05-05-2016 05:53 AM - edited 03-10-2019 11:44 PM
I am now working with a Cisco switch 3650. After enabling the AAA commands, the switch authenticates with the AAA server (ACS 5.8.0.32) properly,
but it can also bypass the login username and password with any credentials (any username and password),
and can't enter enable mode, with a "non authorize command" message.
The AAA commands are:
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
line vty 0 15
login authentication default
Thank you in advance
05-05-2016 06:05 AM
The above configuration looks correct. The expected behavior is that when the user enters credentials, the ACS server would be used to authenticate them. If ACS sends back a reject, the user should not be allowed in. If ACS does not respond, or responds with an error, then the local users defined on the switch should be used.
Can you enable "debug aaa authentication" and "debug aaa authorization", reproduce the problem, and post the console output?
Also, how's ACS configured for the default action for TACACS+ authentications?
Javier Henderson
Cisco Systems
05-10-2016 04:57 AM
Thanks Javier,
The problem was with the TACACS+ authentication: it was "continue".
Appreciate your support.
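The following is an added example, not code from the thread or from Cisco; it is a small Python model of two things described above: how IOS evaluates a "group tacacs+ local" method list (Javier's explanation that a reject from ACS denies the login and only a non-response falls back to the local users), and why an ACS authentication policy whose failure action is "continue" (the root cause the original poster found) lets any credentials through. The server, policy and user names are constructed for illustration and are not real ACS or IOS APIs.

```python
# Added example (not from the thread): model of IOS method-list fallback and
# of the ACS "continue" failure action. All names and data are constructed.
from enum import Enum


class Result(Enum):
    PASS = "pass"      # server accepted the credentials
    FAIL = "fail"      # server actively rejected them
    ERROR = "error"    # no response / malformed reply


class TacacsServer:
    """Constructed stand-in for the ACS TACACS+ server in the thread.

    failure_action models the ACS authentication policy's action when a
    login fails: "reject" returns FAIL; "continue" keeps processing as if
    the login had succeeded (the misconfiguration the poster found).
    reachable=False models a server that never answers.
    """

    def __init__(self, users, failure_action="reject", reachable=True):
        self.users = users
        self.failure_action = failure_action
        self.reachable = reachable

    def authenticate(self, username, password):
        if not self.reachable:
            return Result.ERROR
        if self.users.get(username) == password:
            return Result.PASS
        if self.failure_action == "continue":
            return Result.PASS  # wrong password, but the session continues
        return Result.FAIL


class LocalDatabase:
    """Models the 'username ... password ...' entries on the switch."""

    def __init__(self, users):
        self.users = users

    def authenticate(self, username, password):
        # The local method never "errors": it either matches or rejects.
        return Result.PASS if self.users.get(username) == password else Result.FAIL


def method_list(methods, username, password):
    """Evaluate methods in order, as IOS does for 'aaa authentication login'.

    A PASS or FAIL from a method is final; only ERROR (no response) moves
    on to the next method. If every method errors, the login is denied.
    """
    for method in methods:
        result = method.authenticate(username, password)
        if result is not Result.ERROR:
            return result is Result.PASS
    return False


def demo():
    """Run the three scenarios from the thread and return the outcomes."""
    local = LocalDatabase({"admin": "L0cal-pass"})      # constructed
    acs_users = {"netops": "Correct-pass"}               # constructed

    # Misconfigured ACS: failure action "continue" (the thread's root cause).
    leaky = [TacacsServer(acs_users, failure_action="continue"), local]
    # Corrected ACS: failure action "reject".
    strict = [TacacsServer(acs_users, failure_action="reject"), local]
    # ACS unreachable: only the local database can answer.
    down = [TacacsServer(acs_users, reachable=False), local]

    return {
        "leaky_bogus": method_list(leaky, "anyone", "anything"),          # True: the bug
        "strict_bogus": method_list(strict, "anyone", "anything"),        # False
        "strict_valid": method_list(strict, "netops", "Correct-pass"),    # True
        "strict_local_while_up": method_list(strict, "admin", "L0cal-pass"),  # False: local not consulted
        "down_local": method_list(down, "admin", "L0cal-pass"),           # True: fallback
        "down_bogus": method_list(down, "anyone", "anything"),            # False
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'ALLOWED' if allowed else 'denied'}")
```

The "strict_local_while_up" case is the one operators most often misread: with "group tacacs+ local" the local user is never consulted while ACS is answering, which is why a reject from ACS must really be a reject and not "continue".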