AAA Problem when WAN is offline

warwick.kane
Level 1

Hi All,

I have a problem at the moment logging into a router while the WAN is offline. TACACS+ works fine when the WAN is up, but when it's down I get prompted for a password, which I enter, and then get authorisation failed...

Here is the AAA config

aaa authentication login default group tacacs+ enable

aaa authorization config-commands

aaa authorization exec default group tacacs+

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting network default start-stop group tacacs+

aaa accounting connection default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

1 Accepted Solution

Specifying local as a backup method for authorization may get around this problem, but does it not require that local user IDs and passwords be configured? Since the authentication login did not use the local IDs as backup I wonder about the logic of doing this for authorization. I have had good success by configuring authorization like this:

aaa authorization exec default group tacacs+ if-authenticated

which will bypass authorization processing if TACACS is not available and if the user has successfully authenticated.

HTH

Rick



a.kiprawih
Level 7

Try adding 'local' to the end of line:

aaa authorization exec default group tacacs+ local

The 'local' refers to the local database for authorization.

Thanks for that Rick, your logic is correct and it has fixed my problem. Much appreciated.
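
The mismatch discussed in this thread can be caught before an outage by linting the configuration. The following is an added example, not part of the original posts: a small Python check that flags any method list where login authentication has an offline fallback but exec authorization depends on server groups only. It assumes the authentication and authorization lists with the same name are applied to the same lines; the function names and sample strings are constructed for illustration.

```python
import re

# Methods that still work when no AAA server is reachable (standard IOS keywords).
OFFLINE_AUTHN = {"local", "local-case", "enable", "line", "none"}
OFFLINE_AUTHZ = {"local", "if-authenticated", "none"}

def parse_methods(tokens):
    """Collapse 'group <name>' into one method; keep other keywords as-is."""
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append("group " + tokens[i + 1])
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods

def method_lists(config):
    """Return {(service, list_name): [methods]} for login authn and exec authz."""
    lists = {}
    pat = re.compile(r"^aaa (authentication login|authorization exec) (\S+) (.+)$")
    for line in config.splitlines():
        m = pat.match(line.strip())
        if m:
            lists[(m.group(1), m.group(2))] = parse_methods(m.group(3).split())
    return lists

def audit(config):
    """Flag list names where login can fall back offline but exec authorization cannot."""
    lists, findings = method_lists(config), []
    for (service, name), authn in lists.items():
        if service != "authentication login":
            continue
        authz = lists.get(("authorization exec", name))
        if authz is None:
            continue  # no exec authorization configured for this list name
        if OFFLINE_AUTHN & set(authn) and not OFFLINE_AUTHZ & set(authz):
            findings.append(f"list '{name}': login falls back to "
                f"{sorted(OFFLINE_AUTHN & set(authn))} but exec authorization "
                f"has only {authz}; logins fail authorization when servers are down")
    return findings

# Constructed inputs: the two relevant lines from the question, then the accepted fix.
BEFORE = """aaa authentication login default group tacacs+ enable
aaa authorization exec default group tacacs+"""
AFTER = BEFORE + " if-authenticated"

if __name__ == "__main__":
    print(audit(BEFORE))
    print(audit(AFTER))
```
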
