On a switch with IOS I have the following AAA config:
username administrator password xxx
aaa authentication login default group TACACS-Servers local
aaa authentication enable default group TACACS-Servers enable
aaa authorization exec default group TACACS-Servers if-authenticated
aaa authorization commands 15 default group TACACS-Servers if-authenticated
aaa accounting exec default start-stop group TACACS-Servers
aaa accounting commands 15 default start-stop group TACACS-Servers
How do I configure the switch so that the console connection uses the local username instead of TACACS, and TACACS is only used for telnet?
Thanks in advance for the help!
That's what I originally planned on doing, but I don't get the login local option under line con 0. I'm assuming it's because of the AAA config that I have.
These are the options under con 0:
line con 0
authentication Authentication parameters
login authentication ?
WORD Use an authentication list with this name.
default Use the default authentication list.
Here's how to set it up with the correct syntax.
aaa authentication login console local
line console 0
login authentication console
That worked and forced me to use the local username when connecting to the switch through the console port. The problem that I'm running into now that I use the local username and password is that it doesn't like the enable password that I'm putting in.
I get the "% Error in authentication." message. Any thoughts?
Mark has good advice here. The real issue is that while you can split user authentication so that vty uses the authentication server and the console just uses local authentication, when it comes to enable you have only one choice, they both will use the remote authentication server or they will both use local authentication. And if you are going to the remote authentication server but the user authenticated locally, then the authentication server does not know who the user is and whether to admit them to enable mode or not. If you specify the privilege level with the user ID then you should get the functionality that you want.
I was trying to do the same thing but for some reason, whatever happens, the switch will try to look for my username and password from the TACACS server and it will never check local database when I type "enable". I tried regular "enable" and "enable 15". I tried to create the same username as the one I have in TACACS locally but changed the password to something different to know where the switch is picking up the "enable auth".
aaa authentication login CONSOLE line
aaa authorization exec CONSOLE none
aaa authorization commands 0 CONSOLE none
aaa authorization commands 1 CONSOLE none
aaa authorization commands 15 CONSOLE none
line con 0
authorization exec CONSOLE
login authentication CONSOLE
authorization commands 0 CONSOLE
authorization commands 1 CONSOLE
authorization commands 15 CONSOLE
I believe that your issue is that you have specified authentication using line. This will look for a password configured on the console and not for your ID. Change it to aaa authentication login CONSOLE local and let us know if it works better.
Thanks for the reply Rick.
Apparently it is already asking for username and password after hitting enable.
When accessing the switch through console, our objective is to just use the line con 0 password, which is working with the aaa authentication login CONSOLE line and login authentication console combo.
We are hoping that if we hit enable, it will use the enable secret password instead but since we are using "aaa authentication enable default group tacacs+ enable", it is still looking for TACACS. So after hitting enable, it asks for username/password combo instead of just password which is the enable secret.
Also, isn't it that the switch will check what was stated under "aaa authen enable" instead of "aaa authen login" when hitting the "enable" command?
I haven't tried to simulate what you're saying, as the PC I am using to go through console is dead and I need someone to boot it up for me.
I understood your first post to indicate that you wanted to login with your ID. I now understand that your question is about enable authentication. Please consider what I said in a previous post in this thread about enable authentication. You can configure enable authentication to use tacacs with local as an alternative/backup method. But when you authenticate it will try the primary and use the backup only if primary fails.
If you want to get to enable on the console and bypass tacacs I have two suggestions each of which mean that anyone who logs in on console will be in enable mode which might be acceptable or might not.
- on the console configure privilege level 15
- configure your local account to have privilege level 15. Change the console authentication to use local and not line. And be sure that the console has authorization local.
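Putting Mark's named-list syntax and Rick's second suggestion together, here is an added example of a complete configuration (not from any post in this thread) that keeps the default lists on the vty lines for TACACS and gives the console a local-only login, authorization and a privilege 15 local account so no enable authentication against TACACS is needed. Server addresses, keys and passwords are placeholders, and the TACACS server definition is assumed to already exist on the switch in some form.

```cisco
! Local account used only from the console. Placeholder secrets, replace before use.
! privilege 15 plus local exec authorization lands the user in enable mode directly,
! so the console never touches "aaa authentication enable default" (which only has a
! default list and cannot be split per line).
username administrator privilege 15 secret LOCAL-PASSWORD-PLACEHOLDER
enable secret ENABLE-SECRET-PLACEHOLDER
!
aaa new-model
! Assumed server group definition (IOS 15.x syntax); adjust to the existing one.
tacacs server TAC1
 address ipv4 192.0.2.10
 key TACACS-KEY-PLACEHOLDER
aaa group server tacacs+ TACACS-Servers
 server name TAC1
!
! Default method lists: TACACS first, local database as fallback if TACACS is unreachable.
aaa authentication login default group TACACS-Servers local
aaa authentication enable default group TACACS-Servers enable
aaa authorization exec default group TACACS-Servers if-authenticated
aaa authorization commands 15 default group TACACS-Servers if-authenticated
aaa accounting exec default start-stop group TACACS-Servers
aaa accounting commands 15 default start-stop group TACACS-Servers
!
! Named method lists for the console: local database only, TACACS is never consulted.
! "local" (not "line") is required so the username is checked, not a line password.
aaa authentication login CONSOLE local
aaa authorization exec CONSOLE local
aaa authorization commands 15 CONSOLE local
!
line con 0
 login authentication CONSOLE
 authorization exec CONSOLE
 authorization commands 15 CONSOLE
!
! vty lines (telnet) explicitly bound to the default lists, i.e. TACACS.
line vty 0 4
 login authentication default
 authorization exec default
 authorization commands 15 default
```

The trade-off Rick describes still applies: anyone who authenticates on the console with this local account is placed straight into privilege 15, so the console password and physical access to the port are what protect enable mode there.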
Thanks again Rick. Yes, I have tried the privilege level 15 earlier, and after the line console password when connecting, it will immediately jump to privileged mode. Thank you so much for your inputs.
You are welcome. Both of my suggestions have some downside, but they are as close as I can come to what you really want. Unfortunately there is not a way to bypass tacacs if tacacs is working.