topic Tacacs+ Authorization in Network Access Control

Tacacs+ Authorization

DenyAnyAny — Mon, 11 Mar 2019 02:42:49 GMT

Hi,

how to tell the Cisco Tacacs to only authorize users that have been authenticated by it and not by any other method? e.g. switchs are authenticating users locally and authorizing them against the tacacs server, how to prevent this?

Regards

Tacacs+ Authorization

jenny conlan — Tue, 23 Oct 2012 20:15:59 GMT

You can specify this by adding:

aaa authorization commands default group “ACS Server group name” local

That tells it to authorize by querying a specified ACS server group first; if no reply then it will use the local database

Tacacs+ Authorization

mauzamor — Tue, 23 Oct 2012 22:21:23 GMT

Hi there Maik,

This can be accomplish using "named list", for example let's say that your VTY users will use the ACS for authentication and authorization but the users who access the Console port should use authentication only against local switch database with no authorization, so we do the following:

aaa new-model

tacacs-server X.X.X.X key cisco123

aaa authentication login myacs group tacacs+

aaa authentication login mylocal local

aaa authorization commands 15 mylocalautho group tacacs+

aaa authorization config-command

line console 0

line vty 0 14

authorization command 15 mylocalautho

You can play with this and use different combinations for this feature depending on your requirements, let me know if you have any question about it.

Tacacs+ Authorization

DenyAnyAny — Wed, 24 Oct 2012 15:31:18 GMT

Hi together,

so here my config:

aaa authentication login default group tacacs+ line

aaa authentication enable default group tacacs+ enable

aaa authorization console

aaa authorization exec default group tacacs+ local

aaa authorization commands 1 default local group tacacs+ local

aaa authorization commands 15 default local group tacacs+ local

I have some local users with no password but with rsa-key:

username user1 privilege 15 nopassword

ip ssh pubkey-chain

username user1

key-hash ssh-rsa 9C4B0195499D69FED5B01C8DC70CED19

quit

user1 exists also on the ACS. When user1 tries to login, the switch authenticates it locally based on the ssh-rsa key, but authorizes it against the ACS. Strangely the ACS assumes that the user was authenticated by it. Is it possible to prevent this?

Tacacs+ Authorization

mauzamor — Wed, 24 Oct 2012 15:45:57 GMT

According with your configuration "aaa authentication login default group tacacs+ line" you are saying that all the authentication types (ssh, telnet, console) are going to use the TACACS+ server for authentication as the primary authentication method, if the TACACS+ server is down the next method is the line password, no local. I don't see any AAA command pointing the authentication to the Local switch database.

So I don't think the switch is authenticating the user, seems like the authentication request is going to the ACS server, can you verify if after the user is authenticated you have a successful passed authentication in the ACS?

Tacacs+ Authorization

DenyAnyAny — Thu, 25 Oct 2012 09:02:13 GMT

I don't find any authentication entry but an authorization one!