<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: how to test AAA device administration without getting locked out? in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/how-to-test-aaa-device-administration-without-getting-locked-out/m-p/4521317#M571819</link>
    <description>&lt;P&gt;Just an additional note on top of what &lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/158532"&gt;@Arne Bier&lt;/a&gt; stated... most Cisco switches will only fall back to local auth if complete connectivity fails to the configured RADIUS/TACACS+ servers. If the switch can reach the ISE PSN and receive an ACCESS_REJECT (as would be the case when disabling RADIUS/TACACS settings for the NAD), the switch will treat this as an auth failure and not fall back to local auth. This can also cause big problems if you misconfigure command authorisation.&lt;/P&gt;
&lt;P&gt;You would need a way to block TACACS+/RADIUS traffic between the switch and ISE PSNs to cause connectivity to fail and time out so that the switch falls back to local authentication/authorisation.&lt;/P&gt;
&lt;P&gt;Another common approach when configuring AAA remotely with no console access, and one I used many years ago during my CCIE Security lab exam, is the following:&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;Save the configuration&lt;/LI&gt;
&lt;LI&gt;Issue the 'reload in &amp;lt;min&amp;gt;' command to schedule an automatic reload of the switch in case of lockout&lt;/LI&gt;
&lt;LI&gt;Apply your AAA configuration and open a second separate SSH session to test it&lt;/LI&gt;
&lt;LI&gt;If the configuration works as expected, issue the 'reload cancel' command to cancel the scheduled shutdown&lt;/LI&gt;
&lt;LI&gt;Save the updated configuration&lt;/LI&gt;
&lt;/OL&gt;</description>
    <pubDate>Mon, 20 Dec 2021 01:59:10 GMT</pubDate>
    <dc:creator>Greg Gibbs</dc:creator>
    <dc:date>2021-12-20T01:59:10Z</dc:date>
    <item>
      <title>how to test AAA device administration without getting locked out?</title>
      <link>https://community.cisco.com/t5/network-access-control/how-to-test-aaa-device-administration-without-getting-locked-out/m-p/4521116#M571809</link>
      <description>&lt;P&gt;I am playing with TACACS/RADIUS device administration; sometimes I configure the authentication / authorization as RADIUS / TACACS or a mix of both. How can I configure AAA to fall back to the local method in case I have an issue with a misconfiguration? If I get locked out, I want to use the internal user on the switch instead. Is this possible?&lt;/P&gt;</description>
      <pubDate>Sun, 19 Dec 2021 10:59:57 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/how-to-test-aaa-device-administration-without-getting-locked-out/m-p/4521116#M571809</guid>
      <dc:creator>SMD28316</dc:creator>
      <dc:date>2021-12-19T10:59:57Z</dc:date>
    </item>
    <item>
      <title>Re: how to test AAA device administration without getting locked out?</title>
      <link>https://community.cisco.com/t5/network-access-control/how-to-test-aaa-device-administration-without-getting-locked-out/m-p/4521256#M571814</link>
      <description>&lt;P&gt;There are two approaches you can take&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;1) Add the "local" keyword to certain aaa commands which will be used if the aaa server (radius or tacacs) does not respond. If your aaa config is wrong or gets messed up, causing you to be locked out of the IOS, then simply disable the tacacs/radius option for that device in ISE, which will cause ISE to not respond to the device - then the local user in IOS will be used. That always works.&lt;/P&gt;
&lt;PRE&gt;aaa authentication login default group aaa &lt;FONT color="#FF0000"&gt;local&lt;/FONT&gt;
aaa authorization exec default group aaa &lt;FONT color="#FF0000"&gt;local&lt;/FONT&gt; if-authenticated
&lt;/PRE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;2) Use IOS Method Lists in aaa and line statements. Method Lists allow you to define multiple versions of the same aaa command, and then apply specific versions of the command to the vty and con lines. E.g. a method list called "MYTACACS" that uses a TACACS+ Group can be applied to vty 0 - 4 - but for the console line you assign a different method list like "LOCALCONSOLE" where the aaa auth and author is using local users only.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;PRE&gt;aaa authentication login default group aaa local
aaa authentication login &lt;FONT color="#FF0000"&gt;CONSOLE&lt;/FONT&gt; none
aaa authorization exec default group aaa local if-authenticated
aaa authorization exec &lt;FONT color="#FF0000"&gt;CONSOLE&lt;/FONT&gt; none
!
!
line con 0
 authorization exec CONSOLE
 login authentication CONSOLE
line aux 0
line vty 0 4
 exec-timeout 0 0
 transport input all
 transport output all
&lt;/PRE&gt;</description>
      <pubDate>Sun, 19 Dec 2021 21:43:56 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/how-to-test-aaa-device-administration-without-getting-locked-out/m-p/4521256#M571814</guid>
      <dc:creator>Arne Bier</dc:creator>
      <dc:date>2021-12-19T21:43:56Z</dc:date>
    </item>
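The method-list design in the answer above, written out as one complete TACACS+ device-administration configuration. This is an added example, not configuration from the original thread or from Cisco or ISE documentation: the server names, addresses, group name, method-list names and the break-glass username are assumed placeholders, and the shared secret and passwords are placeholders to replace. It differs from the posted snippet in two deliberate ways: the console line uses a local method list instead of `none`, so a console cable is not an authentication bypass, and it adds command authorization and accounting, which is where a server that answers with a reject (rather than timing out) will block you even though `local` and `if-authenticated` are configured.

```cisco
! Added example: TACACS+ device administration with local fallback.
! Names, addresses and secrets below are placeholders (assumptions).
aaa new-model
!
! Local break-glass account and enable secret. These are consulted only
! when every server in the group fails to answer (timeout); a server
! that answers with a REJECT is a failed login, not a fallback.
username breakglass privilege 15 secret REPLACE-WITH-STRONG-PASSWORD
enable secret REPLACE-WITH-STRONG-ENABLE
!
tacacs server ISE-PSN1
 address ipv4 192.0.2.11
 key REPLACE-WITH-SHARED-SECRET
 timeout 5
tacacs server ISE-PSN2
 address ipv4 192.0.2.12
 key REPLACE-WITH-SHARED-SECRET
 timeout 5
!
aaa group server tacacs+ ISE-TACACS
 server name ISE-PSN1
 server name ISE-PSN2
!
! Remote (vty) sessions: TACACS+ first, local only if the whole group
! times out. if-authenticated lets an authenticated user keep the exec
! and run commands when the servers are unreachable; it does nothing
! when a reachable server denies the command.
aaa authentication login VTY-AUTH group ISE-TACACS local
aaa authorization exec VTY-AUTHZ group ISE-TACACS local if-authenticated
aaa authorization commands 15 VTY-CMDS group ISE-TACACS if-authenticated
!
! Console: local credentials only. "none" would make physical access
! equal to full access and is better kept for lab use.
aaa authentication login CONSOLE-AUTH local
aaa authorization exec CONSOLE-AUTHZ local
!
! Accounting to the same group so a successful lockout recovery via the
! break-glass account still leaves a trail once the servers are back.
aaa accounting exec default start-stop group ISE-TACACS
aaa accounting commands 15 default start-stop group ISE-TACACS
!
line con 0
 login authentication CONSOLE-AUTH
 authorization exec CONSOLE-AUTHZ
line vty 0 4
 login authentication VTY-AUTH
 authorization exec VTY-AUTHZ
 authorization commands 15 VTY-CMDS
 transport input ssh
```

`group aaa` in the posted snippet is a named server group of the same kind as `ISE-TACACS` here; `group tacacs+` (or `group radius`) instead selects every server of that protocol configured on the box. The per-server `timeout` matters for the fallback path: with two servers the break-glass login only succeeds after both timeouts have expired, so very long timeouts make the "simply disable the device in ISE" recovery feel like a hang rather than a fallback.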
    <item>
      <title>Re: how to test AAA device administration without getting locked out?</title>
      <link>https://community.cisco.com/t5/network-access-control/how-to-test-aaa-device-administration-without-getting-locked-out/m-p/4521317#M571819</link>
      <description>&lt;P&gt;Just an additional note on top of what &lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/158532"&gt;@Arne Bier&lt;/a&gt; stated... most Cisco switches will only fall back to local auth if complete connectivity fails to the configured RADIUS/TACACS+ servers. If the switch can reach the ISE PSN and receive an ACCESS_REJECT (as would be the case when disabling RADIUS/TACACS settings for the NAD), the switch will treat this as an auth failure and not fall back to local auth. This can also cause big problems if you misconfigure command authorisation.&lt;/P&gt;
&lt;P&gt;You would need a way to block TACACS+/RADIUS traffic between the switch and ISE PSNs to cause connectivity to fail and time out so that the switch falls back to local authentication/authorisation.&lt;/P&gt;
&lt;P&gt;Another common approach when configuring AAA remotely with no console access, and one I used many years ago during my CCIE Security lab exam, is the following:&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;Save the configuration&lt;/LI&gt;
&lt;LI&gt;Issue the 'reload in &amp;lt;min&amp;gt;' command to schedule an automatic reload of the switch in case of lockout&lt;/LI&gt;
&lt;LI&gt;Apply your AAA configuration and open a second separate SSH session to test it&lt;/LI&gt;
&lt;LI&gt;If the configuration works as expected, issue the 'reload cancel' command to cancel the scheduled shutdown&lt;/LI&gt;
&lt;LI&gt;Save the updated configuration&lt;/LI&gt;
&lt;/OL&gt;</description>
      <pubDate>Mon, 20 Dec 2021 01:59:10 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/how-to-test-aaa-device-administration-without-getting-locked-out/m-p/4521317#M571819</guid>
      <dc:creator>Greg Gibbs</dc:creator>
      <dc:date>2021-12-20T01:59:10Z</dc:date>
    </item>
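The five-step reload safety net from the post above, as an added example session typed into an IOS device; it is not a transcript from the original thread. The hostname, addresses, method-list and server-group names and the test account are placeholders, and the device output shown is illustrative and varies by platform and release. It adds one check the steps do not spell out: asking the switch itself to authenticate a test user against the server group before trusting the second SSH session.

```cisco
! 1. Save the known-good configuration. The scheduled reload boots from
!    startup-config, so whatever is saved here is what you fall back to.
Switch# write memory
Building configuration...
[OK]
!
! 2. Arm the dead-man timer. Because the config was just saved there is
!    no "save?" prompt, and an unsaved (broken) AAA change is discarded
!    when the reload fires. Pick a window long enough to finish testing.
Switch# reload in 15
Reload scheduled in 15 minutes by admin on vty0 (198.51.100.10)
Proceed with reload? [confirm]
Switch# show reload
Reload scheduled in 14 minutes and 52 seconds by admin on vty0 (198.51.100.10)
!
! 3. Apply the AAA change in this session and keep the session open.
Switch# configure terminal
Switch(config)# aaa authentication login VTY-AUTH group ISE-TACACS local
Switch(config)# line vty 0 4
Switch(config-line)# login authentication VTY-AUTH
Switch(config-line)# end
!
!    Check the server path from the device itself before logging in.
!    "User successfully authenticated" means ISE answered and accepted.
!    "User rejected" means ISE answered and refused: a real login will
!    fail the same way and will NOT fall back to local, because only a
!    timeout (no answer at all) moves the method list on to "local".
Switch# test aaa group ISE-TACACS netadmin REPLACE-WITH-PASSWORD new-code
User successfully authenticated
!
!    Now open a SECOND SSH session from another terminal and log in
!    with the TACACS+ account. Do not close this first session until
!    the second one has an exec prompt and can run commands.
!
! 4. Only after the second session works, disarm the timer...
Switch# reload cancel
***
*** --- SHUTDOWN ABORTED ---
***
!
! 5. ...and persist the verified change.
Switch# write memory
Building configuration...
[OK]
```

Two cautions for production use. Do not `write memory` between steps 2 and 4: the safety net works precisely because the new AAA lines are unsaved. And the fallback is a reboot of a production device, so run this in a change window and cancel the timer as soon as the second session is confirmed; `show reload` tells you how much time is left if you lose track.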
    <item>
      <title>Re: how to test AAA device administration without getting locked out?</title>
      <link>https://community.cisco.com/t5/network-access-control/how-to-test-aaa-device-administration-without-getting-locked-out/m-p/4521326#M571821</link>
      <description>&lt;P&gt;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/388087"&gt;@Greg Gibbs&lt;/a&gt;&amp;nbsp;- I was proposing to cut the connection between the NAS and ISE by unticking the RADIUS or TACACS tickbox in ISE (whichever is used for device admin). If that is done, then ISE will not respond to any requests from that NAS, and therefore the NAS will exhaust its server options and choose local.&lt;/P&gt;
&lt;P&gt;I would not advocate disabling the client's RADIUS tickbox in ISE if RADIUS is used for endpoint processing (802.1X, VPN etc) - but it sounds like&amp;nbsp;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1171789"&gt;@SMD28316&lt;/a&gt;&amp;nbsp;is possibly using TACACS+ anyway - or perhaps it's in a lab. I don't know. But I do know that this trick always gets me and my customers out of trouble in case someone fat fingers the NAS config and quickly needs to revert to the local accounts.&lt;/P&gt;</description>
      <pubDate>Mon, 20 Dec 2021 02:18:11 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/how-to-test-aaa-device-administration-without-getting-locked-out/m-p/4521326#M571821</guid>
      <dc:creator>Arne Bier</dc:creator>
      <dc:date>2021-12-20T02:18:11Z</dc:date>
    </item>
  </channel>
</rss>

