10-27-2003 07:12 AM - edited 03-10-2019 07:32 AM
I thought I had this set up right but when the routers couldn't reach the Tacacs servers, I wasn't able to get console access.
Basically, I want to use Tacacs when it's available. If not, then I want to use the local database to get console and telnet access.
Below is my config:
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
enable secret xxxx
enable password xxxx
!
username xxxx privilege 15 password xxxxx!
!
line con 0
transport input none
line aux 0
line vty 0 4
Thank you...
10-27-2003 08:01 AM
Check out the following link for info on securing the console port using AAA
http://www.cisco.com/en/US/customer/tech/tk583/tk642/technologies_tech_note09186a0080093c81.shtml
Let me know if you still have problems
10-28-2003 10:07 AM
I added login authentication default local for line con 0 and line vty 0 4, but when Tacacs fails I am still unable to access the routers using console and telnet.
Any suggestions?
Thanks...Joy
10-28-2003 01:03 PM
Personally, I think your config is a bit too complicated. If you're going to use authorization command sets, allow ACS to authenticate and authorize enable mode too.
Firstly, take out these lines:
aaa authentication enable default group tacacs+ enable
aaa authorization console
Secondly, change this line:
aaa authorization exec default group tacacs+ local
to
aaa authorization exec default group tacacs+ local if-authenticated
Here is a good sample:
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
Your vty line config is correct, since you want the default authentication mechanism to be tacacs+ and, if it fails, to use local. But if you were not authenticated by tacacs+, you don't want the config to force tacacs+ authorization on you. You only need tacacs+ authorization if you were authenticated by tacacs.
Hope this helps. Let us know the outcome.
Regards - P
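A toy model of the method-list behaviour P describes, added here as an example (it is not from the thread and not IOS code): a later method in a list is tried only when the earlier one returns an error such as an unreachable server, not when it rejects the user, and `if-authenticated` passes any already-authenticated user, while `local` (modelled here as passing only users defined in the local database) does not. The usernames and passwords are constructed.

```python
from enum import Enum

class Result(Enum):
    PASS = "pass"    # method answered: allow
    FAIL = "fail"    # method answered: deny; no further method is tried
    ERROR = "error"  # method could not answer (server unreachable); try next

# Constructed sample databases (hypothetical users, not from the thread).
LOCAL_USERS = {"admin": "localpw"}                   # username ... password ...
TACACS_USERS = {"admin": "acspw", "joy": "acspw"}    # accounts known to ACS only

def run_method_list(methods, user, ctx):
    """Try each method in order; fall through to the next one only on ERROR."""
    for method in methods:
        result = method(user, ctx)
        if result is not Result.ERROR:
            return result
    return Result.FAIL  # every method errored: the request is denied

def tacacs_authn(user, ctx):
    if not ctx["tacacs_up"]:
        return Result.ERROR
    return Result.PASS if TACACS_USERS.get(user) == ctx["password"] else Result.FAIL

def local_authn(user, ctx):
    return Result.PASS if LOCAL_USERS.get(user) == ctx["password"] else Result.FAIL

def tacacs_authz(user, ctx):
    if not ctx["tacacs_up"]:
        return Result.ERROR
    return Result.PASS if user in TACACS_USERS else Result.FAIL

def local_authz(user, ctx):
    # Assumption: the local method passes only for users in the local database.
    return Result.PASS if user in LOCAL_USERS else Result.FAIL

def if_authenticated(user, ctx):
    return Result.PASS if ctx["authenticated"] else Result.FAIL

LOGIN = [tacacs_authn, local_authn]   # aaa authentication login default group tacacs+ local

def session(user, password, tacacs_up_at_login, tacacs_up_later, authz):
    """Return (login_ok, command_ok) for one session under the given command-authorization list."""
    ctx = {"password": password, "tacacs_up": tacacs_up_at_login, "authenticated": False}
    ctx["authenticated"] = run_method_list(LOGIN, user, ctx) is Result.PASS
    if not ctx["authenticated"]:
        return (False, False)
    ctx["tacacs_up"] = tacacs_up_later  # server state when a later command is authorized
    return (True, run_method_list(authz, user, ctx) is Result.PASS)
```

The `tacacs_up_later` flag lets you model a server that was reachable at login but not when a command is authorized, which is where `local` and `if-authenticated` diverge for a user that exists only on the TACACS+ server.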
02-19-2004 01:47 AM
I wasn't the original poster, but I found your post doing a search for the same issue and your info was 'spot on', so I gave you a 5.
Cheers
Steve