topic Re: AAA question in Network Security

AAA question

kelly.conley — Wed, 13 Jan 2021 22:40:28 GMT

Greetings,

I am the process of updating and standardizing our AAA configs. This is a current section:

aaa authentication login default group tacacs+ local
aaa authentication login console none
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization exec console none
aaa authorization commands 15 default group tacacs+ if-authenticated

My question is are "aaa authentication login console none" and "aaa authorization exec console none" doing anything? I remember being told years ago they are there for some obscure login scenario but I cant remember what it is. Taking them out doesn't seem to have any effect. Thoughts?

Re: AAA question

Mohammed al Baqari — Thu, 14 Jan 2021 08:05:09 GMT

Hi,

With your config, console access is blocked. Any user who tries to access
console and authenticate with fail. Some high security firms adopt that
model but the counter to this that you can't do console troubleshooting.

**** please remember to rate useful posts

Re: AAA question

kelly.conley — Thu, 14 Jan 2021 15:37:09 GMT

Thanks for the response. You would think that is the case but it is not.
Console access works with a local user as well as with tacacs.

Re: AAA question

Seb Rupik — Thu, 14 Jan 2021 15:45:21 GMT

Hi there,

The none keyword instructs the aaa AuthC process to not look at any user datastores. The credentials must be stored on the line. What does sh run | beg line con look like?

cheers,

Seb.

Re: AAA question

kelly.conley — Thu, 14 Jan 2021 15:58:09 GMT

line con 0
exec-timeout 30 0
logging synchronous

Re: AAA question

kelly.conley — Thu, 14 Jan 2021 16:14:18 GMT

It appears that because I have this line:

aaa authentication login default group tacacs+ local

Then this line:

aaa authentication login console none

That "login default" applies to the console and therefore "aaa authentication login console none" does nothing and console access is allowed if tacacs is not available.

Re: AAA question

Mohammed al Baqari — Thu, 14 Jan 2021 16:35:09 GMT

This is very strange. Based on your config, console access shouldn't work.

Open an ssh session, debug aaa authentication with term monitor, then login
to console and post the output. Let's see what happens.

***** please remember to rate useful posts

Re: AAA question

kelly.conley — Thu, 14 Jan 2021 17:45:24 GMT

So when the tacacs is available console login does not work.

Jan 14 17:39:51.965: AAA/AUTHEN/LOGIN (0000001B): Pick method list 'default'

So I assume that this:

aaa authentication login default group tacacs+ local

is being used. when tacacs is not available console access fails to local even if "aaa authentication login console none" is used.