aaa authentication

I am now working with a Cisco switch 3650. After enabling the aaa commands, the switch authenticates with the AAA server (ACS 5.8.0.32) properly,

but it can also bypass the login username and password with any credentials (any username and password),

and it can't enter enable mode, with a "non authorize command" message.

The aaa commands are:

aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

line vty 0 15
 login authentication default

Thank you in advance

The above configuration looks correct. The expected behavior is that when the user enters credentials, the ACS server would be used to authenticate them. If ACS sends back a reject, the user should not be allowed in. If ACS does not respond, or responds with an error, then the local users defined on the switch should be used.

Can you enable "debug aaa authentication" and "debug aaa authorization", reproduce the problem, and post the console output?

Also, how's ACS configured for the default action for TACACS+ authentications?

Javier Henderson

Cisco Systems

Thanks Javier,

The problem was with the TACACS+ authentication: it was "continue".

Appreciate your support.
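The method-list fallback Javier describes, together with the "continue" setting the final reply identifies as the cause, modelled as an added example (not code from this thread or from Cisco). The `Acs` class is a constructed stand-in, and its `on_auth_failed` handling is an assumption about how the ACS identity-store "Continue" option behaves.

```python
from enum import Enum


class Result(Enum):
    PASS = "pass"    # server authenticated the user
    FAIL = "fail"    # server explicitly rejected the credentials
    ERROR = "error"  # server unreachable or returned an error


class Acs:
    """Constructed stand-in for ACS 5.x. `on_auth_failed` models the
    identity-store advanced option ("Reject" or "Continue") as assumed here."""

    def __init__(self, users, reachable=True, on_auth_failed="Reject"):
        self.users = users
        self.reachable = reachable
        self.on_auth_failed = on_auth_failed

    def authenticate(self, user, password):
        if not self.reachable:
            return Result.ERROR
        if self.users.get(user) == password:
            return Result.PASS
        # Assumed behaviour: with "Continue" the failed identity check does not
        # stop policy processing, and a permissive authorization rule turns the
        # bad login into an Accept. "Reject" returns an explicit failure.
        return Result.PASS if self.on_auth_failed == "Continue" else Result.FAIL


def local_authenticate(local_users, user, password):
    return Result.PASS if local_users.get(user) == password else Result.FAIL


def login(method_list, acs, local_users, user, password):
    """Models 'aaa authentication login default group tacacs+ local': methods
    run in order, and the next one is consulted only on ERROR, never on FAIL."""
    for method in method_list:
        if method == "group tacacs+":
            result = acs.authenticate(user, password)
        elif method == "local":
            result = local_authenticate(local_users, user, password)
        else:
            raise ValueError(f"unknown method {method!r}")
        if result is not Result.ERROR:
            return result is Result.PASS  # PASS admits, FAIL rejects outright
    return False  # every method errored: access denied


METHODS = ["group tacacs+", "local"]
LOCAL_USERS = {"admin": "local-secret"}    # constructed sample accounts
ACS_USERS = {"netops": "acs-secret"}
```

With the constructed accounts above, a valid local password is rejected while ACS is reachable and set to "Reject" (FAIL does not fall through to `local`), and with "Continue" any credentials are admitted, which is the symptom the original post reports.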