK


Do rate helpful posts-

~Jatin
0 Helpful

Jagdeep Gambhir
Level 10
Level 10

‎05-24-2010 12:12 PM

Hi Doug,

Yes, it will use default incase method specified in not available in the config.





Regards,

~JG



Do rate helpful posts

0 Helpful
Customers Also Viewed These Support Documents