topic Re: AAA Problem when WAN is offline in Network Access Control

AAA Problem when WAN is offline

warwick.kane — Sun, 10 Mar 2019 21:53:28 GMT

Hi All,

I have a problem at the moment logging into a router while the WAN is offline. TACACS+ works fine when the WAN is up but when its down i get prompted for a password which i enter and then get authorisation failed...

Here is the AAA config

aaa authentication login default group tacacs+ enable

aaa authorization config-commands

aaa authorization exec default group tacacs+

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting network default start-stop group tacacs+

aaa accounting connection default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

Re: AAA Problem when WAN is offline

a.kiprawih — Thu, 21 Dec 2006 03:31:03 GMT

Try adding 'local' to the end of line:

aaa authorization exec default group tacacs+ local

The 'local' refers to the local database for authorization.

Re: AAA Problem when WAN is offline

Richard Burts — Thu, 21 Dec 2006 15:39:02 GMT

Specifying local as a backup method for authorization may get around this problem, but does it not require that local user IDs and passwords be configured? Since the authentication login did not use the local IDs as backup I wonder about the logic of doing this for authorization. I have had good success by configuring authorization like this:

aaa authorization exec default group tacacs+ if-authenticated

which will bypass authorization processing if TACACS is not available and if the user has successfully authenticated.

HTH

Rick

Re: AAA Problem when WAN is offline

warwick.kane — Thu, 21 Dec 2006 22:51:09 GMT

Thanks for that Rick, Your logic is correct and it has fixed my problem. Much appreicated.