urgent help with AAA

sherrikhan
Level 1

Hi Guys we have following configuration in our devices


aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated

aaa accounting exec default stop-only group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 10 default stop-only group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+


line con 0
exec-timeout 20 0


I need to know the following, if my TACACS fails:

1 - What is enable fallback? I mean, how does it work? I don't remember my enable password.

2 - My desired scenario is: if my TACACS fails, I should use a local username and password. What do I need to change in the AAA? Secondly, do I have to add any line under console? Also, how do I test it in production?


Thanks


4 Replies

Giuseppe Larosa
Hall of Fame

Hello Sherrikhan,

2. >> My desired scenario is if my TACACS fails, i should use local username and password


For this to work, you need to use a different configuration, using the local keyword instead of enable as the second method for login authentication:

aaa authentication login default group tacacs+ local


1. >> i dont remember my enable password

Before TACACS fails you should change the enable password using a TACACS account with privilege 15 rights; otherwise you need to use a password recovery procedure, which is platform dependent and in any case requires physical access to the device (console access is required).


Hope to help

Giuseppe


So do I have to do any configuration on the console? Or if I have the enable password, will I be able to console in? Do I have to remove any configuration, as it says aaa console as well?

Hello Sherrykhan,

With the current configuration, if you know the enable password you should be able to telnet/SSH to the device when the TACACS server fails or is isolated from the network.


Physical access to the console is required for a password recovery procedure, which is needed only if you don't know the enable password.

About the command

aaa authorization console


see the following thread with a very good answer from Rick Burts:

https://supportforums.cisco.com/t5/aaa-identity-and-nac/aaa-authorization-console-command/td-p/1803577


As noted in that thread, the command can cause you problems when the TACACS server is not available.

If the network devices are installed in racks that are closed and a key is required to open the rack, you can consider removing that command.


Hope to help

Giuseppe

larrystover
Level 1

tacacs server <server-name>
address ipv4 <address>
key <key value>
port <port number>

aaa group server tacacs+ <group-name>
server name <server-name-1>
server name <server-name-2>


aaa authentication login default group <group-name> local


Hope this helps.
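The two replies above put together as one working IOS configuration, added here as an illustration and not taken from either poster; the server name, group name, local username, addresses and secrets are placeholders to be replaced:

```cisco
! Local credentials, consulted only when every TACACS+ server in the
! group is unreachable (placeholder values, change before use)
enable secret <local-enable-secret>
username fallback-admin privilege 15 secret <local-password>

! TACACS+ server and server group (names are placeholders)
tacacs server TAC1
 address ipv4 <tacacs-ip>
 key <shared-key>
aaa group server tacacs+ TAC-GROUP
 server name TAC1

! Weak form from the original post: with "enable" as the second method
! the device prompts for the enable password at login when TACACS+ is
! down, so a forgotten enable password means no remote access at all.
! aaa authentication login default group TAC-GROUP enable

! Corrected form: fall back to the local username database.
! A method list moves to the next method only when the server returns
! an ERROR (unreachable); a REJECT from a reachable server never falls
! through to "local", so a wrong TACACS+ password cannot be retried
! against the local user.
aaa authentication login default group TAC-GROUP local
aaa authentication enable default group TAC-GROUP enable

! "if-authenticated" lets a user who was authenticated by the local
! method reach exec and run commands while TACACS+ is unreachable
aaa authorization exec default group TAC-GROUP if-authenticated
aaa authorization commands 15 default group TAC-GROUP if-authenticated

! Checks that do not require waiting for an outage: query the server
! group from the CLI with a known TACACS+ account, then review server
! state and counters (exact output varies by IOS release)
test aaa group TAC-GROUP <tacacs-user> <tacacs-password> legacy
show tacacs
```

Keep an already authenticated session open while applying the change so a typo in the method list cannot lock you out, and confirm the local fallback from a second session only after `test aaa` succeeds.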
