topic Re: Tacacs and local users AAA in Network Access Control

Tacacs and local users AAA

bendali10 — Mon, 11 Mar 2019 02:53:52 GMT

hi.

i have many types of cisco devices such as:

* catalyst's switches (2960, 3560, 2950,4500 chassis, etc... )

* Nexus 5548.

* Nexus 7000.

* Nexus 4K.

i have configure a tacas server and it works fine.

but i have many problems:

1. when i login with a tacacs user it logs me in without exec mode (enable mode).

2. i want to be able to login via console with a local username and password (even when the tacacs server is alive).

3. for now i have configured only the Catalyst's Switches. but i dont know the proper commands to the Nexus OS's (5k, 7k, i understand that the configuration between the nexus models is different..)...

i am testing all the environment with a "test switch" (Catalyst 2960) my current configuration is:

aaa new-model

aaa authentication login default group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa authorization console

aaa authorization exec default group tacacs+ local

aaa authorization commands 15 default group tacacs+ local

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting connection default start-stop group tacacs+

aaa session-id common

ip default-gateway 1.1.1.1

ip http server

ip http secure-server

tacacs-server host 1.1.1.2

tacacs-server key 7 1427171F09161A2E2A08

tacacs server TACACS-SRV

line con 0

line vty 0 4

transport input ssh

line vty 5 15

end

Any suggestions?

Tacacs and local users AAA

kcnajaf — Sun, 16 Dec 2012 14:28:52 GMT

Hi Bendali,

Try below modifcations.

1. when i login with a tacacs user it logs me in without exec mode (enable mode).

I thought your existing configuration would have taken you to enable mode. Since it is not try reconfiguring the aaa as below to go tor enable mode

no aaa authentication login default group tacacs+ local

aaa authentication login TACACS group tacacs+ local
line vty 0 4

login authentication TACACS

2. I want to be able to login via console with a local username and password (even when the tacacs server is alive)

To use local console login modify configuration as below

username Cisco priv 15 password Cisco

line console 0

login local

3. for now i have configured only the Catalyst's Switches. but i dont know the proper commands to the Nexus OS's

A typical confogiration for Nexus 7k looks as below.

aaa group server tacacs+ AAA-Server
aaa authentication login default group AAA-Server

feature tacacs+
ip tacacs source-interface Vlan2
tacacs-server host [ip address] key 7 "TEST"
aaa group server tacacs+ TacServer
server [ip address]
use-vrf
aaa authentication login default group TacServer
tacacs-server directed-request

Hope this helps.

Regards

Najaf

Please rate when applicable or helpful !!!

Re: Tacacs and local users AAA

bendali10 — Sun, 16 Dec 2012 14:57:48 GMT

1. i have change the TACACS group to TACACS-SRV and it works fine but still not in exec mode (enable mode)

2. i try to configure "login local" under "line con 0" but it shows:

AAA: Warning authentication list "local" is not defined for LOGIN.

i wanted him to use the "Cisco" user under login local but it didnt help..

what does it means?

3. in the config command: ip tacacs source-interface Vlan2.

what does it means?

Tacacs and local users AAA

kcnajaf — Sun, 16 Dec 2012 15:51:45 GMT

Hi,

Which version of IOS you are running.

1) Try adding another line as below

aaa authentication login TACACS group tacacs+ local

no aaa authentication login default group tacacs+ local

aaa authentication login TACACS group tacacs+ local
line vty 0 4

login authentication TACACS

Hope you are configuring this in the same line order.

2) Try modifying config as below

aaa authentication login no_tacacs local

line con 0

login authentication no_tacacs

3) This command ensures the tacacs request is orginated from vlan 2 in this case. For your configuration you will have find the right interface and put in there instead of vlan 2. Please be aware that what ever interface ip address which you are using here should be added as aaa client on the ACS server.

Hope that helps.

Regards

Najaf

Re: Tacacs and local users AAA

bendali10 — Sun, 16 Dec 2012 15:59:15 GMT

i am running IOS 15.0(2)SE

1. yes i am posting that in the same order.

when i try to add "no aaa authentication login default group tacacs+ local" it shows me:

Authentication method list update failed!!

