topic Re: AAA Command Question in Network Access Control

AAA Command Question

dbarboza27 — Mon, 11 Mar 2019 00:09:35 GMT

Hi,

I have a question about AAA commands. In aaa, I have defined the following:

aaa new-model
!
aaa authentication login default group tacacs+ local enable

aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 0 default group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ local if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated

aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
aaa session-id common

line con 0
authorization exec con_acc
login authentication con_acc

Based on that configuration, I guess that the router uses the default method. There is none method called con_acc either for authentication or authorization, so I understand that when the router fails to get the method espicified, it has to look for default.

Could some one clarify.

Thanks,

Re: AAA Command Question

Jatin Katyal — Mon, 24 May 2010 19:01:42 GMT

Doug,

I don't see any method listed created in the mentioned configuration so there is no use of these two commands

authorization exec con_acc
login authentication con_acc

Also, how did you call this method-list when you haven't defined globally. Did you just pick the config from somewhere and posted here or this a part of your running configuration.

I would suggest you to delete the above mentoned commands or create method-list. Also, when users fail the authentication with tacacs server then they can access the device using local username and password if created.

Sh run | in user <------------------You can check

let me know if you need any further help.

HTH

Do rate helpful posts-

Re: AAA Command Question

Jagdeep Gambhir — Mon, 24 May 2010 19:12:13 GMT

Hi Doug,

Yes, it will use default incase method specified in not available in the config.

Regards,

~JG

Do rate helpful posts