05-20-2012 08:20 PM - edited 03-10-2019 07:06 PM
I have the following AAA authentication config:
aaa authentication login default group tacacs+ local
Currently, local authentication doesn't seem to work. If the tacacs server is unavailable, will local authentication work, or fail? I'm thinking it will authenticate locally. I'd like to configure it so that it will only authenticate locally if the tacacs server is unavailable. Any advice would help.
05-20-2012 09:01 PM
You are correct, the configuration "aaa authentication login default group tacacs+ local" will work as you describe, i.e. if the tacacs server is not available, it will fall back to local authentication.
It will only fall back to the local database if the tacacs server is not available; if authentication fails through tacacs, the authentication will be unsuccessful and will not fall back to the local DB.
How do you test that the tacacs server is not available? Do you disconnect the tacacs server from the network? Configure an access-list to temporarily block requests to tacacs? Can you also run some debugs to see what they say: "debug aaa authentication"?
05-21-2012 08:08 AM
Thanks so much for the reply - I really appreciate it.
I responded below with more detail to rcapao's reply. I realized that the initial post above was rather terse. Care to check it out and see if my current interpretation holds up?
Thanks,
John
05-21-2012 03:14 AM
Hi,
Can you put some parts of the configuration?
That is, all the configuration concerning the tacacs?
Thanks,
Rui
05-21-2012 07:58 AM
rcapao wrote:
Hi,
Can you put some parts of the configuration?
That is, all the configuration concerning the tacacs?
Thanks,
Rui
Sure but some info will need to be redacted:
In NxOS, the tacacs feature is enabled and configured this way:
tacacs-server key 7
tacacs-server host
tacacs-server host
tacacs-server host
aaa group server tacacs+
server
server
server
source-interface loopback0
Then the aaa order is defined as:
aaa authentication login default group
aaa authentication login console local
The lines are configured as:
line console
exec-timeout 15
line vty
exec-timeout 15
and that's it.
In IOS it's set up this way:
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login no_tacacs group tacacs+ local
aaa authorization exec default group tacacs+ none
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
!
aaa session-id common
The lines are configured like this:
line con 0
exec-timeout 15 0
line vty 0 4
exec-timeout 15 0
line vty 5 15
exec-timeout 15 0
How I read this is that in IOS, local is only used if the tacacs server is unreachable, but I'm not sure what the no_tacacs is for, because it doesn't autoprompt as a keyword in the gns lab I set up to check it, so I think it's a vestigial remnant from an earlier config. I don't think the commands configs affect the order either, as far as I've been able to tell. Is that how you read it?
Thanks
John
05-21-2012 08:55 AM
John
The no_tacacs would not auto prompt as a keyword because it is not a keyword. What you have there is a different named list to define a special authentication. If this is configured then I would expect to find somewhere in the config a line that looked something like "authentication no_tacacs". You would usually configure a special named list to define an authentication that was different from the default list. In this case the named list specifies the same (tacacs+ local) as the default, and so I do not see the logic in configuring it.
To illustrate what I am talking about, assume that a customer wants their routers configured so that remote access using SSH to the vty ports would authenticate via tacacs with local as a fallback, and they want the console configured so that it authenticates only using a local user ID and password. Then you might have a configuration that looks something like this:
aaa authentication login default group tacacs+ local
aaa authentication login no_tacacs local
line console 0
 login authentication no_tacacs
HTH
Rick
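To make the fallback rule from the replies above concrete (an unreachable server moves the list on to the next method, a rejected login does not), here is an added Python model of how a method list is walked. It is not Cisco code or anything posted in this thread; the user names and passwords are constructed test data, and it also covers the named no_tacacs list Rick describes and the "none" method from John's authorization lines.

```python
from dataclasses import dataclass

# Method outcomes, modelled on how IOS/NX-OS treats the methods in an AAA list:
#   PASS  - method answered and accepted; FAIL - method answered and rejected
#   (the list stops on either); ERROR - server unreachable, try the next method
PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

@dataclass
class TacacsGroup:
    """Constructed stand-in for 'group tacacs+' with hypothetical server-side users."""
    reachable: bool
    users: dict
    def check(self, user, pw):
        if not self.reachable:
            return ERROR
        return PASS if self.users.get(user) == pw else FAIL

@dataclass
class LocalDb:
    """Constructed stand-in for the 'local' username database."""
    users: dict
    def check(self, user, pw):
        return PASS if self.users.get(user) == pw else FAIL

def method_none(user, pw):
    """'none': no check at all. On an authorization list it grants everything
    as soon as every server in the group is unreachable."""
    return PASS

def run_list(methods, user, pw):
    """Walk a method list in order; return (outcome, method that decided)."""
    for name, check in methods:
        outcome = check(user, pw)
        if outcome != ERROR:
            return outcome, name
    return FAIL, "no-method-reachable"  # every method errored: access denied

def build_lists(tacacs, local):
    """Lists from the thread (authorization reuses check() as a stand-in query):
    aaa authentication login default group tacacs+ local
    aaa authentication login no_tacacs local
    aaa authorization exec default group tacacs+ none"""
    return {
        "login default": [("tacacs+", tacacs.check), ("local", local.check)],
        "login no_tacacs": [("local", local.check)],
        "authz exec default": [("tacacs+", tacacs.check), ("none", method_none)],
    }
```

Run the "login default" list once with the TACACS+ group reachable and once with it down: a local-only account is rejected by the server while it is up and only works once the server cannot answer, which is the behaviour the first reply describes.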