Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

How to bypass TACACS on console connection

On a switch with IOS have the following AAA config:

username administrator password xxx

aaa authentication login default group TACACS-Servers local

aaa authentication enable default group TACACS-Servers enable

aaa authorization exec default group TACACS-Servers if-authenticated

aaa authorization commands 15 default group TACACS-Servers if-authenticated

aaa accounting exec default start-stop group TACACS-Servers

aaa accounting commands 15 default start-stop group TACACS-Servers

How do i configure the switch so that the console connection uses the local username instead of TACACS, and TACACS is only used for telnet?

Thanks in advance for the help!

1 ACCEPTED SOLUTION

Accepted Solutions

Re: How to bypass TACACS on console connection

I believe that you will need to create a privilege level associated with your local username and password.

username test privilege 15 password cisco123

Mark

12 REPLIES

Re: How to bypass TACACS on console connection

Gary,

Try adding the "login local" command under line con 0.

HTH,

Mark

Community Member

Re: How to bypass TACACS on console connection

Mark,

That's what i originally planned on doing, but i don't get the login local option under line con 0. I'm assuming it's because of the AAA config that i have.

These are the options under con 0:

line con 0

login ?

authentication Authentication parameters

login authentication ?

WORD Use an authentication list with this name.

default Use the default authentication list.

Re: How to bypass TACACS on console connection

Here's how to set it up with the correct syntax.

aaa authentication login console local

line console 0

login authentication console

HTH,

Mark

Community Member

Re: How to bypass TACACS on console connection

Mark,

That worked and forced me to use local username when connecting to the switch through the console port. The problem that i'm running into now that i use local username and password, it doesn't like the enable password that i'm putting in.

I get the "% Error in authentication." message. Any thoughts?

Thanks,

Gary

Re: How to bypass TACACS on console connection

I believe that you will need to create a privilege level associated with your local username and password.

username test privilege 15 password cisco123

Mark

Hall of Fame Super Gold

Re: How to bypass TACACS on console connection

Gary

Mark has good advice here. The real issue is that while you can split user authentication so that vty uses the authentication server and the console just uses local authentication, when it comes to enable you have only one choice, they both will use the remote authentication server or they will both use local authentication. And if you are going to the remote authentication server but the user authenticated locally, then the authentication server does not know who the user is and whether to admit them to enable mode or not. If you specify the privilege level with the user ID then you should get the functionality that you want.

HTH

Rick

Community Member

Hi Rick,

Hi Rick,

I was trying to do the same thing but for some reason, whatever happens, the switch will try to look for my username and password from the TACACS server and it will never check local database when I type "enable". I tried regular "enable" and "enable 15". I tried to create the same username as the one I have in TACACS locally but changed the password to something different to know where the switch is picking up the "enable auth".

Thanks,

John

aaa authentication login CONSOLE line

aaa authorization exec CONSOLE none

aaa authorization commands 0 CONSOLE none

aaa authorization commands 1 CONSOLE none

aaa authorization commands 15 CONSOLE none

 

line con 0

authorization exec CONSOLE

login authentication CONSOLE

authorization commands 0 CONSOLE

authorization commands 1 CONSOLE

authorization commands 15 CONSOLE

Hall of Fame Super Gold

I believe that your issue is

I believe that your issue is that you have specified authentication using line. This will look for a password configured on the console and not for your ID. Change it to aaa authentication login CONSOLE local and let us know if it works better. 

HTH

rick

Community Member

Thanks for the reply Rick.

Thanks for the reply Rick.

Apparently it is already asking for username and password after hitting enable.

When accessing the switch through console, our objective is to just use the line con 0 password which is working, aaa authentication login CONSOLE line and login authentication console combo.

We are hoping that if we hit enable, it will use the enable secret password instead but since we are using "aaa authentication enable default group tacacs+ enable", it is still looking for TACACS. So after hitting enable, it asks for username/password combo instead of just password which is the enable secret.

Also, isn't that the switch will check what was stated under "aaa authen enable" instead of "aaa authen login" when hitting "enable" command?

I haven't tried to simulate what you're saying as the PC I am using to go through console is dead and need someone to boot it up for me.

Thanks,

John

Hall of Fame Super Gold

John

John

I understood your first post to indicate that you wanted to login with your ID. I now understand that your question is about enable authentication. Please consider what I said in a previous post in this thread about enable authentication. You can configure enable authentication to use tacacs with local as an alternative/backup method. But when you authenticate it will try the primary and use the backup only if primary fails. 

If you want to get to enable on the console and bypass tacacs I have two suggestions each of which mean that anyone who logs in on console will be in enable mode which might be acceptable or might not. 

- on the console configure privilege level 15

- configure your local account to have privilege level 15. Change the console authentication to use local and not line. And be sure that the console has authorization local. 

HTH

Rick

Community Member

Thanks again Rick. Yes I have

Thanks again Rick. Yes I have tried the privilege level 15 earlier and after the line console password when connecting, it will immediately jump to privilege mode. Thank you so much for you inputs.

Hall of Fame Super Gold

John

John

you are welcome. Both of my suggestions have some down side but they are as close as I can come to what you really want. Unfortunately there is not a way to bypass tacacs if tacacs is working. 

HTT

Rick

6395
Views
15
Helpful
12
Replies
CreatePlease to create content