2. when i try " login authentication no_tacacs"

it shows me:

AAA: Warning authentication list "no_tacas" is not defined for LOGIN.

3. thanks for the verification.

ben

Tacacs and local users AAA

kcnajaf — Sun, 16 Dec 2012 16:37:42 GMT

Hi Ben,

I would request to wipe all aaa configuration (use no aaa new-model) and apply one by one in below order.

username Cisco priv 15 password Cisco

aaa new-model

aaa authentication login no_tacacs local

aaa authentication login TACACS group tacacs+ local

line con 0

login authentication no_tacacs

line vty 0 4

login authentication TACACS

Let me know how is goes.

Regards

Najaf

Re: Tacacs and local users AAA

bendali10 — Tue, 18 Dec 2012 13:27:34 GMT

Hi Najaf.

sorry for the Deelay.i was OOO (out of office).

ok so i did what you posted and it works. i am able to login with local user thru CONSOLE and i am able to login thru SSH with a tacacs user..but i have some questions:

1. when i loggen in ith a local or a tacas user i'm still not in exec mode.

2. before i configure those commands when i login with a tacacs user the "enable" password was the tacacs user password. and right now the enable password is the "local enable secret".why?

3. i created in the tacacs server two user groups with a different permissions and when i am logged in with one of the both group users they have the same permissions (before this config i tested it and there was a difference between the users that are member of two different groups in the tacacs server...).

4. what happends to the accounting on the tacacs server? because in this config i dont have any configuration about "aaa accounting"?

Regards...

ben

Re: Tacacs and local users AAA

kcnajaf — Mon, 24 Dec 2012 09:48:26 GMT

Hi Ben,

I didnt notice your reply. Sorry for that.

For point 1 could you please provide full aaa configuration currently you are using.

For point 2 you could additional command which will enable you to use your tacacs password from ACS.

aaa authentication enable default tacacs+ enable

For point 3 im not sure why this is happening? What access permission you have restricted between users of both groups.

For point 4 you need to enable "aaa accouting"

Regards

Najaf

Re: Tacacs and local users AAA

bendali10 — Mon, 24 Dec 2012 12:54:55 GMT

Hi Najaf.

1. I configured all what you recommended. But I will insert all my current configuration in the bottom of this post.

2. I configured the “aaa authentication enable default tacacs+ enable” and it works fine and use the user password to switch to “enable mode”. But when I login with the Cisco user via CONSOLE it doesn’t let me to use the local enable secret.it shows me “User does not belong to specified group”.

3. I have created 2 groups in the tacacs server:

Cisco admin group
Cisco RO group (RO=read only)

The “cisco admin group” - have the highest level permissions and can execute every command.

The cisco RO group – can switch to “enable mode” and from “enable mode” to disable mode”. He also can run all the “show” commands but cant execute any other command such as “reload”, “dir”, “wr” etc…

I have tested it and it was working before I configure the last commande you recommended.

4. Thanks. I will configure the accounting according to the authentication methods.

My current config is:

