
AAA Console - Prevent lockout

Hello Team,

I have a Cisco Nexus 5k switch. Currently I have the AAA configuration as below:

aaa group server tacacs+ ACS_Server
aaa authentication login default group ACS_Server local
aaa authentication login console local
aaa authorization config-commands default group ACS_Server local
aaa authorization commands default group ACS_Server local
aaa accounting default group ACS_Server local

Now my aim is to change the TACACS+ authentication from ACS to ISE.
To facilitate this, I will log in via Console and modify the ACS_Server IP address to the Cisco ISE IP address. The rest of the configuration will remain as it is.

Now my question is: Is there a possibility that I can get locked out using the Console login?

4 Replies

Jaderson Pessoa
VIP Alumni
No, if you change from ACS to ISE, the console is still available because it will use local authentication. Only VTY will be locked until you have rules and a profile configured on ISE.

Regards,
Jaderson Pessoa
*** Rate All Helpful Responses ***

Thank you Jaderson for the prompt reply.
I agree that authentication will work fine, but can there be authorization-related issues for console login?
As far as I know, authorization for console login is disabled unless we explicitly mention it.
But I am not sure what effect the below 2 commands will have:

aaa authorization config-commands default group ACS_Server local
aaa authorization commands default group ACS_Server local

Please advise. Thank you.

Well, if your ISE is not configured properly... local login / authorization will be used according to your configuration.
In short: you'll be able to connect and change anything if your ISE does not have the necessary configuration.
Jaderson Pessoa
*** Rate All Helpful Responses ***

farhanalikhan80
Level 1

aaa new-model

aaa authentication login NO-Auth none


line con 0

 login authentication NO-Auth
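
A pre-change check for the method lists discussed in this thread, as an added example that is not part of any post: it parses AAA lines and reports lists that reference an undefined server group, lack a `local` fallback, use `none`, or leave the console on anything other than a local-only list. The function names `parse_aaa` and `lint` are hypothetical, and the checks are purely textual; they do not model how the switch evaluates the lists.

```python
SAMPLE = """\
aaa group server tacacs+ ACS_Server
aaa authentication login default group ACS_Server local
aaa authentication login console local
aaa authorization config-commands default group ACS_Server local
aaa authorization commands default group ACS_Server local
aaa accounting default group ACS_Server local
"""  # constructed input: the AAA lines posted in the question

def parse_aaa(config):
    """Return (defined server groups, {list label: [methods]})."""
    groups, lists = set(), {}
    for line in config.splitlines():
        tok = line.split()
        if tok[:3] == ["aaa", "group", "server"] and len(tok) == 5:
            groups.add(tok[4])
        elif tok[:1] == ["aaa"] and len(tok) > 3 and tok[1] in (
                "authentication", "authorization", "accounting"):
            # accounting has no sub-type: "aaa accounting <list> <methods>"
            head = 3 if tok[1] == "accounting" else 4
            methods, rest = [], tok[head:]
            while rest:
                if rest[0] == "group" and len(rest) > 1:
                    methods.append("group:" + rest[1])
                    rest = rest[2:]
                else:
                    methods.append(rest[0])
                    rest = rest[1:]
            lists[" ".join(tok[1:head])] = methods
    return groups, lists

def lint(config):
    """Return findings that bear on lockout or unauthenticated access."""
    groups, lists = parse_aaa(config)
    findings = []
    for label, methods in lists.items():
        used = [m[6:] for m in methods if m.startswith("group:")]
        findings += [f"{label}: server group {g} is not defined"
                     for g in used if g not in groups]
        if used and "local" not in methods:
            findings.append(f"{label}: no local fallback after server group")
        if "none" in methods:
            findings.append(f"{label}: method 'none' disables this check")
    if lists.get("authentication login console") != ["local"]:
        findings.append("console login is not a local-only method list")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE) or ["no findings"]))
```

Running it against the saved configuration before and after the server change shows whether any method list was left pointing at a group name that no longer exists.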