topic Re: TACACS Authorization in Network Security

TACACS Authorization

proxymaster — Fri, 12 May 2023 14:58:10 GMT

Hi everyone,

I need to migrate an old Cisco Secure ACS to a new TACACSGUI.
Old ACS run on two servers (XX.XX.XX.XX and YY.YY.YY.YY), while the new server is ZZ.ZZ.ZZ.ZZ.

This was the previous configuration:

aaa group server tacacs+ TACACS-GROUP-SERVER
server XX.XX.XX.XX
server YY.YY.YY.YY

tacacs-server key 7 ENCRYPTED_KEY
tacacs-server host XX.XX.XX.XX
tacacs-server host YY.YY.YY.YY

aaa authentication login default group TACACS-GROUP-SERVER local
aaa authentication login console group TACACS-GROUP-SERVER local
aaa authorization exec default group TACACS-GROUP-SERVER local
aaa authorization commands all default group TACACS-GROUP-SERVER local

Then I made a rookie mistake.

I added the new server to the aaa group and removed the old ones, but I did not added the command line tacacs-server host ZZ.ZZ.ZZ.ZZ.

aaa group server tacacs+ TACACS-GROUP-NAME

server ZZ.ZZ.ZZ.ZZ

A moment later I lost connection and I'm locked out of the router.

Now, using local router accounts I'm able to get into EXEC mode, but I'm not authorized to do a configure terminal. It returns this error:
% Authorization denied for command 'configure terminal'.

I tried to change the "Shell Command Authorization Set" and other User Setup configurations on old ACS server, but it doesn't seem to make a difference.

I'm able to authenticate on old ACS server (even show logs on old ACS GUI) through the command test aaa group tacacs+ USERNAME PASSWORD.

Using old ACS/new TACASGUI registered accounts, I can't even login. None of the three servers register any log of authentication or authorization attempts.

Any suggestions on how to bypass TACACS to be able to configure terminal again?

Re: TACACS Authorization

Rob Ingram — Fri, 12 May 2023 15:05:41 GMT

@proxymaster you can reboot the router, the configuration will revert to the previously saved version without the new TACACS server.

Or perhaps you could define a null route to ZZ.ZZ.ZZ.ZZ on the upstream switch/router, so the router you cannot login to is unable to communicate with the new TACACS server and therefore you should be able to login using a local user account.

Re: TACACS Authorization

proxymaster — Fri, 12 May 2023 15:22:00 GMT

Hi Rob, thanks for the quick response!

I think that rebooting the device will be a last resort option for me.

So, if no TACACS server is available the local authentication/authorization is taken by default?

Re: TACACS Authorization

Rob Ingram — Fri, 12 May 2023 15:42:54 GMT

@proxymaster yes it should fail back to local authentication if TACACS is unavailable.