topic So now I am using aaa in Network Access Control

ACS 5.8 startup questions

Florin Barhala — Mon, 11 Mar 2019 06:24:42 GMT

Hi guys,

Just starting this ACS implementation and hope I can clear up some upfront questions.

ACS version : 5.8.0.32; I have joined it to our AD and created an authorization policy on the Default Device Admin tab.

Then moved to one of our switches (2960X running 15.0(2)EX5) and added the following config:

tacacs server ACS
address ipv4 172.17.17.132
key 7 07157014185A11541D21392B0D
timeout 1

aaa new-model
aaa authentication login TACACS_AUTH group tacacs+ local
aaa authentication login LOCAL_DB local

aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+

aaa authorization exec default local group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ local
aaa authorization config-commands

line console 0
login authentication LOCAL_DB

line vty 0 15
login authentication TACACS_AUTH

Here's what I got:

1. If I use aaa authorization exec default local group tacacs+ if-authenticated I get my AD user put to privilege 15. If instead I switch the authorization order to aaa authorization exec default group tacacs+ local if-authenticated as I would think it make sense I get my AD user on privilege 1.

2. We're using SecureCRT for some time now and for any SSH session it saved our passwords (authentication is currently done via NPS Radius server). But for this test switch which uses TACACS it asks for my password every time. Anyone encountered similar behavior? Each of our SSH sessions in Secure CRT uses first Password authentication method.

1. With this command "aaa

Jatin Katyal — Thu, 21 Jan 2016 15:39:20 GMT

1. With this command "aaa authorization exec default local group tacacs+ if-authenticated - your local database will be checked first and if user not found there then after around 30 seconds it will be queries against the tacacs server. If-authenticated has no requirement for access to ACS, its just a local config, saying, Allows the user to access the requested function if the user is authenticated. It's letting your user to land on privilege 15 because your user have level 15 privilege. With this command - aaa authorization exec default group tacacs+ local if-authenticated - you are checking first against tacacs and you most likely not pushing shell:profile with priv 15 for the user. As a best practice, I'd suggest you to configure aaa authorization exec default group tacacs+ if-authenticated

2. Check this - > https://forums.vandyke.com/showthread.php?t=11944

- Jatin

Thanks for the feedback!

Florin Barhala — Thu, 21 Jan 2016 15:49:22 GMT

Thanks for the feedback!

Let's see:

1. If I am to use aaa authorization exec default group tacacs+ if-authenticated along with existing:

aaa authentication login TACACS_AUTH group tacacs+ local

username florin privilege 15 secret etc3435

and ACS server is not available, what privilege is the local user going to get?

Next to that, if ACS is reachable and I pick instead just aaa authorization exec default group tacacs+ what's the drawback here?

2. I was using by default Password authentication method on Secure CRT. I found somewhere that I should switch to Keyboard interactive instead (as the 1st method), still at this point I am not sure this is a Secure CRT issue or ACS&Test_switch poor configuration issue.

1. You should use the same

Jatin Katyal — Sat, 23 Jan 2016 21:59:37 GMT

1. You should use the same list for login authentication and exec authorization. If ACS server is not available, the user will get privilege 15 because for the local user you've privilege 15 defined on the device database.

If ACS is reachable and you have aaa authorization exec default group tacacs+ then shell-priv=15 will be sent by tacacs and user will get privilege 15.

2. As far as SecureCRT is concerned, try Putty / Putty Session manager to eliminate the issue.

HTH

~ Jatin

So now I am using aaa

Florin Barhala — Thu, 28 Jan 2016 08:42:35 GMT

So now I am using aaa authorization exec default group tacacs+ if-authenticated and it works fine.

Now I am left with this issue:

- first time on the day I login on the switch I receive "bad password" and have to reenter it

- for about 20-30 minutes if I connect to the equipment password is not required.

- if I exceed 30 minutes, when I login I am again prompted for password although "save password" option is always enabled.

Now this happens for my username: fbarhala@rom.ourdomain.com

So I created a test user: testACS@ourdomain.com. And believe it or not I am not asked to enter the password at any time.

Last but not least the ACS has joined ourdomain.com and as you can think rom.ourdomain.com is serviced by another DC place on a different location.

Any suggestion here?

For the first issue, if you

Jatin Katyal — Sun, 31 Jan 2016 17:17:12 GMT

For the first issue, if you see a bad password on the IOS then check what tacacs has to say about it.

I'm not sure if this issue is related with SecureCRT because I've never seen this issue with AAA. Check if SecureCRT or AD has some password policy that suspend the user for 30 mins after x number of failed attempts.

User shouldn't face any issues while authenticating against ACS as long as both domains have 2-way trust established.

~ Jatin