Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4190
Views
5
Helpful
6
Replies

Problems with AAA Authorization on console

Go to solution
russell.sage
Level 3
Level 3

‎11-13-2020 04:24 AM

I have read a number of posts and tested a number of them. Due to Cisco deprecating the legacy tacacs-server host command

I have come up with a new config. However, when I add the line in red access via the console is cut-off. 

 

This is on a 9200L switch running 16.12.4

 

aaa new-model
!
!
aaa group server tacacs+ TACACS_GROUP
 server name TACACS_SERVER_1
 ip tacacs source-interface Vlan3
!
aaa authentication login default group TACACS_GROUP local
aaa authentication login CON group tacacs+ line
aaa authentication enable default group TACACS_GROUP enable
 
aaa authorization console
aaa authorization exec default group TACACS_GROUP if-authenticated

aaa authorization commands 1 default group TACACS_GROUP local if-authenticated 

aaa authorization commands 15 default group TACACS_GROUP local if authenticated 

aaa accounting exec default start-stop group TACACS_GROUP
aaa accounting commands 1 default start-stop group TACACS_GROUP
aaa accounting commands 15 default start-stop group TACACS_GROUP
aaa accounting connection default start-stop group TACACS_GROUP
 
aaa session-id common
!
!
tacacs server TACACS_SERVER_1
 address ipv4 x.x.x.x
 key 7 ****************************
 timeout 2
 single-connection
 
line con 0
 exec-timeout 15 0
 password 7 **************************
 authorization exec CON
 login authentication CON
 transport output none
 escape-character 3
 stopbits 1
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Aref Alsouqi
VIP
VIP

‎11-14-2020 09:29 AM

I think that is expected in your case as you seem to have applied the wrong authorization method list to the console line. Based on the configs you shared, you used the default method list for authorization exec, so you should use that method list on the console line. Also, I would add the if-authenticated keyword to the authorization exec line to allow the already authenticated users to interact with the device in case the TACACS server is not reachable.

line con 0

 no authorization exec CON

 authorization exec default

 

View solution in original post

6 Replies 6

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎11-13-2020 05:32 AM

When you say " console is cut-off. " is that mean you conjfiguring this config using Console ?

 

after you add that config, what username and password you using to Loging, first ACACS_GROUP if that fail Local

 

aaa authentication login CON group tacacs+ local

 

here is soem diag tips :

 

https://www.cisco.com/c/en/us/support/docs/security-vpn/terminal-access-controller-access-control-system-tacacs-/10384-security.html

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
russell.sage
Level 3
Level 3
In response to balaji.bandi

‎11-13-2020 05:42 AM

Yes I mean I am testing from the console port on the switch and when I add the authorization config in red any further commands fail authorization as the switch doesn't have connectivity to the TACACs server.

 

Historically we haven't used a username and password for console access just a password under the line con 0 configuration.

I have added a username and password and will try adding the local word to the CON profile

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎11-13-2020 06:14 AM

Good you processing, let us know what was the outcome after changing.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
Aref Alsouqi
VIP
VIP

‎11-14-2020 09:29 AM

I think that is expected in your case as you seem to have applied the wrong authorization method list to the console line. Based on the configs you shared, you used the default method list for authorization exec, so you should use that method list on the console line. Also, I would add the if-authenticated keyword to the authorization exec line to allow the already authenticated users to interact with the device in case the TACACS server is not reachable.

line con 0

 no authorization exec CON

 authorization exec default

 

Go to solution
russell.sage
Level 3
Level 3
In response to Aref Alsouqi

‎11-15-2020 11:48 PM

Hi

I tried what you suggested but as soon as I added the aaa authorization console I am locked out
0 Helpful

Go to solution
Aref Alsouqi
VIP
VIP
In response to russell.sage

‎11-24-2020 10:04 AM

Do you mean you could not issue any commands post applying those commands? if so, you would need to log out and log back into the device. Try that please and let us know if it works.

0 Helpful
Customers Also Viewed These Support Documents