topic Can't establish local login/authorization on 6500's in Network Access Control

Can't establish local login/authorization on 6500's

ckilday — Mon, 11 Mar 2019 03:08:13 GMT

I have a need to allow a small group of users temporary level-15 access to several 6500

switches (running 12.2-33 SXJ2 code), but do not want to provide them with the enable secret password which is used on the

rest of the network (over 1200 devices). I tried to eliminate AAA using the "no aaa new-model" command, but was told I could not remove aaa while there were active sessions, and "login local" no longer appeared as an option for vty lines. So, I created a local user database called "support" which I used to replace the "group" entry in the authentication and authorization sections of our AAA config and for login on vty 0 4.

[The username is given a privilege level of 15 along with an individual password for authentication. (ex. username jsmith privilege 15 password 0 xxxxx)]

I modified our AAA configuration to support local login, but was unable to establish "enable mode" (i.e. # prompt) with any account. I

can login locally, but only to a normal "user mode" (i.e. > prompt).

Here is the current, unmodified and sanitized config for our AAA and line vty 0 4 sections. Please tell me what needs

to stay and what needs to go. Thank you!

P.S.: for security reasons, we want to track individual activity, so need the accounting portion of aaa to stay.

aaa new-model
aaa group server tacacs+ XXXXXX
server xxx.xxx.xxx.xxx
server xxx.xxx.xxx.xxx
!
aaa authentication login default group XXXXXX enable
aaa authentication enable default enable
aaa authorization exec default group XXXXXX none
aaa authorization commands 15 default if-authenticated
aaa authorization network default group XXXXXX none
aaa authorization network MLPPP-PPP none
aaa authorization network MLPPP none
aaa accounting exec default start-stop group XXXXXX
aaa accounting commands 15 default start-stop group XXXXXX
aaa accounting network default start-stop group XXXXXX
aaa accounting connection default start-stop group XXXXXX
aaa accounting system default start-stop group XXXXXX
!
line vty 0 4
access-class 75 in
exec-timeout 15 0
privilege level 0
password 7 xxxxxxxxxxxxxxxxxxx
transport input ssh

Can't establish local login/authorization on 6500's

nspasov — Fri, 01 Mar 2013 17:09:01 GMT

I will probably need more info before I can provide more help but from I am seeing in the snip-it, you have aaa configured and your AAA server is a TACACS+ server. If that is the case you should keep in mind the following:

1. If the authentication/authorization commands are referencing the TACACS+ group then you will need to add "local" at the end of the command. This will allow local accounts to be used when the AAA server is down/unreachable

2. Keep in mind that the local users will ONLY be used when the AAA server is down/unreachable. You cannot have a mixture of both

Side question, since you have a TACACS+ server, why don't you just create temporary accounts directly on the TACACS+ server vs local accounts? You can get very granular that way and only permit certain commands on certain devices, during certain time of the day, etc...

Hope this helps and thank you for rating!

Can't establish local login/authorization on 6500's

Amjad Abdullah — Tue, 05 Mar 2013 07:45:01 GMT

Great answer Neno. +5.

Users authenticating from AAA with Priv-Level 15 will not need to provide the enable secret password (just do the correct config on ACS).

Rating useful replies is more useful than saying "Thank you"