Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4286
Views
0
Helpful
5
Replies

Order of authentication

John Biederstedt
Level 1
Level 1

‎05-20-2012 08:20 PM - edited ‎03-10-2019 07:06 PM

I have the following AAA authentication config:

aaa authentication login default group tacacs+ local

Currently, local authentication doesn't seem to work.  If the tacacs server is unavailable, will local authentication work, or fail?  I'm thinking it will authenticate locally.  I'd like to configure it so that it will only authenticate locally if the tacacs server is unavailable.  Any advice would help.

Labels:
0 Helpful
5 Replies 5

Jennifer Halim
Cisco Employee
Cisco Employee

‎05-20-2012 09:01 PM

You are correct, the configuration "aaa authentication login default group tacacs+ local" will work as you describe, ie: if tacacs server is not available, it will fall back to use local authentication.

It will only fall to use the local database if tacacs server is not available, if authentication failed through tacacs, the authentication will be unsuccessful, not fall to use local DB.

How do you test that tacacs server is not available? do you disconnect the tacacs from the network? configure access-list to temporary block request to tacacs? can you also run some debugs to see what it says "debug aaa authentication"

0 Helpful

John Biederstedt
Level 1
Level 1
In response to Jennifer Halim

‎05-21-2012 08:08 AM

Thanks so much for the reply - I really appreciate it.

I responded below with more detail below to rcapao reply.  I realized that the above initial post was rather terse.  Care to check it out and see if my current interpetation holds up?

Thanks,

John

0 Helpful

rcapao
Level 1
Level 1

‎05-21-2012 03:14 AM

Hy,

Can you put some parts of the configuration?

That is, all the configuration concerning the tacacs?

Thanks,

               Rui

0 Helpful

John Biederstedt
Level 1
Level 1
In response to rcapao

‎05-21-2012 07:58 AM 

rcapao wrote:
Hy,
Can you put some parts of the configuration? 
That is, all the configuration concerning the tacacs?
Thanks,
               Rui

Sure but some info will need to be redacted:

In NxOS, the tacacs feature is enabled and configured this way:

tacacs-server key 7

tacacs-server host

tacacs-server host

tacacs-server host

aaa group server tacacs+

    server

    server

    server

    source-interface loopback0

Then the aaa order is defined as:

aaa authentication login default group

aaa authentication login console local

The lines are configured as:

line console

  exec-timeout 15

line vty

  exec-timeout 15

and that's it.

In IOS it's set up this way:

aaa new-model

aaa authentication login default group tacacs+ local

aaa authentication login no_tacacs group tacacs+ local

aaa authorization exec default group tacacs+ none

aaa authorization commands 1 default group tacacs+ none

aaa authorization commands 15 default group tacacs+ none

!

aaa session-id common

The lines are configured like this:

line con 0

exec-timeout 15 0

line vty 0 4

exec-timeout 15 0

line vty 5 15

exec-timeout 15 0

How I read this is that in IOS local is only used if the tacacs server is unreachable, but I'm not sure what the no_tacacs is for,  because it doesn't autoprompt as a keyword in gns lab I set up to check it, so I think it's a vestigial remain from an earlier config.     I don't think the commands configs affect order either, as far as I've been able to tell.  Is that how you read it?

Thanks

John

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to John Biederstedt

‎05-21-2012 08:55 AM

John

The no_tacacs would not auto prompt as a keyword because it is not a keyword. What you have there is a different named list to define a special authentication. If this is configured then I would expect to find somewhere is the config a line that looked something like authentication no_tacacs. You would usually configure a special named list to define an authentication that was different from the default list. In this case the named list specifies the same (tacacs+ local) as the default and so I do not see the logic in configuring it.

To illustrate what I am talking about assume that a customer wants their routers configured so that remote access using SSH to the vty ports would authenticate via tacacs with local as a fall back and they want the console configured so that it authenticates only using local user ID and password. Then you might have a configuration that looks something like this

aaa authentication login default group tacacs+ local

aaa authentication login no_tacacs  local

line console 0

authentication no_tacacs

HTH

Rick

HTH

Rick
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents