Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3241
Views
25
Helpful
3
Replies

how to test AAA device administration without getting locked out?

Go to solution
SMD28316
Level 1
Level 1

‎12-19-2021 02:59 AM - edited ‎12-19-2021 02:59 AM

I am playing with TACACS/RADIUS device administration, sometimes I configure the authentication / authorization as RADIUS / TACACS or a mix of both? how can I configure AAA to fall into the local method in case I had an issue with the misconfiguration? If I got locked out, I want to use the inernal user on the switch instead, is this possible?

1 Accepted Solution

Accepted Solutions

Go to solution
Arne Bier
VIP
VIP

‎12-19-2021 01:43 PM

There are two approaches you can take

 

1) Add the "local" keyword to certain aaa commands which will be used if the aaa server (radius or tacacs) does not respond. If your aaa  config is wrong or gets messed up, causing you to be locked out of the IOS, then simply disable the tacacs/radius option for that device in ISE, which will cause ISE to not respond to the device - then the local user in IOS will be used. That always works.

aaa authentication login default group aaa local
aaa authorization exec default group aaa local if-authenticated

 

2) Use IOS Method Lists in aaa and line statement. Method Lists allow you to define multiple versions of the same aaa command, and then apply specific versions of the command to the the vty and con lines. E.g. a method list called "MYTACACS" that uses a TACACS+ Group can be applied to vty 0 -4 - but for the console line you assign a different method list like "LOCALCONSOLE" where the aaa auth and author is using local users only.

 

aaa authentication login default group aaa local
aaa authentication login CONSOLE none
aaa authorization exec default group aaa local if-authenticated
aaa authorization exec CONSOLE none
!
!
line con 0
authorization exec CONSOLE
login authentication CONSOLE
line aux 0
line vty 0 4
exec-timeout 0 0
transport input all
transport output all


 

 

View solution in original post

3 Replies 3

Go to solution
Arne Bier
VIP
VIP

‎12-19-2021 01:43 PM

There are two approaches you can take

 

1) Add the "local" keyword to certain aaa commands which will be used if the aaa server (radius or tacacs) does not respond. If your aaa  config is wrong or gets messed up, causing you to be locked out of the IOS, then simply disable the tacacs/radius option for that device in ISE, which will cause ISE to not respond to the device - then the local user in IOS will be used. That always works.

aaa authentication login default group aaa local
aaa authorization exec default group aaa local if-authenticated

 

2) Use IOS Method Lists in aaa and line statement. Method Lists allow you to define multiple versions of the same aaa command, and then apply specific versions of the command to the the vty and con lines. E.g. a method list called "MYTACACS" that uses a TACACS+ Group can be applied to vty 0 -4 - but for the console line you assign a different method list like "LOCALCONSOLE" where the aaa auth and author is using local users only.

 

aaa authentication login default group aaa local
aaa authentication login CONSOLE none
aaa authorization exec default group aaa local if-authenticated
aaa authorization exec CONSOLE none
!
!
line con 0
authorization exec CONSOLE
login authentication CONSOLE
line aux 0
line vty 0 4
exec-timeout 0 0
transport input all
transport output all


 

 

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee

‎12-19-2021 05:59 PM

Just an additional note on top of what @Arne Bier stated... most Cisco switches will only fallback to local auth if complete connectivity fails to the configured RADIUS/TACACS+ servers. If the switch can reach the ISE PSN and receive an ACCESS_REJECT (as would be the case of disabling RADIUS/TACACS settings for the NAD), the switch will treat this as an auth failure and not fall back to local auth. This can also cause big problems if you misconfigure command authorisation.

You would need a way to block TACACS+/RADIUS traffic between the switch and ISE PSNs to cause connectivity to fail and timeout for the switch to fallback to local authentication/authorisation.

Another common approach when configuring AAA remotely with no console access, and one I used many years ago during my CCIE Security lab exam, is the following:

  1. Save the configuration
  2. Issue the 'reload in <min>' command to schedule an automatic reload of the switch in case of lockout
  3. Apply your AAA configuration and open a second separate SSH session to test it
  4. If the configuration works as expected, issue the 'reload cancel' command to cancel the scheduled shutdown
  5. Save the updated configuration

Go to solution
Arne Bier
VIP
VIP
In response to Greg Gibbs

‎12-19-2021 06:18 PM

@Greg Gibbs - I was proposing that to cut the connection between the NAS and ISE by unticking the RADIUS or TACACS tickbox in ISE (whichever is used for device admin). If that is done, then ISE will not respond to any requests from that NAS. And therefore the NAS will exhaust its server options and choose local.

I would not advocate disabling the client's RADIUS tickbox in ISE if RADIUS is used for endpoint processing (802.1X, VPN etc) - but it sounds like @SMD28316 is possibly using TACACS+ anyway - or perhaps it's in a lab. I don't know. But I do know that this trick always gets me an my customers out of trouble in case someone fat fingers the NAS config and quickly needs to revert to the local accounts.

Customers Also Viewed These Support Documents