aaa authentication

amrelquasaby
Level 1

I am now working with a Cisco switch 3650. After enabling the aaa commands, the switch authenticates with the AAA server (ACS 5.8.0.32) properly,

but it also bypasses the login username and password with any credentials (any username and password),

and it can't enter enable mode, getting a "non authorize command" message.

The aaa commands are:

aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

line vty 0 15
 login authentication default

Thank you in advance

2 Replies

The above configuration looks correct. The expected behavior is that when the user enters credentials, the ACS server would be used to authenticate them. If ACS sends back a reject, the user should not be allowed in. If ACS does not respond, or responds with an error, then the local users defined on the switch should be used.

Can you enable "debug aaa authentication" and "debug aaa authorization", reproduce the problem, and post the console output?

Also, how's ACS configured for the default action for TACACS+ authentications?

Javier Henderson

Cisco Systems

Thanks Javier,

The problem was from the TACACS+ authentication; it was set to "continue".

Appreciate your support.
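The thread turns on two things: how IOS walks a method list such as "group tacacs+ local" (a reject is final, only an error falls through to the next method), and what the ACS default action for an unknown user does to that first method. The following is an added, constructed Python model of both, not code from the poster's switch, from Cisco, or from ACS; the TacacsServer, LocalDatabase and login_default names, the "deny"/"continue" strings and the sample users are all assumptions made for the illustration.

```python
# Constructed model (added example, not the poster's switch or Cisco's code) of how an
# IOS method list such as "group tacacs+ local" is walked, and of the effect of the
# ACS default action for users the TACACS+ server does not know.
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    PASS = "pass"      # method accepted the user
    FAIL = "fail"      # method explicitly rejected the user; no fallback
    ERROR = "error"    # method could not answer (server down); try the next one


@dataclass
class TacacsServer:
    """Hypothetical TACACS+ server with a per-server default action for unknown users."""
    users: dict                    # username -> password (constructed sample data)
    default_action: str = "deny"   # "deny" or "continue" (the setting discussed in the thread)
    reachable: bool = True

    def authenticate(self, user: str, password: str) -> Verdict:
        if not self.reachable:
            return Verdict.ERROR
        if user in self.users:
            return Verdict.PASS if self.users[user] == password else Verdict.FAIL
        # Unknown user: "continue" lets the request through instead of rejecting it.
        return Verdict.PASS if self.default_action == "continue" else Verdict.FAIL


@dataclass
class LocalDatabase:
    """The switch's own 'username ... password ...' entries."""
    users: dict

    def authenticate(self, user: str, password: str) -> Verdict:
        if user in self.users and self.users[user] == password:
            return Verdict.PASS
        return Verdict.FAIL


def run_method_list(methods, user: str, password: str) -> Verdict:
    """Walk the methods in order: PASS and FAIL are final, ERROR falls through to the
    next method. If every method errors out, the login fails."""
    for method in methods:
        verdict = method.authenticate(user, password)
        if verdict is not Verdict.ERROR:
            return verdict
    return Verdict.FAIL


# Constructed sample data: one user known to ACS, one local fallback user.
ACS = TacacsServer(users={"netadmin": "tacacs-pw"}, default_action="continue")
LOCAL = LocalDatabase(users={"backup": "local-pw"})


def login_default(user: str, password: str, server: TacacsServer = ACS) -> Verdict:
    """Model of 'aaa authentication login default group tacacs+ local'."""
    return run_method_list([server, LOCAL], user, password)


if __name__ == "__main__":
    # The symptom in the thread: any credentials get in while ACS is set to "continue".
    print("unknown user, ACS continue :", login_default("anyone", "anything"))
    # The corrected server setting rejects unknown users.
    hardened = TacacsServer(users=ACS.users, default_action="deny")
    print("unknown user, ACS deny     :", login_default("anyone", "anything", hardened))
    # An explicit reject never falls back to the local database.
    print("bad password, ACS deny     :", login_default("netadmin", "wrong", hardened))
    # Only an unreachable server lets the local entries answer.
    down = TacacsServer(users=ACS.users, default_action="deny", reachable=False)
    print("ACS down, local user       :", login_default("backup", "local-pw", down))
```

The model separates a reject from an error on purpose: in the method list, only an error moves on to "local", so the local database is a fallback for an unreachable server and never a second chance after ACS has said no. That is why a server that answers "continue" for unknown users is decisive here: the switch receives a pass from its first method and never consults anything else.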