02-05-2022 05:56 AM
Hello All, I have seen an issue where the client can log in to the switch but cannot go to exec level, as he configured the AAA authorization command wrongly. They use separate AAA servers for AAA functions.
Apart from breaking the connection between the server and the switch so that it falls back to the local user for authorization, is there any other way of getting out of this situation?
The wrong commands which were entered, after which AAA authorization was not working:
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
The server group name was: scbtacacsgrp
The correct commands should be:
aaa authorization commands 1 default group scbtacacsgrp local
aaa authorization commands 15 default group scbtacacsgrp local
All I want to know is how we can change the config of the device without stopping the TACACS server connection between them.
Thanks.
02-05-2022 06:30 AM
There are 2 options:
1. If the console is not AAA (we generally configure a LOCAL username as an emergency), you can change it using the console.
2. As you mentioned, go to the radius server and change the key or remove the key so it falls back to local; you make the changes again, add the key back to the radius server and test it.
This will not have any service impact.
02-05-2022 07:05 AM
Hello balaji.bandi,
1. Using the console cannot be done, as this needs to be done remotely.
2. Changing the key on the server is just going to decline the user, and it will not fall back to local as long as the reachability is fine, as far as I know. So either I need to remove the client from the server or somehow stop the reachability. Please let me know if I am wrong.
02-05-2022 07:59 AM
2. Changing the key on the server is just going to decline the user, and it will not fall back to local as long as the reachability is fine, as far as I know.
So either I need to remove the client from the server or somehow stop the reachability. Please let me know if I am wrong.
If you remove the key, the radius is not going to work, so it will fall back to local for sure.
If you remove the IP and add it back to the radius, that also works; whatever works for you.
In either case, you can solve your problem, test, and let us know.
02-05-2022 09:05 AM
Food for thought: worst case, if you have an ASI window or can support a reload (if the config gets hosed), you can schedule a reload in X, X being the time you want the device to reload to boot startup, which will get you back to the previous state before testing changes. Just make sure you don't copy run to start.
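Putting the thread together as an added example (not from any poster): the scheduled-reload safety net from the last reply wrapped around the corrected commands from the question, applied over the existing remote session. It assumes a session in which privileged commands are still being authorized (for instance after the server-side fallback from the second reply); the 15-minute interval, the `testuser`/`testpass` credentials and the verification steps are assumptions, and scbtacacsgrp is the group name from the question.

```cisco
! Safety net: if the session dies or the fix is wrong, the box reloads onto
! startup-config. Do NOT "write memory" until the fix has been verified.
reload in 15
!
configure terminal
! Re-entering a default method list replaces its methods, so the two bad
! lines (default "tacacs+" group) are overwritten by the named group.
aaa authorization commands 1 default group scbtacacsgrp local
aaa authorization commands 15 default group scbtacacsgrp local
end
!
! Verify from THIS session before trusting the change:
! 1. the named group actually holds the TACACS+ server(s)
show run | section aaa group server
! 2. the server is reachable and accepts the shared key (credentials assumed)
test aaa group scbtacacsgrp testuser testpass legacy
! 3. open a SECOND ssh session, enter enable and run a privileged command
!    (e.g. "show run") so command authorization is proven against the
!    corrected list while this session is still open.
!
! Only once the second session works: cancel the pending reload, then save.
reload cancel
write memory
```

If step 3 fails, leave the reload pending and let the device return to startup-config; the bad lines are then only in the unsaved running-config.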