AAA Configuration

I'm trying to configure AAA, but when I input the commands for it, it takes a lot of time. Is there any technical reason why it is taking so much time?

Please find the config below:

aaa new-model
aaa authentication fail-message ^CCCCCCCCCLogin attempt failed^C
aaa authentication login default group tacacs+ local
aaa authentication login no_tacacs local
aaa authentication login AAA group ISE_GROUP local
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization exec AAA group ISE_GROUP local
aaa authorization commands 0 AAA group ISE_GROUP local
aaa authorization commands 1 AAA group ISE_GROUP local
aaa authorization commands 15 default group tacacs+ local
aaa authorization commands 15 AAA group ISE_GROUP local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 AAA start-stop group ISE_GROUP
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 1 AAA start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting commands 15 AAA start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa common-criteria policy POLICY
 min-length 8
 max-length 25
 numeric-count 1
 upper-case 1
 lower-case 1
 special-case 1
 char-changes 3
 lifetime month 3
aaa session-id common
tacacs-server timeout 60
tacacs-server directed-request

aaa group server tacacs+ ISE_GROUP
 server-private xx.xx.xx.xx key -----------
 server-private yy.yy.yy.yy key ----------
 ip vrf forwarding Mgmt-vrf

aaa session-id common
tacacs-server timeout 60
tacacs-server directed-request
tacacs-server key ------------


Do you have high CPU utilization?

Router# show tacacs 
Router# show aaa servers private

Share the above after you check the CPU utilization.

@Ganesh Devarshetty my initial thought is that once you've configured TACACS authorisation, the TACACS server is now going to be authorising each subsequent command, which would be slightly slower. Check the TACACS server logs to determine if that's the case and see if there is latency and/or errors.

Hi @Ganesh Devarshetty

You are using local and TACACS at the same time; that's why you see the delay.

Keep only these lines for authentication and authorization:

aaa authentication login AAA group ISE_GROUP local
aaa authorization exec AAA group ISE_GROUP local

Remove:

aaa authentication login default group tacacs+ local

aaa authorization exec default group tacacs+ local

I tried again after removing the two commands but still it is taking a lot of time.

You have too much config over there. Remove all the AAA config and add only this:

aaa new-model
aaa group server tacacs+ ISE_GROUP
aaa authentication login default group ISE_GROUP local
aaa authorization exec default group ISE_GROUP if-authenticated
aaa authorization commands 1 default group ISE_GROUP
aaa authorization commands 15 default group ISE_GROUP none
aaa accounting commands 15 default stop-only group ISE_GROUP
aaa session-id common

I took this from a working switch. Only this config is necessary.

Arne Bier (VIP)

One thing to remember is that IOS will always try the first TACACS server in your group. If that server does not respond, IOS will try a few times with a delay in between. Only then will it try the second TACACS server. IOS does not remember that the primary TACACS server did not respond (like a hold-down timer), therefore the experience will be bad until the primary TACACS server is restored. RADIUS, on the other hand, uses a dead-timer to prevent this from happening.

Sorry @Arne Bier,
@LeoMccoy in another post asked if he can use local to access the SW/R, and I answered yes, but to be honest
I don't have a TACACS server to support the command, so my question, which will also help @LeoMccoy, is:
if I access the SW/R via a local user but I use aaa authentication enable without local and aaa authorization exec without local, does this work? i.e. can he enter config mode and add commands?
Your answer is highly appreciated.

Arne Bier (VIP)

There are two "back doors" available in case the aaa authentication does not succeed (because AAA does not respond):

  • local IOS user accounts on the device - this requires the keyword "local" appended to the aaa authentication command
  • enable password on the device - this requires the keyword "enable" appended to the aaa authentication command (you won't be prompted for a username - it will be "Password:" only)

The best way to test this is to use method lists against a range of VTY lines, and to keep the console port out of any AAA config (as a back door).

When I last tested this, I recall that I was unable to log into the device if the "local" keyword was missing from the aaa authentication commands. It will then rely entirely on the RADIUS/TACACS server (whichever is used) to succeed, unless local or enable is configured on the aaa as mentioned above.

GNS3 is your friend
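A small audit script, added here as an example and not part of this thread or of IOS, that applies Arne's point to a config like the one posted above: it parses each aaa login/authorization method list and flags lists whose methods are all server groups (no "local", "enable", "none" or "if-authenticated" to fall back on), and reports the tacacs-server timeout that bounds how long each server is waited on. The sample config is constructed; the STRICT lists are hypothetical additions to show a list with no fallback.

```python
import re

# Constructed sample based on the AAA lines posted in the thread; the STRICT
# lists are hypothetical, added to show a method list with no local fallback.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login AAA group ISE_GROUP local
aaa authentication login STRICT group ISE_GROUP
aaa authorization exec AAA group ISE_GROUP local
aaa authorization commands 15 default group tacacs+ local
aaa authorization commands 15 STRICT group ISE_GROUP
tacacs-server timeout 60
"""

# Methods that return a result without a reachable AAA server.
NO_SERVER_METHODS = {"local", "enable", "none", "if-authenticated"}

LIST_RE = re.compile(
    r"^aaa (authentication login|authorization (?:exec|commands \d+)) (\S+) (.+)$"
)

def parse_method_lists(config):
    """Return {(kind, list_name): [methods]} for each login/authz method list,
    e.g. 'group tacacs+ local' becomes ['group tacacs+', 'local']."""
    lists = {}
    for line in config.splitlines():
        m = LIST_RE.match(line.strip())
        if m:
            lists[(m.group(1), m.group(2))] = re.findall(r"group \S+|\S+", m.group(3))
    return lists

def server_only_lists(config):
    """Method lists whose methods are all server groups: if every server in
    the group is unreachable, IOS has nothing left to fall back on."""
    return sorted(
        key for key, methods in parse_method_lists(config).items()
        if not NO_SERVER_METHODS.intersection(methods)
    )

def tacacs_timeout(config):
    """Per-server TACACS+ timeout in seconds; IOS default is 5 when unset."""
    m = re.search(r"^tacacs-server timeout (\d+)$", config, re.M)
    return int(m.group(1)) if m else 5

if __name__ == "__main__":
    for kind, name in server_only_lists(SAMPLE_CONFIG):
        print(f"no server-independent fallback: aaa {kind} {name}")
    print(f"tacacs-server timeout: {tacacs_timeout(SAMPLE_CONFIG)}s per server")
```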

@Arne Bier @LeoMccoy
I already mentioned to him that the username and password are mandatory.
This is a topic I am very careful about in my suggestions,
and your answer is the same as I was thinking:
configure a VTY (using a rotary group) that uses local for authentication, config commands and exec under that VTY.
Here, if he accesses this VTY he does not depend on TACACS at all for authc and authz.
I hope I am right and he reads these posts.
The last thing we want here is to suggest something that does more bad than good.
Thanks a lot.
Have a nice summer for you and your family.
MHM