topic Re: Problems with AAA Authorization on console in Network Access Control

Problems with AAA Authorization on console

russell.sage — Fri, 13 Nov 2020 12:24:00 GMT

I have read a number of posts and tested a number of them. Due to Cisco deprecating the legacy tacacs-server host command

I have come up with a new config. However, when I add the line in red access via the console is cut-off.

This is on a 9200L switch running 16.12.4

aaa new-model

aaa group server tacacs+ TACACS_GROUP

server name TACACS_SERVER_1

ip tacacs source-interface Vlan3

aaa authentication login default group TACACS_GROUP local

aaa authentication login CON group tacacs+ line

aaa authentication enable default group TACACS_GROUP enable

aaa authorization console

aaa authorization exec default group TACACS_GROUP if-authenticated

aaa authorization commands 1 default group TACACS_GROUP local if-authenticated

aaa authorization commands 15 default group TACACS_GROUP local if authenticated

aaa accounting exec default start-stop group TACACS_GROUP

aaa accounting commands 1 default start-stop group TACACS_GROUP

aaa accounting commands 15 default start-stop group TACACS_GROUP

aaa accounting connection default start-stop group TACACS_GROUP

aaa session-id common

tacacs server TACACS_SERVER_1

address ipv4 x.x.x.x

key 7 ****************************

timeout 2

single-connection

line con 0

exec-timeout 15 0

password 7 **************************

authorization exec CON

transport output none

escape-character 3

stopbits 1

Re: Problems with AAA Authorization on console

balaji.bandi — Fri, 13 Nov 2020 13:32:56 GMT

When you say " console is cut-off. " is that mean you conjfiguring this config using Console ?

after you add that config, what username and password you using to Loging, first ACACS_GROUP if that fail Local

aaa authentication login CON group tacacs+ local

here is soem diag tips :

https://www.cisco.com/c/en/us/support/docs/security-vpn/terminal-access-controller-access-control-system-tacacs-/10384-security.html

Re: Problems with AAA Authorization on console

russell.sage — Fri, 13 Nov 2020 13:42:50 GMT

Yes I mean I am testing from the console port on the switch and when I add the authorization config in red any further commands fail authorization as the switch doesn't have connectivity to the TACACs server.

Historically we haven't used a username and password for console access just a password under the line con 0 configuration.

I have added a username and password and will try adding the local word to the CON profile

Re: Problems with AAA Authorization on console

balaji.bandi — Fri, 13 Nov 2020 14:14:26 GMT

Good you processing, let us know what was the outcome after changing.

Re: Problems with AAA Authorization on console

Aref Alsouqi — Sat, 14 Nov 2020 17:29:20 GMT

I think that is expected in your case as you seem to have applied the wrong authorization method list to the console line. Based on the configs you shared, you used the default method list for authorization exec, so you should use that method list on the console line. Also, I would add the if-authenticated keyword to the authorization exec line to allow the already authenticated users to interact with the device in case the TACACS server is not reachable.

line con 0

no authorization exec CON

authorization exec default

Re: Problems with AAA Authorization on console

russell.sage — Mon, 16 Nov 2020 07:48:55 GMT

Hi

I tried what you suggested but as soon as I added the aaa authorization console I am locked out

Re: Problems with AAA Authorization on console

Aref Alsouqi — Tue, 24 Nov 2020 18:04:43 GMT

Do you mean you could not issue any commands post applying those commands? if so, you would need to log out and log back into the device. Try that please and let us know if it works.