Struggling with aaa Authentication using TACACS+

jeggleston
Level 1

Greetings,

I am struggling to configure aaa authentication on my Cisco switches. Currently all of my devices are using a corporate Cisco ISE server to do TACACS+. We are being spun out as a standalone company and I have to bring up our own TACACS+ server. To that end, I have purchased an application called ClearBox TACACS+.

I have the TACACS+ server set up to do a Windows AD Global Group lookup. So far so good.

This is the aaa setup on the switch:

enable secret 5 [Secret 5 Hash Here]
username admin privilege 15 password 7 [Secret 7 hash here]
aaa new-model
aaa group server tacacs+ WPLG_TACACS
 server name WPLG_TAC
 ip tacacs source-interface Vlan10
aaa authentication login default group WPLG_TACACS local
aaa authentication login no_tacacs local
aaa authentication enable default group WPLG_TACACS enable
aaa accounting update newinfo
aaa accounting exec default stop-only group WPLG_TACACS
aaa accounting commands 0 default stop-only group WPLG_TACACS
aaa accounting commands 1 default stop-only group WPLG_TACACS
aaa accounting commands 7 default start-stop group WPLG_TACACS
aaa accounting commands 15 default stop-only group WPLG_TACACS
aaa session-id common

tacacs server WPLG_TAC
 address ipv4 xxx.xxx.xxx.xxx
 key 7 [Secret 7 hash here]

line con 0
 exec-timeout 60 0
 privilege level 15
 login authentication no_tacacs
 stopbits 1
line vty 0
 exec-timeout 60 0
 transport input ssh
line vty 1 4
 exec-timeout 60 0
 length 0
 transport input ssh
line vty 5 15
 exec-timeout 60 0
 transport input ssh

Here is my authentication problem: with the line "aaa authentication enable default group WPLG_TACACS enable" in the config, I can log in with my domain username and password when using PuTTY SSH. This works as expected.

From a new console session I get prompted for a username/password, and I can log in as admin with the local admin password. That brings me right to the # prompt, enable mode. Now, if I use the disable command to go back to the > prompt and then try to use the enable command again, the enable password will always fail. The admin password will also fail. I have to log out and start the console session again.

If I remove the line "aaa authentication enable default group WPLG_TACACS enable", I can log in using PuTTY SSH and authenticate against my Windows AD group, and when using a console login I get prompted for the local admin username and password and get to the enable prompt #. I can use the disable command to get back to the > prompt, and then when I use the enable command the local enable password will work.

Is the normal behavior of do I have something reconfigured?

Thanks!

3 Replies

jeggleston
Level 1
Sorry, the line:
Is the normal behavior of do I have something reconfigured?
Should have been:
Is this behavior normal or do I have something mis-configured?

mbilgrav
Level 3
You have these lines:
aaa authentication login no_tacacs local
aaa authentication enable default group WPLG_TACACS enable

So whenever you issue enable it will talk to WPLG_TACACS (if available); if not, it will then use local enable.

So if you want, you can try and make your T+ server unavailable to the NAD; it will likely work for you.
Or try adding "none" to:
aaa authentication login no_tacacs local none

BTW, what switch/router and IOS version?

Bonus free tips: don't use the ADMIN user, it's prone to brute-force dictionary attacks! And change "password" to "secret" to avoid the reverse-hashing option on your password.

username admin privilege 15 password 7 [Secret 7 hash here] - should be changed to:
username somefreakysuperadminusernamenotpronetodictionaryattacks privilege 15 secret [Secretpass here]

And on your T+ server, create a user called admin and disable it!

Happy AAA'ing!
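The method-list walk described in the reply above, as an added Python model that is not Cisco code and not from this thread; the accounts admin/jdoe, their passwords and the tacacs_up flag are constructed assumptions:

```python
# Added model of how IOS walks an AAA method list; not Cisco code. The
# accounts and passwords are constructed placeholders.
from dataclasses import dataclass

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"  # per-method outcomes

@dataclass
class Switch:
    local_users: dict    # "username ... secret ..."
    enable_secret: str   # "enable secret ..."
    tacacs_up: bool      # can the NAD reach WPLG_TACACS? (assumed flag)
    tacacs_users: dict   # accounts the T+ server resolves via AD lookup
    login_lists: dict    # "aaa authentication login <name> ..."
    enable_list: list    # "aaa authentication enable default ..."

    def try_method(self, method, user, password):
        if method == "group WPLG_TACACS":
            if not self.tacacs_up:
                return ERROR  # unreachable: IOS moves on to the next method
            return PASS if self.tacacs_users.get(user) == password else FAIL
        if method == "local":
            return PASS if self.local_users.get(user) == password else FAIL
        if method == "enable":
            return PASS if password == self.enable_secret else FAIL
        if method == "none":
            return PASS  # "none" performs no authentication at all
        raise ValueError(method)

    def walk(self, methods, user, password):
        """Return (outcome, deciding method). A reject (FAIL) ends the walk;
        only ERROR lets IOS try the next method in the list."""
        for m in methods:
            r = self.try_method(m, user, password)
            if r != ERROR:
                return r, m
        return FAIL, None  # every method errored: access denied

def op_switch(tacacs_up=True, enable_line=True):
    """The poster's config; enable_line=False omits the
    'aaa authentication enable default group WPLG_TACACS enable' line."""
    return Switch(
        local_users={"admin": "local-admin-pw"},
        enable_secret="local-enable-pw",
        tacacs_up=tacacs_up,
        tacacs_users={"jdoe": "ad-pw"},
        login_lists={"default": ["group WPLG_TACACS", "local"],
                     "no_tacacs": ["local"]},
        enable_list=["group WPLG_TACACS", "enable"] if enable_line else ["enable"],
    )
```

With the T+ server reachable, the enable attempt after a local console login ends at the TACACS+ reject of "admin" and the local enable secret is never consulted; only an unreachable server falls through to the enable method.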