1077 Views, 0 Helpful, 7 Replies

Local Username and Password

mrashby
Level 1

I have AAA running on my router and I can authenticate/authorize using the ACS server. I wanted to test my config, so I turned off the ACS server and tried logging in using the local username and password. I authenticate fine, but then I get "%Authentication failed." and the username prompt comes up again. This concerns me because I have to have a back door into my routers in case the ACS server goes down for whatever reason.

7 Replies

paddyxdoyle
Level 6

How are your AAA method lists configured?

For authentication do you have radius followed by local and for authorization do you have radius followed by if-needed?

Rgds

Paddy

No, I didn't use if-needed. What does that actually do? I am using TACACS+. I have also posted my config; please let me know what you think about it. Thanks.

Richard Burts
Hall of Fame

I am a little puzzled about your description which says that you authenticate fine and then get an error message about authentication failed. I wonder if it is possible that the error message is actually saying authorization failed. I have seen this situation several times before where local authentication works but then there is an authorization failure.

If you have not solved your problem yet, it would be very helpful if you would post the appropriate parts of your config.

HTH

Rick

I am sorry, it does say AUTHORIZATION FAILED. I am also posting my config.

*****************************************************

Building configuration...

Current configuration : 1384 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname BIZNESS
!
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 5 default none
enable password xxx
!
username xxx password xxx
ip subnet-zero
!
!
!
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 165.x.x.x 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 shutdown
!
ip classless
no ip http server
!
!
menu ADMIN1 prompt ^CSELECT AN OPTION PUNK^C
menu ADMIN1 text 1 SHO IP INTERFACE BRIEF
menu ADMIN1 command 1 SHOW IP INTERFACE BRIEF
menu ADMIN1 text 2 SHOW INTERFACE FA0/0
menu ADMIN1 command 2 SHO INT FA0/0
menu ADMIN1 text 3 SHOW RUN INTERFACE FA0/0
menu ADMIN1 command 3 SHOW RUN INT FA0/0
menu ADMIN1 text 4 SHOW ARP
menu ADMIN1 command 4 SHOW ARP
menu ADMIN1 text 5 EXIT
menu ADMIN1 command 5 LOGOUT
tacacs-server host 165.110.30.15 key 7 00071A1507545A545C
tacacs-server directed-request
!
dial-peer cor custom
!
!
!
!
privilege exec level 5 show ip interface brief
privilege exec level 5 show interface fa0/0
privilege exec level 5 show show run interface fa0/0
privilege exec level 5 show show arp
!
line con 0
line aux 0
line vty 0 4
 password xxx
!
end

Mario

I think that Paddy was on the right track. The issue is with your configuration line:

aaa authorization exec default group tacacs+ local

which says for authorization to start an exec process go to tacacs and if that does not work look for some local means of authorization. I would suggest that you change it to:

aaa authorization exec default group tacacs+ if-authenticated

According to the command reference for aaa authorization the if-authenticated method allows the user to access the requested function if the user is authenticated. I would not want this to be my primary method, but it is what I usually see as the fall-back method.

I suggest that you change that line in the config and let us know how it works.

As for other comments about the config, under service timestamps I usually like to use datetime rather than uptime and find the results easier to interpret. It is especially useful to specify datetime if you have some method of maintaining time, such as running NTP. But even if the time is not accurate I would rather see a log message or a debug message with a day and a time rather than a message that says "been up for 2 days 1 hour".

I see that you have configured some menu items and also privilege levels but do not see how you plan to invoke them.

Otherwise it is a pretty simple and workable config.

HTH

Rick

Okay, I tried the command aaa authorization exec default group tacacs+ if-authenticated. When I use this command it lets me authenticate and authorize when I log on using the local username and password. The only problem is that now it seems not to activate my menu commands; it just authenticates me to the routername> prompt. But when I use the command I had in there before, I get my menu commands but it won't authorize when I use the local username and password. Is it possible to create another method list and apply it to the local username and password, or are the method lists interface specific only? Please let me know your thoughts on this.

Mario

I am assuming that there are some things in the way that you have defined the user in tacacs that assign the privilege level and execute the menu. I think we can get the functionality that you want in the local ID as well.

I do not believe that another method list will be helpful. But there are some alternatives available in configuring local username that should do what you want. You might try the online help to see them:

config t
username RTADMIN ?

I think you should look especially at the autocommand which you can use to execute the menu, and possibly the privilege which can assign the desired privilege level.

HTH

Rick
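Below is an added example config that pulls together the two suggestions in this thread (the if-authenticated fall-back for EXEC authorization, and carrying privilege level and autocommand on the local username). It is not Mario's posted config and not text from Rick; the hostname, username, passwords, the menu contents and the TACACS+ server address are placeholders, and the level-5 command set is trimmed to one entry for brevity.

```cisco
! Added example (not the thread's posted config): AAA with a TACACS+ primary
! and a local fall-back account that still lands in the menu.
! Placeholders: RTADMIN, <placeholder-password>, <placeholder-key>, 192.0.2.10.
aaa new-model
!
! Login authentication: TACACS+ first, local user database if the server
! group cannot be reached.
aaa authentication login default group tacacs+ local
!
! EXEC authorization: TACACS+ first; when the server group cannot be reached,
! a user who has already authenticated is granted an EXEC shell.
aaa authorization exec default group tacacs+ if-authenticated
!
! Local fall-back account. Privilege level and autocommand live on the
! username itself, so nothing has to come back from TACACS+ for the menu
! to run. "secret" stores a hash where the image supports it; otherwise use
! "password" together with service password-encryption as in the thread.
username RTADMIN privilege 5 secret <placeholder-password>
username RTADMIN autocommand menu ADMIN1
!
tacacs-server host 192.0.2.10 key <placeholder-key>
!
! The menu the autocommand invokes (one operational entry plus an exit).
menu ADMIN1 prompt ^CSELECT AN OPTION^C
menu ADMIN1 text 1 SHOW IP INTERFACE BRIEF
menu ADMIN1 command 1 show ip interface brief
menu ADMIN1 text 2 EXIT
menu ADMIN1 command 2 logout
!
! Make the menu's command available at the fall-back account's level.
privilege exec level 5 show ip interface brief
```

Two caveats when testing this the way the original poster did (ACS switched off). First, IOS only moves to the next method in a list when the previous method returns an error (server unreachable or not responding); an explicit reject from a reachable TACACS+ server does not fall through to local or if-authenticated, so a failed test against a running server is expected behaviour, not a broken back door. Second, after logging in with the local account while the server is down, "show privilege" confirms the level the username carries, and the autocommand should drop you straight into the menu rather than at the routername> prompt.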