Cisco Support Community

New Member

Order of authentication

I have the following AAA authentication config:

aaa authentication login default group tacacs+ local

Currently, local authentication doesn't seem to work.  If the tacacs server is unavailable, will local authentication work, or fail?  I'm thinking it will authenticate locally.  I'd like to configure it so that it will only authenticate locally if the tacacs server is unavailable.  Any advice would help.

Cisco Employee

Order of authentication

You are correct, the configuration "aaa authentication login default group tacacs+ local" will work as you describe, i.e. if the TACACS server is not available, it will fall back to local authentication.

It will only fall back to the local database if the TACACS server is not available; if authentication fails through TACACS, the authentication will be unsuccessful and will not fall back to the local DB.

How do you test that the TACACS server is not available? Do you disconnect the TACACS server from the network? Configure an access-list to temporarily block requests to TACACS? Can you also run some debugs to see what it says: "debug aaa authentication"

New Member

Re: Order of authentication

Thanks so much for the reply - I really appreciate it.

I responded below with more detail to rcapao's reply.  I realized that the above initial post was rather terse.  Care to check it out and see if my current interpretation holds up?

Thanks,

John

New Member

Order of authentication

Hi,

Can you put some parts of the configuration?

That is, all the configuration concerning the tacacs?

Thanks,

Rui

New Member

Re: Order of authentication

rcapao wrote:

Hi,

Can you put some parts of the configuration?

That is, all the configuration concerning the tacacs?

Thanks,

Rui

Sure, but some info will need to be redacted:

In NX-OS, the TACACS feature is enabled and configured this way:

tacacs-server key 7
tacacs-server host
tacacs-server host
tacacs-server host
aaa group server tacacs+
    server
    server
    server
    source-interface loopback0

Then the aaa order is defined as:

aaa authentication login default group
aaa authentication login console local

The lines are configured as:

line console
  exec-timeout 15
line vty
  exec-timeout 15

and that's it.

In IOS it's set up this way:

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login no_tacacs group tacacs+ local
aaa authorization exec default group tacacs+ none
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
!
aaa session-id common

The lines are configured like this:

line con 0
 exec-timeout 15 0
line vty 0 4
 exec-timeout 15 0
line vty 5 15
 exec-timeout 15 0

How I read this is that in IOS, local is only used if the TACACS server is unreachable, but I'm not sure what the no_tacacs is for, because it doesn't autoprompt as a keyword in the GNS lab I set up to check it, so I think it's a vestigial remnant from an earlier config.  I don't think the commands configs affect order either, as far as I've been able to tell.  Is that how you read it?

Thanks

John

Hall of Fame Super Silver

Order of authentication

John

The no_tacacs would not auto prompt as a keyword because it is not a keyword. What you have there is a different named list to define a special authentication. If this is configured then I would expect to find somewhere in the config a line that looked something like authentication no_tacacs. You would usually configure a special named list to define an authentication that was different from the default list. In this case the named list specifies the same (tacacs+ local) as the default, and so I do not see the logic in configuring it.

To illustrate what I am talking about, assume that a customer wants their routers configured so that remote access using SSH to the vty ports would authenticate via tacacs with local as a fallback, and they want the console configured so that it authenticates only using a local user ID and password. Then you might have a configuration that looks something like this:

aaa authentication login default group tacacs+ local
aaa authentication login no_tacacs local
line console 0
 login authentication no_tacacs

HTH

Rick
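To make the two rules discussed in this thread concrete (the Cisco employee's point that a method list only moves on to local when the TACACS+ server does not answer, never when it answers with a rejection, and Rick's point that a named list such as no_tacacs only has an effect once a line is bound to it), here is an added simulation of Cisco-style method-list evaluation. It is example code written for this page, not Cisco's implementation and not configuration from anyone in the thread; the method names, the user records and passwords, and the line-to-list binding are constructed assumptions.

```python
"""Simulation of Cisco AAA login method-list evaluation.

Added example (not from the thread or from Cisco). It models the rule stated
in the thread: the next method in a list is tried only when the current method
returns an ERROR (server unreachable), never when it returns FAIL (credentials
rejected). All users, passwords and list names are constructed sample data.
"""
from enum import Enum


class Result(Enum):
    PASS = "pass"    # credentials accepted
    FAIL = "fail"    # a server answered and rejected the credentials
    ERROR = "error"  # no server answered (unreachable / timed out)


# Constructed sample databases; not a real TACACS+ server or local user table.
TACACS_USERS = {"john": "tacacs-pw"}
LOCAL_USERS = {"admin": "local-pw", "john": "local-pw"}


def tacacs_method(user, password, server_reachable):
    """'group tacacs+' method: ERROR if no server answers, otherwise PASS/FAIL."""
    if not server_reachable:
        return Result.ERROR
    return Result.PASS if TACACS_USERS.get(user) == password else Result.FAIL


def local_method(user, password, _server_reachable):
    """'local' method: the local database always answers, so never ERROR."""
    return Result.PASS if LOCAL_USERS.get(user) == password else Result.FAIL


# Method lists mirroring the thread's IOS config and Rick's example (assumed).
METHODS = {"group tacacs+": tacacs_method, "local": local_method}
METHOD_LISTS = {
    "default": ["group tacacs+", "local"],  # vty: TACACS+, local only as fallback
    "no_tacacs": ["local"],                 # console: local only
}
# Which list each line type is bound to (assumed: console uses no_tacacs).
LINE_TO_LIST = {"vty": "default", "console": "no_tacacs"}


def authenticate(line, user, password, server_reachable):
    """Walk the method list bound to `line`; return (Result, deciding method).

    Cisco semantics as described in the thread: move to the next method only on
    ERROR. A PASS or FAIL from any method is final. If every method errors out,
    no method decided and the login is rejected.
    """
    for name in METHOD_LISTS[LINE_TO_LIST[line]]:
        result = METHODS[name](user, password, server_reachable)
        if result is not Result.ERROR:
            return result, name
    return Result.ERROR, None


def demo():
    """Run the constructed scenarios and return the decisions as rows."""
    scenarios = [
        ("vty", "john", "tacacs-pw", True),    # normal TACACS+ login
        ("vty", "john", "local-pw", True),     # valid local pw, but TACACS+ says FAIL
        ("vty", "john", "local-pw", False),    # TACACS+ unreachable -> local decides
        ("console", "admin", "local-pw", True),  # console never consults TACACS+
    ]
    rows = []
    for line, user, pw, up in scenarios:
        result, method = authenticate(line, user, pw, up)
        rows.append((line, user, up, result.name, method))
        print(f"{line:8} {user:6} tacacs_up={up!s:5} -> {result.name:5} decided by {method}")
    return rows


if __name__ == "__main__":
    demo()
```

The row that answers the original question is the second one: a password that is valid in the local database is presented over a vty while the TACACS+ server is up, and the login is rejected, because the server returned FAIL and the list stops there. Only the third row, where the server is unreachable, ever reaches the local method; the console rows never contact TACACS+ at all because the line is bound to the local-only named list.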
