https://community.cisco.com/t5/network-access-control/aaa-authorization-local/m-p/3372889#M545184 <P>Hi,</P> <P>I need to make sure that my understanding is correct.</P> <P>I have below configuration on Cisco IOS:</P> <P>&nbsp;</P> <P style="padding-left: 30px;">aaa authentication login default none<BR />aaa authentication login secure_ group tacacs+ group radius local<BR />aaa authorization exec default none<BR />aaa authorization exec secure_ group tacacs+ group radius local</P> <P style="padding-left: 30px;">&nbsp;</P> <P>The authentication and authorization order is 1) TACACS+; 2) RADIUS; 3) Local. Is it correct?</P> <P>Then, if the TACACS+ server is down, it will fallback to RADIUS, isn't it?</P> <P>And when RADIUS is also down, it will use local username, correct?</P> <P>Also, I don't use 'if-authenticated' command on authorization above because there is local as the last option fallback. Is it okay?</P> <P>&nbsp;</P> <P>Thank you</P> Fri, 21 Feb 2020 18:54:25 GMT Arie -- 2020-02-21T18:54:25Z https://community.cisco.com/t5/network-access-control/aaa-authorization-local/m-p/3372889#M545184 <P>Hi,</P> <P>I need to make sure that my understanding is correct.</P> <P>I have below configuration on Cisco IOS:</P> <P>&nbsp;</P> <P style="padding-left: 30px;">aaa authentication login default none<BR />aaa authentication login secure_ group tacacs+ group radius local<BR />aaa authorization exec default none<BR />aaa authorization exec secure_ group tacacs+ group radius local</P> <P style="padding-left: 30px;">&nbsp;</P> <P>The authentication and authorization order is 1) TACACS+; 2) RADIUS; 3) Local. Is it correct?</P> <P>Then, if the TACACS+ server is down, it will fallback to RADIUS, isn't it?</P> <P>And when RADIUS is also down, it will use local username, correct?</P> <P>Also, I don't use 'if-authenticated' command on authorization above because there is local as the last option fallback. Is it okay?</P> <P>&nbsp;</P> <P>Thank you</P> Fri, 21 Feb 2020 18:54:25 GMT https://community.cisco.com/t5/network-access-control/aaa-authorization-local/m-p/3372889#M545184 Arie -- 2020-02-21T18:54:25Z https://community.cisco.com/t5/network-access-control/aaa-authorization-local/m-p/3372909#M545185 <P>I'm not sure why you have these 2 commands if you want to be authenticated against TACACS+, then radius and then local if the prior method is not available. The below listed command will not authenticate user due to default list.</P> <P>&nbsp;</P> <P>aaa authentication login default none</P> <P>aaa authorization exec default none</P> <P>&nbsp;</P> <P>regarding "if-authenticated" read <A title="this" href="https://supportforums.cisco.com/t5/aaa-identity-and-nac/if-authenticated/td-p/1248124" target="_self">this</A></P> <P>&nbsp;</P> Wed, 25 Apr 2018 15:40:45 GMT https://community.cisco.com/t5/network-access-control/aaa-authorization-local/m-p/3372909#M545185 Jatin Katyal 2018-04-25T15:40:45Z https://community.cisco.com/t5/network-access-control/aaa-authorization-local/m-p/3373257#M545186 <P>Hi,</P> <P>I'm sorry. Let me put the complete configuration</P> <P>&nbsp;</P> <P>&nbsp;</P> <PRE>aaa authentication login default none aaa authentication login secure_ group tacacs+ group radius local aaa authorization exec default none aaa authorization exec secure_ group tacacs+ group radius local aaa accounting exec default start-stop group tacacs+ group radius aaa accounting exec secure_ start-stop group tacacs+ group radius line con0 line vty 0 15 login authentication secure_ authorization exec secure_ accounting exec secure_</PRE> <P>I have another question regarding with configuration above, if I put "aaa authorization console", does it enable authorization on console automatically?</P> <P>&nbsp;</P> <P>Thank you</P> Thu, 26 Apr 2018 03:34:53 GMT https://community.cisco.com/t5/network-access-control/aaa-authorization-local/m-p/3373257#M545186 Arie -- 2018-04-26T03:34:53Z