04-11-2018 05:02 AM - edited 03-08-2019 02:36 PM
Hi guys, we have the following configuration in our devices:
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default stop-only group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 10 default stop-only group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
line con 0
exec-timeout 20 0
I need to know the following, if my TACACS fails:
1- What is enable fallback? I mean, how does it work? I don't remember my enable password.
2- My desired scenario is: if my TACACS fails, I should use a local username and password. What do I need to change in the AAA? Secondly, do I have to add any line under console? Thirdly, how do I test it in production?
Thanks
04-11-2018 05:15 AM
Hello Sherrikhan,
2. >> My desired scenario is if my TACACS fails, i should use local username and password
For this to work you need to use a different configuration, using the local keyword instead of enable as the second method for login authentication:
aaa authentication login default group tacacs+ local
1. >> i dont remember my enable password
Before TACACS fails, you should change the enable password using a TACACS account with privilege 15 rights; otherwise you need to use a password recovery procedure that is platform dependent and requires physical access to the device (console access is required in any case).
Hope to help
Giuseppe
04-12-2018 01:03 AM
Hello Sherrykhan,
With the current configuration, if you know the enable password you should be able to telnet/SSH to the device when the TACACS server fails or is isolated from the network.
Physical access to the console is required for a password recovery procedure, which is needed only if you don't know the enable password.
About the command
aaa authorization console
see the following thread with a very good answer from Rick Burts
As noted in that thread the command can cause you problems when the TACACS server is not available.
If the network devices are installed in racks that are closed and a key is required to open the rack, you can consider removing that command.
Hope to help
Giuseppe
04-11-2018 05:31 AM
tacacs server <server-name>
address ipv4 <address>
key <key value>
port <port number>
aaa group server <group-name>
server name <server-name-1>
server name <server-name-2>
aaa authentication login default group <group-name> local
Hope this helps.
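As an added example (not code from the original posts, and not anything Cisco ships), here is a small Python audit of the AAA method lists in an IOS-style config, run against config text constructed from the thread. It flags a login list whose only fallback is enable rather than local, a referenced server group that is never defined with aaa group server, the aaa authorization console line discussed above, and, as a caveat the thread does not mention, a local fallback on a device with no username configured (the local method has nothing to fall back to). fix_login_fallback applies the one-word change the replies recommend. Function names, finding texts and the sample config are my own.

```python
"""Static audit of Cisco IOS-style AAA method lists for a usable fallback
when the TACACS+ server is unreachable.

Added example for this thread; not code from the posts or from Cisco.
"""
import re

BUILTIN_GROUPS = {"tacacs+", "radius"}            # IOS built-in server groups
FALLBACK_METHODS = {"local", "enable", "line", "none"}

# Constructed from the asker's post; not captured from a real device.
ORIGINAL_CONFIG = """\
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
line con 0
 exec-timeout 20 0
"""


def parse_methods(tokens):
    """['group', 'tacacs+', 'enable'] -> [('group', 'tacacs+'), ('enable', None)]"""
    methods, it = [], iter(tokens)
    for tok in it:
        if tok == "group":
            methods.append(("group", next(it, None)))   # 'group' consumes the next token
        else:
            methods.append((tok, None))
    return methods


def audit_aaa(config_text):
    """Return a list of (severity, config_line, message) findings."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    defined_groups = set(BUILTIN_GROUPS)
    has_local_user = False
    findings = []

    # First pass: what server groups and local users exist?
    for line in lines:
        m = re.match(r"aaa group server (?:(?:tacacs\+|radius) )?(\S+)$", line)
        if m:
            defined_groups.add(m.group(1))
        if re.match(r"username \S+ ", line):
            has_local_user = True

    # Second pass: inspect each authentication list and the console line.
    for line in lines:
        m = re.match(r"aaa authentication (login|enable) (\S+) (.+)", line)
        if m:
            kind, _list_name, rest = m.groups()
            methods = parse_methods(rest.split())
            for name, group in methods:
                if name == "group" and group not in defined_groups:
                    findings.append(("error", line, f"server group '{group}' is not defined"))
            fallbacks = [n for n, _ in methods if n in FALLBACK_METHODS]
            if not fallbacks:
                findings.append(("error", line, "no fallback method: lockout if the server is unreachable"))
            elif kind == "login" and "local" not in fallbacks:
                findings.append(("warning", line,
                                 "falls back to the enable password, not a local username/password; use 'local'"))
            elif kind == "login" and not has_local_user:
                # Caveat not stated in the thread: 'local' needs a 'username' entry to work.
                findings.append(("warning", line, "falls back to 'local' but no 'username' is configured"))
            continue
        if line == "aaa authorization console":
            findings.append(("warning", line,
                             "console authorization also goes to the server; the thread notes it can cause problems when the server is unavailable"))
    return findings


def fix_login_fallback(config_text):
    """Replace a trailing 'enable' fallback with 'local' on login lists (the change the replies recommend)."""
    out = []
    for line in config_text.splitlines():
        stripped = line.rstrip()
        if stripped.startswith("aaa authentication login ") and stripped.endswith(" enable"):
            stripped = stripped[: -len("enable")] + "local"
        out.append(stripped)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for sev, line, msg in audit_aaa(ORIGINAL_CONFIG):
        print(f"{sev:7} {line!r}: {msg}")
    print("--- after fix_login_fallback ---")
    print(fix_login_fallback(ORIGINAL_CONFIG))
```

The audit is static: it cannot tell you whether the fallback actually works on the box. That still requires making the server unreachable from a device you can reach over the console, which is the part of the asker's third question the thread does not answer.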