Cisco Support Community

New Member

Configuring AAA to include local auth for Console connections

Recently realized, during a maintenance window, that my AAA configurations are not set to use local authentication if the AAA server is unavailable. Could use a little help in making sure I have the correct setup. Below is what I have configured today:

 

aaa new-model
aaa authentication login default group tacacs+
aaa authentication enable default group tacacs+
aaa authorization auth-proxy default group tacacs+ 
aaa accounting commands 15 default start-stop group tacacs+

 

tacacs-server host x.x.x.x
tacacs-server timeout 120
tacacs-server directed-request
tacacs-server key <key>

Accepted Solution

Okay... if you want that, you're going to need to configure a fallback option on your aaa login and enable authentication lines. Throw a "local" keyword on the end of those and that will get you what you're looking for.

I'm a bit concerned that the "aaa authentication console" isn't showing up in your configuration. It makes me think that it will only survive until the next reload.

Are you running at the latest revision of your IOS version?
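The fallback described in the accepted solution, written out as an added example (not the poster's running config and not Cisco's own documentation). It keeps the poster's lines, adds the fallback methods, and uses placeholders for the local account and secrets; one assumption to note is that on the `aaa authentication enable` list the local fallback keyword is `enable` (the enable secret), since that method list does not accept `local`.

```cisco
! Added example: TACACS+ with local fallback (not the poster's config)
! Assumes a local privilege-15 account exists; names and secrets are placeholders.
aaa new-model
!
! Local credentials, used only when every TACACS+ server is unreachable
username admin privilege 15 secret <local-secret>
enable secret <enable-secret>
!
! Login: try TACACS+ first, then the local user database.
! IOS moves to the next method only on a server ERROR (unreachable/timeout),
! not on a FAIL (wrong password), so a reachable ACS still rejects bad logins.
aaa authentication login default group tacacs+ local
!
! Enable: the fallback here is "enable" (the enable secret); this method
! list does not take the "local" keyword.
aaa authentication enable default group tacacs+ enable
!
! Remaining lines from the original post, unchanged
aaa authorization auth-proxy default group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! From the other reply in this thread: apply AAA authorization on the console too
aaa authorization console
!
! Optional alternative for the poster's second preference (console uses local
! credentials only): a named list bound to line con 0 instead of the default list
aaa authentication login CONSOLE local
line con 0
 login authentication CONSOLE
!
tacacs-server host x.x.x.x
! 120 s as in the original post: the local fallback is only reached after this
! per-server timeout expires, so a console login waits that long when ACS is down.
tacacs-server timeout 120
tacacs-server directed-request
tacacs-server key <key>
```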

8 REPLIES

Just add "aaa authorization console" and you should be good.

New Member

Would I add that as a separate line, or to the current one? Examples:

 

aaa new-model
aaa authentication login default group tacacs+
aaa authentication enable default group tacacs+
aaa authorization auth-proxy default group tacacs+ 
aaa accounting commands 15 default start-stop group tacacs+
aaa authorization console

    OR

aaa new-model
aaa authentication login default group tacacs+
aaa authentication enable default group tacacs+
aaa authorization auth-proxy default group tacacs+ console
aaa accounting commands 15 default start-stop group tacacs+

 

It's a separate line. AAA is disabled on the console by default. Adding that line enables it.

New Member

Hmm, that's interesting. The config I pasted in at the beginning is what I have now, yet my console port is forcing AAA to be used in order to log in.

So a "show run | i aaa authorization console" doesn't show anything, but you're getting the behaviour you wanted? What IOS version are you running? I have a vague memory of some of the older ones not recording that command, but it's been a while.

New Member

Sure thing (see below)! My preference is that the Console port either uses AAA up front and falls back to local credentials if ACS becomes unavailable, or that the Console port only uses local credentials.

 

CORE1#sh run | i aaa authorization console
CORE1#sh run | i aaa
aaa new-model
aaa authentication login default group tacacs+
aaa authentication enable default group tacacs+
aaa authorization auth-proxy default group tacacs+ 
aaa accounting commands 15 default start-stop group tacacs+


New Member

Older 4507s, running 12.2(50)SG3, so not entirely surprised some configs are having issues. Hoping to replace next year.

 

Thanks again for the help!
