topic Order of authentication in Network Access Control

Order of authentication

John Biederstedt — Mon, 11 Mar 2019 02:06:19 GMT

I have the following AAA authentication config:

aaa authentication login default group tacacs+ local

Currently, local authentication doesn't seem to work. If the tacacs server is unavailable, will local authentication work, or fail? I'm thinking it will authenticate locally. I'd like to configure it so that it will only authenticate locally if the tacacs server is unavailable. Any advice would help.

Order of authentication

Jennifer Halim — Mon, 21 May 2012 04:01:26 GMT

You are correct, the configuration "aaa authentication login default group tacacs+ local" will work as you describe, ie: if tacacs server is not available, it will fall back to use local authentication.

It will only fall to use the local database if tacacs server is not available, if authentication failed through tacacs, the authentication will be unsuccessful, not fall to use local DB.

How do you test that tacacs server is not available? do you disconnect the tacacs from the network? configure access-list to temporary block request to tacacs? can you also run some debugs to see what it says "debug aaa authentication"

Order of authentication

rcapao — Mon, 21 May 2012 10:14:51 GMT

Hy,

Can you put some parts of the configuration?

That is, all the configuration concerning the tacacs?

Thanks,

Rui

Re: Order of authentication

John Biederstedt — Mon, 21 May 2012 14:58:37 GMT

rcapao wrote:

Hy,

Can you put some parts of the configuration?

That is, all the configuration concerning the tacacs?

Thanks,

Rui

Sure but some info will need to be redacted:

In NxOS, the tacacs feature is enabled and configured this way:

tacacs-server key 7

tacacs-server host

aaa group server tacacs+

server

source-interface loopback0

Then the aaa order is defined as:

aaa authentication login default group

aaa authentication login console local

The lines are configured as:

line console

exec-timeout 15

line vty

exec-timeout 15

and that's it.

In IOS it's set up this way:

aaa new-model

aaa authentication login default group tacacs+ local

aaa authentication login no_tacacs group tacacs+ local

aaa authorization exec default group tacacs+ none

aaa authorization commands 1 default group tacacs+ none

aaa authorization commands 15 default group tacacs+ none

aaa session-id common

The lines are configured like this:

line con 0

exec-timeout 15 0

line vty 0 4

exec-timeout 15 0

line vty 5 15

exec-timeout 15 0

How I read this is that in IOS local is only used if the tacacs server is unreachable, but I'm not sure what the no_tacacs is for, because it doesn't autoprompt as a keyword in gns lab I set up to check it, so I think it's a vestigial remain from an earlier config. I don't think the commands configs affect order either, as far as I've been able to tell. Is that how you read it?

Thanks

John

Re: Order of authentication

John Biederstedt — Mon, 21 May 2012 15:08:25 GMT

Thanks so much for the reply - I really appreciate it.

I responded below with more detail below to rcapao reply. I realized that the above initial post was rather terse. Care to check it out and see if my current interpetation holds up?

Thanks,

John

Order of authentication

Richard Burts — Mon, 21 May 2012 15:55:24 GMT

John

The no_tacacs would not auto prompt as a keyword because it is not a keyword. What you have there is a different named list to define a special authentication. If this is configured then I would expect to find somewhere is the config a line that looked something like authentication no_tacacs. You would usually configure a special named list to define an authentication that was different from the default list. In this case the named list specifies the same (tacacs+ local) as the default and so I do not see the logic in configuring it.

To illustrate what I am talking about assume that a customer wants their routers configured so that remote access using SSH to the vty ports would authenticate via tacacs with local as a fall back and they want the console configured so that it authenticates only using local user ID and password. Then you might have a configuration that looks something like this

aaa authentication login default group tacacs+ local

aaa authentication login no_tacacs local

line console 0

authentication no_tacacs

HTH

Rick