Cisco Support Community

New Member

AAA Command Question

Hi,

I have a question about AAA commands. In aaa, I have defined the following:


aaa new-model
!
aaa authentication login default group tacacs+ local enable

aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 0 default group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ local if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated

aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
aaa session-id common

line con 0
authorization exec con_acc
login authentication con_acc


Based on that configuration, I guess that the router uses the default method. There is no method called con_acc either for authentication or authorization, so I understand that when the router fails to get the method specified, it has to look for default.

Could someone clarify?

Thanks,

2 REPLIES
Cisco Employee

Re: AAA Command Question

Doug,


I don't see any method list created in the mentioned configuration, so there is no use for these two commands:


authorization exec con_acc
login authentication con_acc


Also, how did you call this method list when you haven't defined it globally? Did you just pick the config from somewhere and post it here, or is this a part of your running configuration?


I would suggest you delete the above-mentioned commands or create the method list. Also, when users fail authentication with the TACACS server, they can access the device using a local username and password, if created.


Sh run | in user  <------------------You can check


let me know if you need any further help.


HTH


JK


Do rate helpful posts-

~BR Jatin Katyal **Do rate helpful posts**

Re: AAA Command Question

Hi Doug,

Yes, it will use default in case the method specified is not available in the config.





Regards,

~JG



Do rate helpful posts
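
An added example, not part of the original thread or any Cisco tool: a small Python audit check that flags line-level references to AAA method lists with no matching global definition, which is the condition the question describes. The sample config is constructed from the lines posted above; the function and variable names are hypothetical.

```python
import re

# Constructed sample: the relevant lines from the configuration in the question.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local enable
aaa authorization console
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
!
line con 0
 authorization exec con_acc
 login authentication con_acc
"""

# Global definitions, e.g. "aaa authentication login <list> <method...>"
GLOBAL_RE = re.compile(
    r"^aaa (authentication login|authorization exec|authorization commands \d+) (\S+) \S")
# Line-level references, e.g. "login authentication <list>"
LINE_RE = re.compile(
    r"^(login authentication|authorization exec|authorization commands \d+) (\S+)$")

def service_key(words):
    """Map the line-level spelling onto the global one so the two can be compared."""
    return "authentication login" if words == "login authentication" else words

def undefined_method_lists(config):
    """Return (line block, service, list name) for each reference lacking a global definition."""
    defined, refs, block = set(), [], None
    for raw in config.splitlines():
        text = raw.strip()  # tolerate configs whose indentation was lost in copy/paste
        if text.startswith("line "):
            block = text
            continue
        g = GLOBAL_RE.match(text)
        if g:
            defined.add((g.group(1), g.group(2)))
            block = None
            continue
        r = LINE_RE.match(text)
        if block and r:
            refs.append((block, service_key(r.group(1)), r.group(2)))
    # Resolve after the full pass so definition order in the file does not matter.
    return [ref for ref in refs if (ref[1], ref[2]) not in defined]

if __name__ == "__main__":
    for block, service, name in undefined_method_lists(SAMPLE_CONFIG):
        print(f"{block}: '{service}' list '{name}' is referenced but not defined")
```
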
