Solved: Issues with line con 0 auth when entering aaa commands

Eager_2_Learn · ‎02-09-2024

Hi,

We are experiencing an authorization issue when entering a certain command in our global config on to fresh switches via the console cable.

Switch Model = 9300

Switch Ver = 17.9.4a

Although this seems to be happening on other switches and versions as well.

The below commands are accepted fine

!-- SERVICES --!
!
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service counters max age 10
!
logging buffered 100000
no logging console
no logging monitor
!
!
ip pim rp-address xx.xx.xx.xx
ip multicast-routing
!
!-- LOCAL LOGINS --!
!
no username Admin
no username admin
username user1 privilege 15 secret xxxx
username user2 privilege 15 secret xxxx
!
!
!-- ENABLE SECRET --!
!
enable secret xxxx
!
!-- AAA --!
!
aaa new-model
!
aaa group server tacacs+ TACSRV
server name ISE01
server name ISE02
ip tacacs source-interface Loopback0
!
!
ip radius source-interface Loopback0

aaa group server radius RADSRV
server name SER-ISE-02
server name SER-ISE-02
server name SEV-ISE-01
server name SEV-ISE-01
ip radius source-interface Loopback0
!
aaa authentication login default group TACSRV local
aaa authentication login console local
aaa authentication dot1x default group RADSRV
aaa authorization exec default group TACSRV local
aaa authorization commands 0 default group TACSRV local
aaa authorization commands 1 default group TACSRV local

This next command causes the issue:

aaa authorization commands 15 default group TACSRV local

At this point we get an authorization failed when we try anymore commands

We have tried adding some other commands to remediate this for example:

line con 0
privilege level 15

!

aaa authorization exec CON0 if-authenticated

aaa authorization console

!

Any guidance would be greatly appreciated, we are not sure why this is happening, this part of the config has been rolled out previously and never had this issue

The switch in this example is sitting on a desk with no network connectivity

Thanks!

Iain

Aref Alsouqi · ‎02-09-2024

You are welcome. Sure you can. Instead of using the "default" method list which applies automatically to the VTY lines and the console, you can use custom method lists similar to the following, please note that I'm gonna only focused in these examples on the minimum authentication and authorization commands required not on the additions nor the other global aaa commands:

aaa authentication login ISE group TACSRV local
aaa authorization exec ISE group TACSRV local
aaa accounting exec ISE start-stop group TACSRV
aaa authorization commands 0 ISE group TACSRV if-authenticated
aaa authorization commands 1 ISE group TACSRV if-authenticated
aaa authorization commands 15 ISE group TACSRV if-authenticated

line vty 0 98
login authentication ISE
authorization exec ISE

The above will allow you to use the custom method list ISE for the VTY accesses such as SSH. SSH sessions will also be authorized by the ISE method list.

aaa authentication login CON local
aaa authorization exec CON local

line con 0
login authentication CON
authorization exec CON
privilege level 15

The above should allow you to connect through console without being subject to any authentication nor authorization against ISE.

As I mentioned above, there are other commands that you can apply depending on how restrictive you want to be such as authorizing the config terminal commands and enable secret.

View solution in original post

balaji.bandi · ‎02-09-2024

Are you looking to Authenticate Console using TACACS and fall back to Local - or always Local ?

i use below standard config works for all Cisco switches :

aaa new-model

tacacs server ISE1
address ipv4 192.100.1.1
key Mykey
tacacs server ISE2
address ipv4 192.200.1.1
key MyKey

ip tacacs source-interface Loopback0

aaa group server tacacs+ ISE_GRP
server name ISE1
server name ISE2

aaa authentication login default group ISE_GRP local
aaa authorization config-commands
aaa authorization exec default group ISE_GRP local
aaa authorization commands 0 default group ISE_GRP local
aaa authorization commands 1 default group ISE_GRP local
aaa authorization commands 15 default group ISE_GRP local
aaa accounting exec default start-stop group ISE_GRP
aaa accounting commands 0 default start-stop group ISE_GRP
aaa accounting commands 1 default start-stop group ISE_GRP
aaa accounting commands 15 default start-stop group ISE_GRP

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

MHM Cisco World · ‎02-09-2024

You use local user to access and not config command allow for each privilege.

You can use with

Aaa authz command

Keyword if-auth instead of local to override this case

Note:- please dont wr the config until you sure the config is work' this give us retrun point if config not work (by reload)

MHM

Aref Alsouqi · ‎02-09-2024

@MHM Cisco World the "if-authenticated" keyword shouldn't be a replacement for the "local" keyword. "if-authenticated" is used to bypass the authorization requests in case ISE TACACS services are not available anymore after the user has authenticated to the switch. For instance, say you have authenticated to the switch, and right after ISE went down, so instead of denying all your authorization requests (because ISE is down) the switch will allow any command in that case. It is sort of a fall-back method.

MHM Cisco World · ‎02-09-2024

I mention if he use local user then he need to override authz command.

Local keyword dont work if he dont config command allow for each privilege

If-auth can override whole authz command if he auth by local if he auth by ISE then method order first check command with ISE.

MHM

Aref Alsouqi · ‎02-09-2024

Hi Iain, as @MHM Cisco World mentioned, you seem to be connected to the switch with a local user account. When you apply the "aaa authorization commands 15", the switch will then relay any authorization request to ISE, and because you are connected with a local user account, there wouldn't be any match on ISE TACACS rules to authorize your commands.

As a best practice, you should connect to the switch via console, amend all the TACACS commands to the VTY lines, and then test by logging into the switch via SSH with a user that exists on your AD or ISE local database, that depends on your configs on ISE TACACS policy set. Once you are happy with everything, you can save the configs to the switch and then as a final stage you amend the changes to the console line.

If you don't have console access to the switch at this stage, then once you applied the "aaa authorization commands 15" command, you should open up an SSH session to the switch with an AD or local ISE account which should allow you to continue your configs from there.

Eager_2_Learn · ‎02-09-2024

Hi Aref,

Thanks for your explanation, we did think that the auth 15 command was coming into play for the reason you mentioned, that the switch was trying to authorise our commands against ISE, but it has no connectivity.

Since we are configuring the switch via Console, is there a command we could enter that eliminates aaa commands from interfering with the console? Or if TACACS servers are unavailable, like in this scenario, can you configure fallback to the switch local database to ensure you can always enter commands via the console?

Because what we have noticed on some of our legacy switches we have to password recover on the console if the switch is off the network, I am guessing now due to some of our aaa config

Cheers

Iain

Aref Alsouqi · ‎02-09-2024