AAA authorization issue

Sanjoy4231
Level 1

Hello all, I have seen an issue where the client can log in to the switch but cannot go to exec level, as he configured the AAA authorization command wrongly. They use separate AAA servers for AAA functions.
Apart from breaking the connection between the server and the switch so that it can fall back to the local user for authorization, is there any other way of getting out of this situation?
The wrong commands which were entered, after which AAA authorization was not working:
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
Server group name was: scbtacacsgrp
The correct commands should be:

aaa authorization commands 1 default group scbtacacsgrp local
aaa authorization commands 15 default group scbtacacsgrp local
All I want to know is how we can change the config of the device without stopping the TACACS server connection between them.
Thanks.
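A pre-change check of the kind a practitioner would run before pushing AAA lines to a remote box, added here as an example (not from the thread or from Cisco): a small Python linter over a constructed running-config fragment that flags method lists whose `group` name does not match a defined `aaa group server` (the mistake above, `tacacs+` typed instead of `scbtacacsgrp`), flags lists with no `local` fallback, and proposes the corrected line when only one suitable named group exists. It assumes the built-in `tacacs+`/`radius` groups contain only globally configured servers.

```python
import re

# Constructed sample modelled on the thread: the TACACS+ servers live in the
# named group "scbtacacsgrp", but the command-authorization lines reference
# the built-in "tacacs+" group, which here has no globally defined servers.
SAMPLE_CONFIG = """\
aaa group server tacacs+ scbtacacsgrp
 server-private 192.0.2.10 key 7 0123456789ABCDEF
aaa authentication login default group scbtacacsgrp local
aaa authorization exec default group scbtacacsgrp local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
"""

GROUP_DEF = re.compile(r"^aaa group server (tacacs\+|radius) (\S+)$")
GLOBAL_SERVER = re.compile(r"^(tacacs-server host|tacacs server|radius-server host|radius server)\b")
BUILTIN = ("tacacs+", "radius")


def parse_groups(config: str) -> dict:
    """Map each 'aaa group server' name to its protocol (tacacs+ or radius)."""
    return {m.group(2): m.group(1) for l in config.splitlines()
            if (m := GROUP_DEF.match(l.rstrip()))}


def lint_aaa(config: str) -> list:
    """Flag method lists whose 'group' reaches no server or that lack a 'local' fallback."""
    lines = [l.rstrip() for l in config.splitlines()]
    groups = parse_groups(config)
    # Assumption: the built-in tacacs+/radius groups hold only globally
    # configured servers, so they are empty unless such a server line exists.
    has_global = any(GLOBAL_SERVER.match(l) for l in lines)
    findings = []
    for line in lines:
        if not line.startswith(("aaa authentication ", "aaa authorization ", "aaa accounting ")):
            continue
        tokens = line.split()
        for i, tok in enumerate(tokens[:-1]):
            if tok != "group" or tokens[i + 1] in groups:
                continue
            name = tokens[i + 1]
            if name in BUILTIN and has_global:
                continue
            # Candidate replacements: named groups of the same protocol (any group for a typo)
            candidates = [g for g, p in groups.items() if name not in BUILTIN or p == name]
            fix = ""
            if len(candidates) == 1:
                fix = "; suggested: " + " ".join(tokens[:i + 1] + candidates + tokens[i + 2:])
            findings.append(f"{line}: group '{name}' resolves to no server{fix}")
        if "local" not in tokens:
            findings.append(f"{line}: no 'local' fallback method")
    return findings
```

Running `lint_aaa(SAMPLE_CONFIG)` reports both `commands` lines and proposes the `scbtacacsgrp` versions; a fragment with the corrected lines, or with a global `tacacs server` defined, produces no findings.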

4 Replies

balaji.bandi
Hall of Fame

There are 2 options:
1. If the console is not AAA (we generally configure a LOCAL username as an emergency), you can change it using the console.

2. As you mentioned, go to the radius server and change the key or remove the key so it falls back to local; make the changes again, then add the key back to the radius server and test it.
This will not have any service impact.
BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hello balaji.bandi,
1. Using the console cannot be done, as this needs to be done remotely.
2. Changing the key from the server is just going to decline the user, and it will not fall back to local as long as the reachability is fine, as far as I know. So either I need to remove the client from the server or somehow stop the reachability. Please let me know if I am wrong.
2. Changing the key from the server is just going to decline the user, and it will not fall back to local as long as the reachability is fine, as far as I know. So either I need to remove the client from the server or somehow stop the reachability. Please let me know if I am wrong.

If you remove the key, the radius is not going to work, so it will fall back to local for sure.

If you remove the IP and add it back to the radius, that also works; whatever works for you.
In either case, you can solve your problem, test, and let us know.
BB

Mike.Cifelli
VIP Alumni

Food for thought: worst case, if you have an ASI window or can support a reload (if the config gets hosed), you can schedule a reload in X, X being the time you want the device to reload to boot startup, which will get you back to the previous state before testing changes. Just make sure you don't copy run to start.