Current configuration : 1989 bytes

version 15.0

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

hostname tacacs_Switch

boot-start-marker

boot-end-marker

enable secret 4 lkdsjfklfjsdlkfjs4823748!@#$@#498fhsflkjfs

username admin privilege 15 password 7 XXXXXXXXXXXXXXXXX

username Cisco privilege 15 password 7 XXXXXXXXXXXXX

aaa new-model

aaa authentication login no_dce-mgmt00 local

aaa authentication login dce-mgmt00 group tacacs+ local

aaa session-id common

system mtu routing 1500

no ip domain-lookup

ip domain-name test.local

spanning-tree mode pvst

spanning-tree extend system-id

vlan internal allocation policy ascending

ip ssh rsa keypair-name sshkeys

interface FastEthernet0/1

interface FastEthernet0/2

interface FastEthernet0/3

interface FastEthernet0/4

interface FastEthernet0/5

interface FastEthernet0/6

interface FastEthernet0/7

interface FastEthernet0/8

interface FastEthernet0/9

interface FastEthernet0/10

interface FastEthernet0/11

interface FastEthernet0/12

interface FastEthernet0/13

interface FastEthernet0/14

interface FastEthernet0/15

interface FastEthernet0/16

interface FastEthernet0/17

interface FastEthernet0/18

interface FastEthernet0/19

interface FastEthernet0/20

interface FastEthernet0/21

interface FastEthernet0/22

interface FastEthernet0/23

interface FastEthernet0/24

interface GigabitEthernet0/1

description upplink to HP switch

interface GigabitEthernet0/2

interface Vlan1

description tacacs ip switch ip

ip address 1.1.1.10 255.255.255.0

ip default-gateway 1.1.1.1

ip http server

ip http secure-server

tacacs server dce-mgmt00

address ipv4 1.1.1.2

key 7 0034161201493B030101

line con 0

login authentication no_dce-mgmt00

line vty 0 4

login authentication dce-mgmt00

transport input ssh

line vty 5 15

end

Ben

Re: Tacacs and local users AAA

kcnajaf — Mon, 24 Dec 2012 14:24:54 GMT

Hi Ben,

For the console access you have to use the username and password associated with the username Cisco if you are trying to autheticate using that credentials. If you try to use the enable secret it will not work. You have configured the Cisco username as privellage level 15 and hence this will not ask you enable password when you try to login to console since this username already have level 15 privellage.

For point 3 could be brief which command are you refering here? "I have tested it and it was working before I configure the last commande you recommended"

Please try after removing this command and see if that works as expected.

Regards

Najaf

Re: Tacacs and local users AAA

bendali10 — Mon, 24 Dec 2012 14:43:39 GMT

Hi.

Unfortunately when i login thru CONSOLE with the user "Cisco" it still logs mm in "disabled mode" and to switch to exec mode i must use the "enable password" even that i configured the Cisco user to privilege 15.

for point 3. i tested two users on the switch.

each user is a member of a different group.

user A1 is member of "cisco admin group" and user B2 is member of "cisco RO group".

before i configured the following commands you recommended I was not able to run the “reload” command with the user B2 (and that’s was good because these are one of the restrictions of the group).but after I configured these commands he can run the “reload” or any command that should be restricted to this users because he is a member of “cisco RO group” (in the tacacs server).

username Cisco priv 15 password Cisco

aaa new-model

aaa authentication login no_tacacs local

aaa authentication login TACACS group tacacs+ local

line con 0

login authentication no_tacacs

line vty 0 4

login authentication TACACS

only user that is a member of “cisco admin groups” should have the permissions to run any commands and not users from “cisco RO groups”.

Suggestions?

Regards

Ben

Re: Tacacs and local users AAA

kcnajaf — Tue, 25 Dec 2012 02:56:07 GMT

Hi Ben,

For point 1 which version of IOS you are running? This should work as expectedand not sure why this is not working for you. Also i'm not sure what you meant here by "it still logs mm in "disabled mode"".

For point 3 you could try setting authetrization with below commands.

aaa authorization exec default group tacacs+ local

aaa authorization commands 15 default group tacacs+ local

Regards

Najaf

Re: Tacacs and local users AAA

bendali10 — Wed, 26 Dec 2012 14:06:18 GMT

my switch version:

Switch Ports Model SW Version SW Image

------ ----- ----- ---------- ----------

* 1 26 WS-C2960-24TT-L 15.0(2)SE C2960-LANBASEK9-M

for point 3 i tried to run the last commands but it didnt reach our goal..

Regards.

ben

Tacacs and local users AAA

Andre Toms — Wed, 20 Mar 2013 19:11:32 GMT

On the tacacs server (if youre running in linux anyway) you need to set privilege 15 for the admin group or user you have configured. Here is a snippet of my configuration for example:

group = lv15 {

default service = permit

service = shell {

default command = permit

default attribute = permit

set priv-lvl = 15

}

Here you can see that it specifically sets ANY USER WHO MATCHES THIS GROUP to privilege level 15. This ties into an LDAP backend where users are added to the group that they need to be in.