
New Member

Getting access when Tacacs fails

I thought I had this set up right, but when the routers couldn't reach the Tacacs servers, I wasn't able to get console access.

Basically, I want to use Tacacs when it's available. If not, then I want to use the local database to get console and telnet access.

Below is my config:

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
enable secret xxxx.
enable password xxxx
!
username xxxx privilege 15 password xxxxx!
!
line con 0
transport input none
line aux 0
line vty 0 4

Thank you...

4 REPLIES
Bronze

Re: Getting access when Tacacs fails

Check out the following link for info on securing the console port using AAA:

http://www.cisco.com/en/US/customer/tech/tk583/tk642/technologies_tech_note09186a0080093c81.shtml

Let me know if you still have problems

New Member

Re: Getting access when Tacacs fails

I added login authentication default local for line con 0 and line vty 0 4, but when Tacacs fails I am still unable to access the routers using console and telnet.

Any suggestions?

Thanks...Joy

Bronze

Re: Getting access when Tacacs fails

Personally, I think your config is a bit too complicated. If you're going to use authorization command sets, allow ACS to authenticate and authorize enable mode too.

Firstly, take out these lines:

aaa authentication enable default group tacacs+ enable
aaa authorization console

Secondly, change this line:

aaa authorization exec default group tacacs+ local

to

aaa authorization exec default group tacacs+ local if-authenticated

Here is a good sample:

aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+

Your vty line config is correct, since you want the default authentication mechanism to be tacacs+ and, if it fails, to use local. But if you were not authenticated by tacacs+, you don't want the config to force tacacs+ authorization on you. You only need tacacs+ authorization if you were authenticated by tacacs.

Hope this helps. Let us know the outcome.

Regards - P
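The point of the advice above is how IOS walks an AAA method list: methods are tried left to right, and the next method is consulted only when the current one returns ERROR (no server reachable), never on an explicit reject. The following Python is an added example, not code from the thread or from Cisco: it parses the `aaa authentication` / `aaa authorization` lines from the original poster's config and from the recommended sample, then predicts each list's outcome when every TACACS+ server is unreachable. The helper names (`parse_aaa`, `walk`, `predict`), the simplifying assumption that a reachable TACACS+ server accepts the user, and the third `NO_FALLBACK_CFG` snippet are my own constructions.

```python
"""Predict what Cisco IOS AAA method lists do when no TACACS+ server answers.

Model of the IOS rule (not Cisco code): a method list is walked left to right,
and IOS moves to the next method only on ERROR (server unreachable); a FAIL
(explicit reject) ends the walk. Helper names are assumptions made for this example.
"""
import re

# aaa <kind> <service> [<level>] <list-name> <methods...>
LINE_RE = re.compile(
    r"^aaa (?P<kind>authentication|authorization) (?P<svc>\S+)"
    r"(?: (?P<level>\d+))? (?P<name>\S+)(?P<rest>.*)$"
)


def parse_methods(rest):
    """'group tacacs+ local' -> ['group tacacs+', 'local']."""
    toks, out, i = rest.split(), [], 0
    while i < len(toks):
        if toks[i] == "group" and i + 1 < len(toks):
            out.append("group " + toks[i + 1])  # keep 'group <name>' as one method
            i += 2
        else:
            out.append(toks[i])
            i += 1
    return out


def parse_aaa(config):
    """Return ({(kind, svc, level, name): [methods]}, authorization_console_flag)."""
    lists, console_authz = {}, False
    for raw in config.splitlines():
        line = raw.strip()
        if line == "aaa authorization console":
            console_authz = True  # exec/command authorization also applies to the console
            continue
        m = LINE_RE.match(line)
        if m:
            lists[(m["kind"], m["svc"], m["level"], m["name"])] = parse_methods(m["rest"])
    return lists, console_authz


def run_method(method, kind, tacacs_up, user_local, authenticated):
    """Outcome of one method: PASS, FAIL or ERROR."""
    if method.startswith("group "):
        return "PASS" if tacacs_up else "ERROR"   # assumption: a reachable server accepts the user
    if method in ("local", "local-case"):
        return "PASS" if user_local else "FAIL"   # local database rejects unknown users
    if method == "if-authenticated" and kind == "authorization":
        return "PASS" if authenticated else "FAIL"
    if method in ("enable", "line", "none"):
        return "PASS"                              # password known; 'none' skips the check
    return "ERROR"                                 # unknown method: treated as unavailable


def walk(methods, kind, tacacs_up, user_local, authenticated=True):
    """Walk a method list; only ERROR falls through to the next method."""
    for m in methods:
        result = run_method(m, kind, tacacs_up, user_local, authenticated)
        if result != "ERROR":
            return result
    return "ERROR"  # every method errored: IOS denies access


def predict(config, tacacs_up=False, user_local=True):
    """Map each list (e.g. 'authorization/commands/15/default') to its outcome."""
    lists, console_authz = parse_aaa(config)
    out = {"/".join(k for k in key if k): walk(methods, key[0], tacacs_up, user_local)
           for key, methods in lists.items()}
    out["authorization console applied"] = console_authz
    return out


# Lines taken from the original poster's config and the recommended sample.
POSTER_CFG = """
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
"""
RECOMMENDED_CFG = """
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
"""
# Constructed for contrast: a list with no method after the TACACS+ group.
NO_FALLBACK_CFG = "aaa authentication login default group tacacs+\n"

if __name__ == "__main__":
    for name, cfg in (("poster", POSTER_CFG), ("recommended", RECOMMENDED_CFG),
                      ("no fallback", NO_FALLBACK_CFG)):
        print(name, predict(cfg))
```

Running it with `tacacs_up=False` shows the difference that matters in this thread: every list that ends in `local`, `enable` or `if-authenticated` still reaches PASS for a user who exists locally, while the constructed list that ends at `group tacacs+` ends in ERROR and access is denied. The `authorization console applied` flag is the reason the responder suggests dropping `aaa authorization console`: with it set, the console is subject to the same authorization walk.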

nxg
New Member

Re: Getting access when Tacacs fails

I wasn't the original poster, but I found your post doing a search for the same issue and your info was 'spot on', so I gave you a 5.

Cheers

Steve
