12-19-2021 02:59 AM - edited 12-19-2021 02:59 AM
I am playing with TACACS/RADIUS device administration. Sometimes I configure the authentication / authorization as RADIUS / TACACS or a mix of both. How can I configure AAA to fall into the local method in case I had an issue with the misconfiguration? If I got locked out, I want to use the internal user on the switch instead. Is this possible?
12-19-2021 01:43 PM
There are two approaches you can take
1) Add the "local" keyword to certain aaa commands which will be used if the aaa server (radius or tacacs) does not respond. If your aaa config is wrong or gets messed up, causing you to be locked out of the IOS, then simply disable the tacacs/radius option for that device in ISE, which will cause ISE to not respond to the device - then the local user in IOS will be used. That always works.
aaa authentication login default group aaa local
aaa authorization exec default group aaa local if-authenticated
2) Use IOS Method Lists in aaa and line statements. Method Lists allow you to define multiple versions of the same aaa command, and then apply specific versions of the command to the vty and con lines. E.g. a method list called "MYTACACS" that uses a TACACS+ Group can be applied to vty 0 - 4, but for the console line you assign a different method list like "LOCALCONSOLE" where the aaa auth and author is using local users only.
aaa authentication login default group aaa local
aaa authentication login CONSOLE none
aaa authorization exec default group aaa local if-authenticated
aaa authorization exec CONSOLE none
!
!
line con 0
authorization exec CONSOLE
login authentication CONSOLE
line aux 0
line vty 0 4
exec-timeout 0 0
transport input all
transport output all
12-19-2021 05:59 PM
Just an additional note on top of what @Arne Bier stated... most Cisco switches will only fallback to local auth if complete connectivity fails to the configured RADIUS/TACACS+ servers. If the switch can reach the ISE PSN and receive an ACCESS_REJECT (as would be the case of disabling RADIUS/TACACS settings for the NAD), the switch will treat this as an auth failure and not fall back to local auth. This can also cause big problems if you misconfigure command authorisation.
You would need a way to block TACACS+/RADIUS traffic between the switch and ISE PSNs to cause connectivity to fail and timeout for the switch to fallback to local authentication/authorisation.
Another common approach when configuring AAA remotely with no console access, and one I used many years ago during my CCIE Security lab exam, is the following:
12-19-2021 06:18 PM
@Greg Gibbs - I was proposing that to cut the connection between the NAS and ISE by unticking the RADIUS or TACACS tickbox in ISE (whichever is used for device admin). If that is done, then ISE will not respond to any requests from that NAS. And therefore the NAS will exhaust its server options and choose local.
I would not advocate disabling the client's RADIUS tickbox in ISE if RADIUS is used for endpoint processing (802.1X, VPN etc), but it sounds like @SMD28316 is possibly using TACACS+ anyway, or perhaps it's in a lab. I don't know. But I do know that this trick always gets me and my customers out of trouble in case someone fat fingers the NAS config and quickly needs to revert to the local accounts.
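The two points the thread turns on (Arne's method lists with "local" at the end, and Greg's note that an explicit reject from a reachable server is final while only silence moves the walk on to the next method) can be checked against a small simulator. The following is an added example, not Cisco code and not something any poster supplied: it parses constructed "aaa authentication login" lines, walks the method list the way the thread describes, and lets you flip the server between "answers" and "silent" to see whether the local user is ever consulted. The group name TACACS, the server name ise-psn, the usernames and passwords are all made up; "local" is modelled as a final answer, which ignores IOS's handling of a username missing from the local database.

```python
"""Walk an IOS AAA login method list the way the thread describes (added example,
not Cisco code): next method only on silence, explicit reject is final,
"none" always permits, "local" checks the device's own users."""
from dataclasses import dataclass, field
from enum import Enum


class Reply(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    TIMEOUT = "timeout"  # no answer: traffic filtered, or NAD not defined in ISE


@dataclass
class AaaServer:
    name: str
    users: dict = field(default_factory=dict)
    reachable: bool = True  # False models "ISE does not respond at all"

    def query(self, user: str, password: str) -> Reply:
        if not self.reachable:
            return Reply.TIMEOUT
        return Reply.ACCEPT if self.users.get(user) == password else Reply.REJECT


@dataclass
class Device:
    server_groups: dict  # group name -> [AaaServer, ...]
    local_users: dict    # username -> password ("username X password Y")
    method_lists: dict   # list name -> [("group", "TACACS"), ("local",), ...]


def parse_login_lists(config: str) -> dict:
    """Turn 'aaa authentication login <name> <methods...>' lines into method tuples."""
    lists = {}
    for raw in config.splitlines():
        tokens = raw.split()
        if tokens[:3] != ["aaa", "authentication", "login"]:
            continue
        name, rest, methods, i = tokens[3], tokens[4:], [], 0
        while i < len(rest):
            if rest[i] == "group":  # 'group <name>' consumes two tokens
                methods.append(("group", rest[i + 1]))
                i += 2
            else:                   # local, none, enable, ...
                methods.append((rest[i],))
                i += 1
        lists[name] = methods
    return lists


def query_group(device: Device, group: str, user: str, password: str) -> Reply:
    """First server that answers decides; TIMEOUT only if every server is silent."""
    for server in device.server_groups.get(group, []):
        reply = server.query(user, password)
        if reply is not Reply.TIMEOUT:
            return reply
    return Reply.TIMEOUT


def authenticate(device: Device, list_name: str, user: str, password: str):
    """Returns (permitted, method that decided)."""
    for method in device.method_lists[list_name]:
        if method[0] == "group":
            reply = query_group(device, method[1], user, password)
            if reply is Reply.ACCEPT:
                return True, f"group {method[1]}"
            if reply is Reply.REJECT:
                return False, f"group {method[1]} rejected"  # reject is final: no local fallback
            continue  # silence: fall through to the next method
        if method[0] == "local":
            return device.local_users.get(user) == password, "local"
        if method[0] == "none":
            return True, "none"
        raise ValueError(f"unsupported method {method[0]}")
    return False, "no method answered"


# Constructed config: TACACS+ with local fallback on vty, no auth on console.
CONFIG = """
aaa authentication login default group TACACS local
aaa authentication login CONSOLE none
"""


def build_device(ise_reachable: bool) -> Device:
    ise = AaaServer("ise-psn", users={"netadmin": "T@cacs-pw"}, reachable=ise_reachable)
    return Device(server_groups={"TACACS": [ise]},
                  local_users={"emergency": "L0cal-pw"},
                  method_lists=parse_login_lists(CONFIG))


def scenarios() -> dict:
    up, down = build_device(True), build_device(False)
    return {
        "console_none": authenticate(up, "CONSOLE", "", ""),
        "vty_tacacs_ok": authenticate(up, "default", "netadmin", "T@cacs-pw"),
        # ISE reachable and rejects: the local user is never consulted
        "vty_reject_no_fallback": authenticate(up, "default", "emergency", "L0cal-pw"),
        # ISE silent (NAD unticked in ISE, or TACACS+ traffic blocked): local works
        "vty_timeout_local": authenticate(down, "default", "emergency", "L0cal-pw"),
        "vty_timeout_bad_local_pw": authenticate(down, "default", "emergency", "wrong"),
    }


if __name__ == "__main__":
    for name, (ok, via) in scenarios().items():
        print(f"{name:26s} {'PERMIT' if ok else 'DENY':6s} via {via}")
```

Running it prints one line per scenario; the two to compare are "vty_reject_no_fallback" (denied even though the local account is valid, because the server answered) and "vty_timeout_local" (permitted via local only once the server is silent). That is the distinction between unticking the NAD in ISE so it stops replying, and leaving the NAD defined so ISE returns a reject.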