topic Tacacs Fallback and console login in Network Access Control

Tacacs Fallback and console login

m.steinhoff — Sun, 10 Mar 2019 21:59:20 GMT

Hello,

I am trying to create a tacacs config that will make sure that when you log onto the console you do not get tacacs and that we are on line login and local enable. If connectivity to the tacacs server is lost, the login for telnet defaults to the line password and uses the local enable password.

My config:

aaa authentication login default group tacacs+ line

aaa authentication login CONSOLE line

aaa authentication enable default group tacacs+ enable

aaa authorization exec default group tacacs+ if-authenticated

aaa authorization exec CONSOLE none

aaa authorization commands 1 default if-authenticated

aaa authorization commands 15 default if-authenticated

aaa authorization commands 1 CONSOLE none

aaa authorization commands 15 CONSOLE none

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting connection default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

line con 0

password xxxxx

authorization exec CONSOLE

end

Thanks

msteinhoff

Re: Tacacs Fallback and console login

Richard Burts — Thu, 15 Feb 2007 14:57:39 GMT

msteinhoff

Your config looks pretty good to me. For telnet authentication it should use tacacs and if tacacs is not available it will use the line password. The console will not use tacacs for authentication and will use the line password. Both telnet and console will use tacacs to authenticate enable and will fall back to the locally configured enable/enable secret if tacacs is not available.

Mostly I think the configuration of authorization is fine. I would suggest one minor fine tuning. Instead of:

aaa authorization exec CONSOLE none

I would suggest this:

aaa authorization exec CONSOLE if-authenticated

HTH

Rick

Re: Tacacs Fallback and console login

daviddtran — Thu, 15 Feb 2007 16:51:32 GMT

This is exactly what you need:

aaa authentication login notac none

aaa authentication login VTY group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa authorization console

aaa authorization config-commands

aaa authorization exec default group tacacs+ group tacacs+

aaa authorization exec notac none

aaa authorization exec VTY group tacacs+ if-authenticated none

aaa authorization commands 0 VTY group tacacs+ if-authenticated none

aaa authorization commands 1 VTY group tacacs+ if-authenticated none

aaa authorization commands 15 VTY group tacacs+ if-authenticated none

aaa authorization network VTY group tacacs+ if-authenticated none

aaa accounting exec TAC start-stop group tacacs+

aaa accounting exec VTY start-stop group tacacs+

aaa accounting commands 0 TAC start-stop group tacacs+

aaa accounting commands 0 VTY start-stop group tacacs+

aaa accounting commands 1 TAC start-stop group tacacs+

aaa accounting commands 1 VTY start-stop group tacacs+

aaa accounting commands 10 TAC start-stop group tacacs+

aaa accounting commands 15 TAC start-stop group tacacs+

aaa accounting commands 15 VTY start-stop group tacacs+

aaa accounting network VTY start-stop group tacacs+

aaa accounting connection TAC start-stop group tacacs+

line con 0

exec-timeout 0 0

authorization exec notac

accounting commands 0 VTY

accounting commands 1 VTY

accounting commands 15 VTY

accounting exec VTY

logging synchronous

line vty 0 15

exec-timeout 0 0

authorization commands 0 VTY

authorization commands 1 VTY

authorization commands 15 VTY

authorization exec VTY

accounting commands 0 VTY

accounting commands 1 VTY

accounting commands 15 VTY

accounting exec VTY

transport input ssh

This will give very fine control on what user(s) can and can not do. I use this configuration with Freeware TACACS and it

works wonder for me.

Good luck.

David

CCIE Security