AAA

fmugambi
VIP Alumni

Hello Team,

I have these configs:

aaa authentication login default group "aaa_server" local
aaa authentication enable default group "aaa_server" enable
aaa authorization exec default group "aaa_server" if-authenticated
aaa accounting exec default start-stop group "aaa_server"
aaa accounting commands 1 default start-stop group "aaa_server"
aaa accounting commands 15 default start-stop group "aaa_server"

Once I shut down aaa_server to simulate it being unreachable, I am not able to log in to the device using the local database.

Kindly assist.

24 Replies

balaji.bandi
Hall of Fame

What device model and IOS code are running on the devices?

Make sure you have a local user created with privilege level 15.

Make sure you also set the TACACS timeout to something lower, like 3-5 seconds; the default is 60 (I am sure you have waited long enough and tried?).

What logs do you see on the devices?


I have this config working on all my lab devices, using ACS:

aaa new-model
!
tacacs server SERVER1
address ipv4 10.10.10.100
key 0 xxxxxxxxxxxxxxxxx
tacacs server SERVER2
address ipv4 20.20.20.200
key 0 XXXXXXXXXXX
aaa group server tacacs+ SERVER_GROUP
server name SERVER1
server name SERVER2
aaa authentication login default group SERVER_GROUP local
aaa authentication enable default group SERVER_GROUP enable
aaa authorization config-commands
aaa authorization exec default group SERVER_GROUP local if-authenticated
aaa authorization commands 1 default group SERVER_GROUP if-authenticated
aaa authorization commands 15 default group SERVER_GROUP local if-authenticated
aaa accounting exec default start-stop group SERVER_GROUP
aaa accounting commands 1 default start-stop group SERVER_GROUP
aaa accounting commands 15 default start-stop group SERVER_GROUP

BB

===== Preenayamo Vasudevam =====

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

When I compare our configs, below is the only line I don't have:

aaa authorization exec default group SERVER_GROUP local if-authenticated

Is this what I should add for the device to use the local DB in case the AAA server is unreachable?

Any update?

YES / NO, it depends on the other parts of the config: the timeout settings you have, and the local config you have in place. Mostly that should work.

But I have asked about the environment: "what device model and IOS code are running on the devices?"

BB


Your config is OK

Can I see

show user

It may be you don't have an available vty line anymore; that's why the device rejects the new user.

MHM

[Screenshot attached: fmugambi_0-1705480934255.png]

PFA

Access via console 

Clear line vty all

Then try again 

MHM

Funny enough, the console is also dependent on the AAA server. If it's offline, the console does not work.

Should I bring AAA online first, then connect via console and issue the commands?

No friend, don't try that.

Let me check all command again 

Thanks for waiting 

MHM

Can I see config of vty and console

Thanks 

MHM

[Screenshot attached: fmugambi_0-1705558816759.png]

Hi friend,
This lab shows the cases we see when we use exec.
The issue is that exec local and if-auth depend on the priv you use with the username command and the enable password.
So to solve your issue, add new:

username xx priv 15 password xxx
enable password xxx

and try access via vty when the AAA is not reachable.

[Screenshot attached: Screenshot (95).png]

Should the enable password match the new user password "xxx"?

No friend,

I write xxx, which means you can use anything for the password and username; it does not mean it must match.

Thanks 

MHM
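As an added example (not code from this thread, from Cisco, or from either replier), a small Python audit that applies the checks raised in the replies above to IOS running-config text: balaji's points about a 'local' fallback method and a short TACACS timeout, and MHM's point about a privilege-15 username and an enable password. The two sample configs, the 'admin' username and the PLACEHOLDER_* values are constructed for the example.

```python
import re

# Constructed sample (not from a live device): the method lists in the question,
# with the quoted group name written the way IOS prints it.
THREAD_CONFIG = """\
aaa authentication login default group aaa_server local
aaa authentication enable default group aaa_server enable
aaa authorization exec default group aaa_server if-authenticated
aaa accounting exec default start-stop group aaa_server
"""

# Constructed sample applying the replies' suggestions: 'local' in the exec
# authorization list, a priv-15 user, an enable secret, a short TACACS timeout.
FIXED_CONFIG = """\
tacacs server SERVER1
 address ipv4 10.10.10.100
 key 0 PLACEHOLDER_KEY
 timeout 5
aaa group server tacacs+ SERVER_GROUP
 server name SERVER1
aaa authentication login default group SERVER_GROUP local
aaa authentication enable default group SERVER_GROUP enable
aaa authorization exec default group SERVER_GROUP local if-authenticated
username admin privilege 15 secret PLACEHOLDER_SECRET
enable secret PLACEHOLDER_SECRET
"""

METHOD_LIST = re.compile(r"^aaa (authentication login|authorization exec) (\S+) (.+)$")
TIMEOUT = re.compile(r"^\s*(?:tacacs-server )?timeout (\d+)$")

def audit_aaa_fallback(config: str, max_timeout: int = 5) -> list[str]:
    """Return findings that would block local login once the AAA server is unreachable."""
    findings, timeouts, block = [], [], ""
    lines = [ln.rstrip() for ln in config.splitlines() if ln.strip()]
    for ln in lines:
        if not ln.startswith(" "):
            block = ln  # top-level command owning the indented lines below it
        m = METHOD_LIST.match(ln)
        if m and "group" in m.group(3).split() and "local" not in m.group(3).split():
            findings.append(f"aaa {m.group(1)} list '{m.group(2)}' has no 'local' fallback")
        t = TIMEOUT.match(ln)
        if t and block.startswith("tacacs"):  # per-server or global TACACS timeout
            timeouts.append(int(t.group(1)))
    if not any(re.match(r"^username \S+ priv\S* 15\b", ln) for ln in lines):
        findings.append("no local 'username ... privilege 15' account to fall back to")
    if not any(ln.startswith(("enable secret", "enable password")) for ln in lines):
        findings.append("no 'enable secret'/'enable password' for the enable method list")
    if not timeouts or max(timeouts) > max_timeout:
        findings.append(f"TACACS timeout missing or above {max_timeout} s; dead-server detection is slow")
    return findings
```

Run against the question's config it reports four gaps (the exec authorization list without 'local', no priv-15 user, no enable password, no short timeout); against the fixed sample it reports none.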