07-27-2006 11:22 AM - edited 03-10-2019 02:40 PM
What do I need to modify or add to the following so that the locally defined user ID gui_id can succeed when logging into this router at all times, even if communication with the TACACS+ server is up? (gui_id does not exist on the TACACS+ server.) The order of authentication for the other defined user IDs and the default group should stay the same. Also, if possible, can the user gui_id be automatically enabled when authenticated, and how?
enable secret router_enable
username nst_id privilege 15 password nst_password
username gui_id privilege 15 password gui_password
username solv_id privilege 1 password solv_password
aaa new-model
aaa authentication username-prompt "Local Username: "
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization console
aaa accounting exec default start-stop tacacs+
aaa accounting commands 0 default stop-only tacacs+
aaa accounting commands 1 default stop-only tacacs+
aaa accounting commands 15 default stop-only tacacs+
tacacs-server host xxx.xxx.xxx.xxx
tacacs-server key *******
07-28-2006 09:04 AM
Unfortunately, it doesn't quite work that way. When a method list is used (in your case, the default method list), it will use the first method in that list. For your config, the attempt will authenticate against the TACACS+ server. If the TACACS+ server is responsive and actually responds with a reject message, the authentication will not fall back to local and will fail the user. This is intended behavior. Only when the TACACS+ server is unresponsive or not sending back valid responses will authentication ever fall back to local.
If the local database is being used due to fallback and you want to automatically be placed in enable mode, you need to add "local" to your authorization exec so that the shell exec privilege is passed:
aaa authorization exec default group tacacs+ local if-authenticated
Is there a specific need for your local user gui_id to be able to authenticate at all times? As a best practice, your users should all authenticate to TACACS+. Only if TACACS+ goes down should you need to use the local database as a backdoor in this failure scenario.
Sincerely,
Annie
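The reply above rests on one rule of IOS method lists: a method that answers (pass or reject) ends the list, and only a method that cannot answer (server unreachable) hands off to the next one. The following Python model is an added illustration, not code from this thread or from Cisco; the user tables, the privilege levels and the assumption that "if-authenticated" alone lands the user at privilege 1 are constructed for the example. It walks the login list "group tacacs+ local" and both forms of the exec authorization list from the thread, so you can see why gui_id is rejected while the server is up and what the extra "local" keyword changes once the server is down.

```python
# Added example: a small model of how a Cisco IOS AAA method list walks its
# methods. Server contents, user tables and privilege levels are constructed
# to mirror the "username ..." lines in the question; gui_id is deliberately
# absent from the TACACS+ table, as the asker describes.

LOCAL_USERS = {  # constructed: the router's "username ... privilege ..." lines
    "nst_id":  {"password": "nst_password",  "privilege": 15},
    "gui_id":  {"password": "gui_password",  "privilege": 15},
    "solv_id": {"password": "solv_password", "privilege": 1},
}

TACACS_USERS = {  # constructed: what the TACACS+ server knows (no gui_id)
    "nst_id":  {"password": "nst_password",  "privilege": 15},
    "solv_id": {"password": "solv_password", "privilege": 1},
}

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


def tacacs_authenticate(user, password, server_up):
    """Simulated TACACS+ login: unreachable server -> ERROR, reject -> FAIL."""
    if not server_up:
        return ERROR, None
    entry = TACACS_USERS.get(user)
    if entry is not None and entry["password"] == password:
        return PASS, entry
    return FAIL, None


def local_authenticate(user, password, server_up):
    """Simulated 'local' method; the server state is irrelevant here."""
    entry = LOCAL_USERS.get(user)
    if entry is not None and entry["password"] == password:
        return PASS, entry
    return FAIL, None


AUTH_METHODS = {"tacacs+": tacacs_authenticate, "local": local_authenticate}


def run_login_list(methods, user, password, server_up):
    """Walk the methods in order. Only ERROR moves on to the next method;
    PASS and FAIL are final. Returns (result, method_that_decided)."""
    for method in methods:
        result, _entry = AUTH_METHODS[method](user, password, server_up)
        if result != ERROR:
            return result, method
    return ERROR, None  # every method errored: the login fails


def authorize_exec(methods, user, server_up):
    """Model of 'aaa authorization exec default ...' for a user who has just
    authenticated. Returns (exec_allowed, privilege_level)."""
    for method in methods:
        if method == "tacacs+":
            if not server_up:
                continue  # ERROR: fall through to the next method
            entry = TACACS_USERS.get(user)
            return (entry is not None, entry["privilege"] if entry else None)
        if method == "local":
            entry = LOCAL_USERS.get(user)
            if entry is None:
                return False, None  # FAIL is final
            return True, entry["privilege"]  # local privilege 15 gives enable
        if method == "if-authenticated":
            # Grants the shell but carries no privilege level; modelled here
            # as the default level 1 (an assumption for this example).
            return True, 1
    return False, None


def login(user, password, server_up, authz_methods):
    """Login through 'group tacacs+ local', then exec authorization."""
    result, via = run_login_list(["tacacs+", "local"], user, password, server_up)
    if result != PASS:
        return {"authenticated": False, "via": via, "privilege": None}
    allowed, priv = authorize_exec(authz_methods, user, server_up)
    return {"authenticated": True, "via": via, "privilege": priv if allowed else None}


# The two exec authorization lists discussed in the thread.
AUTHZ_ORIGINAL = ["tacacs+", "if-authenticated"]
AUTHZ_WITH_LOCAL = ["tacacs+", "local", "if-authenticated"]

if __name__ == "__main__":
    for server_up in (True, False):
        for authz in (AUTHZ_ORIGINAL, AUTHZ_WITH_LOCAL):
            print("server_up=%s authz=%s -> %s"
                  % (server_up, authz, login("gui_id", "gui_password", server_up, authz)))
```

Running it shows the four outcomes the reply predicts: with the server up, gui_id is rejected by TACACS+ and the list stops there; with the server down, gui_id authenticates locally, but only the list containing "local" carries the configured privilege 15 into the exec session.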