02-09-2024 04:11 AM - edited 02-09-2024 04:14 AM
Hi,
We are experiencing an authorization issue when entering a certain command in our global config on to fresh switches via the console cable.
Switch Model = 9300
Switch Ver = 17.9.4a
Although this seems to be happening on other switches and versions as well.
The below commands are accepted fine
!-- SERVICES --!
!
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service counters max age 10
!
logging buffered 100000
no logging console
no logging monitor
!
!
ip pim rp-address xx.xx.xx.xx
ip multicast-routing
!
!-- LOCAL LOGINS --!
!
no username Admin
no username admin
username user1 privilege 15 secret xxxx
username user2 privilege 15 secret xxxx
!
!
!-- ENABLE SECRET --!
!
enable secret xxxx
!
!-- AAA --!
!
aaa new-model
!
aaa group server tacacs+ TACSRV
server name ISE01
server name ISE02
ip tacacs source-interface Loopback0
!
!
ip radius source-interface Loopback0
aaa group server radius RADSRV
server name SER-ISE-02
server name SER-ISE-02
server name SEV-ISE-01
server name SEV-ISE-01
ip radius source-interface Loopback0
!
aaa authentication login default group TACSRV local
aaa authentication login console local
aaa authentication dot1x default group RADSRV
aaa authorization exec default group TACSRV local
aaa authorization commands 0 default group TACSRV local
aaa authorization commands 1 default group TACSRV local
This next command causes the issue:
aaa authorization commands 15 default group TACSRV local
At this point we get an authorization failed when we try anymore commands
We have tried adding some other commands to remediate this for example:
line con 0
privilege level 15
!
aaa authorization exec CON0 if-authenticated
aaa authorization console
!
Any guidance would be greatly appreciated, we are not sure why this is happening, this part of the config has been rolled out previously and never had this issue
The switch in this example is sitting on a desk with no network connectivity
Thanks!
Iain
Solved! Go to Solution.
02-09-2024 05:54 AM - edited 02-09-2024 05:58 AM
You are welcome. Sure you can. Instead of using the "default" method list which applies automatically to the VTY lines and the console, you can use custom method lists similar to the following, please note that I'm gonna only focused in these examples on the minimum authentication and authorization commands required not on the additions nor the other global aaa commands:
aaa authentication login ISE group TACSRV local
aaa authorization exec ISE group TACSRV local
aaa accounting exec ISE start-stop group TACSRV
aaa authorization commands 0 ISE group TACSRV if-authenticated
aaa authorization commands 1 ISE group TACSRV if-authenticated
aaa authorization commands 15 ISE group TACSRV if-authenticated
line vty 0 98
login authentication ISE
authorization exec ISE
The above will allow you to use the custom method list ISE for the VTY accesses such as SSH. SSH sessions will also be authorized by the ISE method list.
aaa authentication login CON local
aaa authorization exec CON local
line con 0
login authentication CON
authorization exec CON
privilege level 15
The above should allow you to connect through console without being subject to any authentication nor authorization against ISE.
As I mentioned above, there are other commands that you can apply depending on how restrictive you want to be such as authorizing the config terminal commands and enable secret.
02-09-2024 05:07 AM
Are you looking to Authenticate Console using TACACS and fall back to Local - or always Local ?
i use below standard config works for all Cisco switches :
aaa new-model
tacacs server ISE1
address ipv4 192.100.1.1
key Mykey
tacacs server ISE2
address ipv4 192.200.1.1
key MyKey
ip tacacs source-interface Loopback0
aaa group server tacacs+ ISE_GRP
server name ISE1
server name ISE2
aaa authentication login default group ISE_GRP local
aaa authorization config-commands
aaa authorization exec default group ISE_GRP local
aaa authorization commands 0 default group ISE_GRP local
aaa authorization commands 1 default group ISE_GRP local
aaa authorization commands 15 default group ISE_GRP local
aaa accounting exec default start-stop group ISE_GRP
aaa accounting commands 0 default start-stop group ISE_GRP
aaa accounting commands 1 default start-stop group ISE_GRP
aaa accounting commands 15 default start-stop group ISE_GRP
02-09-2024 05:08 AM
You use local user to access and not config command allow for each privilege.
You can use with
Aaa authz command
Keyword if-auth instead of local to override this case
Note:- please dont wr the config until you sure the config is work' this give us retrun point if config not work (by reload)
MHM
02-09-2024 05:27 AM
@MHM Cisco World the "if-authenticated" keyword shouldn't be a replacement for the "local" keyword. "if-authenticated" is used to bypass the authorization requests in case ISE TACACS services are not available anymore after the user has authenticated to the switch. For instance, say you have authenticated to the switch, and right after ISE went down, so instead of denying all your authorization requests (because ISE is down) the switch will allow any command in that case. It is sort of a fall-back method.
