AAA Problem when WAN is offline

Answered Question
Dec 20th, 2006

Hi All,

I have a problem at the moment logging into a router while the WAN is offline. TACACS+ works fine when the WAN is up, but when it's down I get prompted for a password, which I enter, and then get "authorisation failed"...

Here is the AAA config:

aaa authentication login default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+

a.kiprawih Wed, 12/20/2006 - 19:31

Try adding 'local' to the end of the line:

aaa authorization exec default group tacacs+ local

The 'local' refers to the local database for authorization.


Correct Answer
Richard Burts Thu, 12/21/2006 - 07:39

Specifying local as a backup method for authorization may get around this problem, but does it not require that local user IDs and passwords be configured? Since the authentication login did not use the local IDs as backup I wonder about the logic of doing this for authorization. I have had good success by configuring authorization like this:

aaa authorization exec default group tacacs+ if-authenticated

which will bypass authorization processing if TACACS is not available and if the user has successfully authenticated.


HTH


Rick
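A worked model of the behaviour discussed in the question and in the two replies, added here as an example; it is not code from the original thread or from Cisco. It walks an AAA method list the way IOS does (the next method is tried only when a method returns ERROR because the server is unreachable, never when it returns FAIL), then runs the poster's original exec authorization line, a.kiprawih's 'local' fallback with no local account configured, and Rick's 'if-authenticated' fallback against a simulated WAN outage. The Router class, the user name "warwick" and the sample passwords are constructed for the example, and the handling of 'local' and 'if-authenticated' is a simplified model of the documented semantics rather than an emulation of IOS.

```python
"""Simplified model of IOS AAA method-list evaluation (constructed example)."""
from dataclasses import dataclass, field

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


@dataclass
class Router:
    tacacs_reachable: bool             # False models the WAN (and TACACS+) being down
    enable_secret: str = "enable-pw"   # constructed sample value
    local_users: dict = field(default_factory=dict)  # username -> password (none by default)
    # Constructed TACACS+ user database; the server authorises every user it knows
    tacacs_users: dict = field(default_factory=lambda: {"warwick": "t@cacs"})


def run_method_list(methods, evaluate):
    """Walk a method list: stop on PASS or FAIL, move on only on ERROR.
    If every method errors out, the request fails (no implicit fallback)."""
    for method in methods:
        result = evaluate(method)
        if result != ERROR:
            return result, method
    return FAIL, None


def authenticate(router, methods, username, password):
    """'aaa authentication login default group tacacs+ enable' style list."""
    def evaluate(method):
        if method == "group tacacs+":
            if not router.tacacs_reachable:
                return ERROR                       # server unreachable -> next method
            return PASS if router.tacacs_users.get(username) == password else FAIL
        if method == "enable":
            if not router.enable_secret:
                return ERROR                       # no enable secret configured
            return PASS if password == router.enable_secret else FAIL
        raise ValueError(f"unmodelled method {method}")
    return run_method_list(methods, evaluate)


def authorize_exec(router, methods, username, authenticated_by):
    """'aaa authorization exec default ...' style list."""
    def evaluate(method):
        if method == "group tacacs+":
            if not router.tacacs_reachable:
                return ERROR
            return PASS if username in router.tacacs_users else FAIL
        if method == "local":
            # Needs a matching 'username ... privilege ...' entry on the router
            return PASS if username in router.local_users else FAIL
        if method == "if-authenticated":
            # Any successful authentication (TACACS+ or enable fallback) is enough
            return PASS if authenticated_by is not None else FAIL
        raise ValueError(f"unmodelled method {method}")
    return run_method_list(methods, evaluate)


def login(router, authn_methods, authz_methods, username, password):
    """Authentication list first, then exec authorization list, as on a VTY login."""
    authn, authn_method = authenticate(router, authn_methods, username, password)
    if authn != PASS:
        return "authentication failed"
    authz, _ = authorize_exec(router, authz_methods, username, authn_method)
    return "exec granted" if authz == PASS else "authorization failed"


AUTHN = ["group tacacs+", "enable"]                    # the poster's login line
AUTHZ_ORIGINAL = ["group tacacs+"]                     # the poster's exec authorization line
AUTHZ_LOCAL = ["group tacacs+", "local"]               # a.kiprawih's suggestion
AUTHZ_IF_AUTH = ["group tacacs+", "if-authenticated"]  # Rick's suggestion


def scenarios():
    """Outcome of each configuration with the WAN up and down."""
    up = Router(tacacs_reachable=True)
    down = Router(tacacs_reachable=False)   # no local users configured, as in the thread
    return {
        "wan up, original": login(up, AUTHN, AUTHZ_ORIGINAL, "warwick", "t@cacs"),
        "wan down, original": login(down, AUTHN, AUTHZ_ORIGINAL, "warwick", "enable-pw"),
        "wan down, wrong enable secret": login(down, AUTHN, AUTHZ_ORIGINAL, "warwick", "guess"),
        "wan down, local, no local user": login(down, AUTHN, AUTHZ_LOCAL, "warwick", "enable-pw"),
        "wan down, if-authenticated": login(down, AUTHN, AUTHZ_IF_AUTH, "warwick", "enable-pw"),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:32} -> {outcome}")
```

The "wan down, original" case reproduces the symptom in the question: authentication falls through to the enable secret and succeeds, but the exec authorization list has nothing after group tacacs+, so the ERROR becomes a failed authorization. The model also shows Rick's point about 'local': with no username entries it fails just the same. One thing to keep in mind with the 'if-authenticated' fix is that during an outage the credential that gets someone to exec is the enable secret, and with accounting pointed only at group tacacs+ those sessions will not reach the server, so the secret deserves the same care as any TACACS+ account.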

warwick.kane Thu, 12/21/2006 - 14:51
Thanks for that Rick, your logic is correct and it has fixed my problem. Much appreciated.
