topic Re: AAA authorization issue in Network Access Control

AAA authorization issue

Sanjoy4231 — Sat, 05 Feb 2022 13:56:19 GMT

Hello All, i have seen an issue where the client can login to switch but cannot go to exec level as he configured the AAA authorization command wrongly. They use separate AAA servers for AAA functions.

Apart from breaking the connection between the server and switch so that it can fall back to local user for authorization, is there any other way of getting out this situation?

The wrong commands which was entered after which AAA authorization was not working :
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local

server group name was : scbtacacsgrp

The correct commands should be :

aaa authorization commands 1 default group scbtacacsgrp local
aaa authorization commands 15 default group scbtacacsgrp local

All i want to know is how can we change the config of the device without stopping the tacacs server connection between them.

Thanks.

Re: AAA authorization issue

balaji.bandi — Sat, 05 Feb 2022 14:30:02 GMT

There is 2 Option :

1. If the console is not AAA (we generally configure to LOCAL username as an emergency) - that method you can change it using Console.

2. As you mentioned, go to the radius server, change the Key or remove the key, so it falls back to Local, you make the changes again - add the back key to the radius server test it.

This i will not have any service impact.

Re: AAA authorization issue

Sanjoy4231 — Sat, 05 Feb 2022 15:05:19 GMT

Hello balaji.bandi,

1. Using the console cannot be done as this needed to be done remotely

2. Changing the key from server is just going to decline the user and it will not fall back to local as long as the reachability is fine as far as i know. So either i need to remove the client from the server or somehow stop the reachability. Please let me know if i am wrong.

Re: AAA authorization issue

balaji.bandi — Sat, 05 Feb 2022 15:59:45 GMT

2. Changing the key from server is just going to decline the user and it will not fall back to local as long as the reachability 
is fine as far as i know. 
So either i need to remove the client from the server or somehow  stop the reachability.  Please let me know if i am wrong.

if remove the key is, the radius not going to work, so it will fall back to Local for sure.

if you remove the IP and add it back to a radius also works, whatever works for you.

In either case, you can solve your problem, test, and let us know.

Re: AAA authorization issue

Mike.Cifelli — Sat, 05 Feb 2022 17:05:22 GMT

Food for thought: Worst case if you have an ASI window or can support a reload (if config gets hosed) you can schedule a reload in X. X being the time you want the device to reload to boot startup which will get you back to previous state before testing changes. Just make sure you dont copy run to start.