02-09-2024 05:37 AM
I mention if he use local user then he need to override authz command.
Local keyword dont work if he dont config command allow for each privilege
If-auth can override whole authz command if he auth by local if he auth by ISE then method order first check command with ISE.
MHM
02-09-2024 05:24 AM
Hi Iain, as @MHM Cisco World mentioned, you seem to be connected to the switch with a local user account. When you apply the "aaa authorization commands 15", the switch will then relay any authorization request to ISE, and because you are connected with a local user account, there wouldn't be any match on ISE TACACS rules to authorize your commands.
As a best practice, you should connect to the switch via console, amend all the TACACS commands to the VTY lines, and then test by logging into the switch via SSH with a user that exists on your AD or ISE local database, that depends on your configs on ISE TACACS policy set. Once you are happy with everything, you can save the configs to the switch and then as a final stage you amend the changes to the console line.
If you don't have console access to the switch at this stage, then once you applied the "aaa authorization commands 15" command, you should open up an SSH session to the switch with an AD or local ISE account which should allow you to continue your configs from there.
02-09-2024 05:36 AM
Hi Aref,
Thanks for your explanation, we did think that the auth 15 command was coming into play for the reason you mentioned, that the switch was trying to authorise our commands against ISE, but it has no connectivity.
Since we are configuring the switch via Console, is there a command we could enter that eliminates aaa commands from interfering with the console? Or if TACACS servers are unavailable, like in this scenario, can you configure fallback to the switch local database to ensure you can always enter commands via the console?
Because what we have noticed on some of our legacy switches we have to password recover on the console if the switch is off the network, I am guessing now due to some of our aaa config
Cheers
Iain
02-09-2024 05:54 AM - edited 02-09-2024 05:58 AM
You are welcome. Sure you can. Instead of using the "default" method list which applies automatically to the VTY lines and the console, you can use custom method lists similar to the following, please note that I'm gonna only focused in these examples on the minimum authentication and authorization commands required not on the additions nor the other global aaa commands:
aaa authentication login ISE group TACSRV local
aaa authorization exec ISE group TACSRV local
aaa accounting exec ISE start-stop group TACSRV
aaa authorization commands 0 ISE group TACSRV if-authenticated
aaa authorization commands 1 ISE group TACSRV if-authenticated
aaa authorization commands 15 ISE group TACSRV if-authenticated
line vty 0 98
login authentication ISE
authorization exec ISE
The above will allow you to use the custom method list ISE for the VTY accesses such as SSH. SSH sessions will also be authorized by the ISE method list.
aaa authentication login CON local
aaa authorization exec CON local
line con 0
login authentication CON
authorization exec CON
privilege level 15
The above should allow you to connect through console without being subject to any authentication nor authorization against ISE.
As I mentioned above, there are other commands that you can apply depending on how restrictive you want to be such as authorizing the config terminal commands and enable secret.
02-09-2024 05:57 AM
So in end you suggest if-auth as Me.
MHM
02-09-2024 06:06 AM
Yes indeed my friend, I aways use "if-authenticated" (unless the customer requests otherwise) because that would bypass any authorization requests if the TACACS server should go down after the users are authenticated. It is a protection mechanism I would say, so instead of blocking all the authorization requests until the TACACS server is back, the already connected admins to the network devices can keep doing their works until the TACACS server is back online or their sessions are timed out.
02-09-2024 07:06 AM - edited 02-10-2024 06:37 AM
Thank you, I have managed to put together some config from your instructions:
aaa authentication login ISE group TACSRV local
aaa authentication login CON local
aaa authentication dot1x default group RADSRV
aaa authorization exec ISE group TACSRV local
aaa authorization exec CON local
aaa authorization commands 0 ISE group TACSRV local if-authenticated
aaa authorization commands 1 ISE group TACSRV local if-authenticated
aaa authorization commands 15 ISE group TACSRV local if-authenticated
aaa authorization network default group RADSRV
aaa authorization network SGLIST group radius
aaa authorization auth-proxy default group RADSRV
aaa accounting update periodic 5
aaa accounting dot1x default start-stop group RADSRV
aaa accounting exec ISE start-stop group tacacs+
aaa accounting commands 0 ISE start-stop group TACSRV
aaa accounting commands 1 ISE start-stop group TACSRV
aaa accounting commands 15 ISE start-stop group TACSRV
aaa accounting system default start-stop group RADSRV
line con 0
session-timeout 15
exec-timeout 15 0
logging synchronous
history size 256
login authentication CON
authorization exec CON
privilege level 15
line vty 0 15
session-timeout 15
exec-timeout 15 0
logging synchronous
access-class vty-access in
login authentication ISE
authorization exec ISE
Which has fixed our issue with console
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide