Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

AAA order of Authentication

What do I need to modify or add to the following so the locally defined userid gui_id can succeed when logging into this router at all times even if communication with the TACACS+ server is up. (gui_id does not exist in the TACACS+ server). Order of authentication for other defined user ids and the default group should stay the same. Also, if possible, can the user gui_id be automatically enabled when authenticated and how:

enable secret router_enable

username nst_id privilege 15 password nst_password

username gui_id privilege 15 password gui_password

username solv_id privilege 1 password solv_password

aaa new-model

aaa authentication username-prompt "Local Username: "

aaa authentication login default group tacacs+ local

aaa authorization exec default group tacacs+ if-authenticated

aaa authorization commands 1 default group tacacs+ if-authenticated

aaa authorization commands 15 default group tacacs+ if-authenticated

aaa authorization console

aaa accounting exec default start-stop tacacs+

aaa accounting commands 0 default stop-only tacacs+

aaa accounting commands 1 default stop-only tacacs+

aaa accounting commands 15 default stop-only tacacs+

tacacs-server host xxx.xxx.xxx.xxx

tacacs-server key *******

1 REPLY
New Member

Re: AAA order of Authentication

Unfortunately, it doesn't quite work that way. When a method list is used (in your case, the default method list), then it will user the first method in that list. For your config, the attempt will authenticate against the TACACS+ server. If the TACACS+ server is responsive and actually responds with a reject message, the authentication will not fall back to local and fail the user. This is intended behavior. Only when the TACACS+ server is unresponsive or not sending back valid responses will authentication ever fall back to local.

If the local database was being used due to fallback and you wanted to automatically be placed in enable mode, you need to add "local" to your authorization exec so that shell exec privilege is passed:

aaa authorization exec default group tacacs+ local if-authenticated

Is there a specific need to have your local user gui_id to be able to authenticate at all times? For best practices, your users should all authenticate to tacacs. Only if tacacs goes down should you need to use the local database as a backdoor in this failure scenario.

Sincerely,

Annie

120
Views
0
Helpful
1
Replies
CreatePlease login to create content