topic Tacacs Authorization in Network Access Control

Tacacs Authorization

jharper2 — Thu, 01 Mar 2018 21:56:59 GMT

Below is my current tacacs configuration. I am trying to configure my ASR which is running Cisco IOS XR ver 5.3.3. I am trying to configure my device for when the tacacs server is unavailable I can still log in and make configurations. When I input the configuration I receive an error and I am not sure why.

Tacacs Config:

aaa accounting exec default start-stop group tacacs+

aaa accounting commands default stop-only group tacacs+

aaa authorization exec default group tacacs+ local

aaa authorization commands 0 group tacacs+

aaa authorization commands 1 group tacacs+

aaa authorization commands 15 group tacacs+

aaa authorization commands default group tacacs+

aaa authorization eventmanager default local

aaa authorization eventmanager tcluser local

aaa authentication login default group tacacs+ local

Error:

#aaa authorization commands default group tacacs+ local

% Invalid input detected at '^' marker.

Re: Tacacs Authorization

hslai — Fri, 02 Mar 2018 00:41:42 GMT

If you've already validated that no syntax issue, then please consult with the support team for the ASR or Cisco IOS XR. It might be a bug in that platform.

Re: Tacacs Authorization

danielsai — Fri, 02 Mar 2018 02:33:09 GMT

Hi Justin,

I believe the syntax on ASR have to be

" aaa authorization commands 15 default group tacacs+ local " or

" aaa authorization commands 0 default group tacacs+ local "

Got to put enable level.

Regards,

Sai

Re: Tacacs Authorization

hslai — Fri, 02 Mar 2018 04:24:44 GMT

Sai is correct. On Cisco IOS or the like, the commands are associated with run levels. If you have customized commands to some specific levels, then just follow the same syntax to add the additional run levels.

Re: Tacacs Authorization

jharper2 — Fri, 02 Mar 2018 15:27:58 GMT

I have validated the syntax issue. And I have tried adding the local group to the enable levels I still get an error. Below is the output from the syntax validation:

aaa authorization commands default group tacacs+ group local

(config)#commit

% Failed to commit one or more configuration items during a pseudo-atomic operation. All changes made have been reverted. Please issue 'show configuration failed [inheritance]' from this session to view the errors

(config)#show configuration failed

!! SEMANTIC ERRORS: This configuration was rejected by

!! the system due to semantic errors. The individual

!! errors with each failed configuration command can be

!! found below.

aaa authorization commands default group tacacs+ group local

!!% An invalid method was specified in the message or required configuration is missing: %AAA-3-ILLEGALNAME: Illegal authorization server-group name "local" rejected

end

Re: Tacacs Authorization

hslai — Fri, 02 Mar 2018 17:15:47 GMT

If it working without "local", then it seems in that particular IOS-XR release and ASR platform combination does not support local for "default". I do not think you need that anyway if all the run-levels are explicitly specified.