12-16-2012 01:09 AM - edited 03-10-2019 07:53 PM
Hi.
I have many types of Cisco devices, such as:
* Catalyst switches (2960, 3560, 2950, 4500 chassis, etc.)
* Nexus 5548.
* Nexus 7000.
* Nexus 4K.
I have configured a TACACS server and it works fine.
But I have many problems:
1. When I log in with a TACACS user, it logs me in without exec mode (enable mode).
2. I want to be able to log in via console with a local username and password (even when the TACACS server is alive).
3. For now I have configured only the Catalyst switches, but I don't know the proper commands for the Nexus OS (5k, 7k; I understand that the configuration between the Nexus models is different).
I am testing the whole environment with a "test switch" (Catalyst 2960). My current configuration is:
"
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
!
!
!
!
!
aaa session-id common
!
ip default-gateway 1.1.1.1
ip http server
ip http secure-server
tacacs-server host 1.1.1.2
tacacs-server key 7 1427171F09161A2E2A08
tacacs server TACACS-SRV
!
!
!
!
line con 0
line vty 0 4
transport input ssh
line vty 5 15
!
end
"
Any suggestions?
12-16-2012 06:28 AM
Hi Bendali,
Try the modifications below.
1. When I log in with a TACACS user, it logs me in without exec mode (enable mode).
I thought your existing configuration would have taken you to enable mode. Since it does not, try reconfiguring the AAA as below to get to enable mode:
no aaa authentication login default group tacacs+ local
aaa authentication login TACACS group tacacs+ local
line vty 0 4
login authentication TACACS
2. I want to be able to log in via console with a local username and password (even when the TACACS server is alive).
To use local console login, modify the configuration as below:
username Cisco priv 15 password Cisco
line console 0
login local
3. For now I have configured only the Catalyst switches, but I don't know the proper commands for the Nexus OS.
A typical configuration for Nexus 7k looks as below:
aaa group server tacacs+ AAA-Server
aaa authentication login default group AAA-Server
feature tacacs+
ip tacacs source-interface Vlan2
tacacs-server host [ip address] key 7 "TEST"
aaa group server tacacs+ TacServer
server [ip address]
use-vrf
aaa authentication login default group TacServer
tacacs-server directed-request
Hope this helps.
Regards
Najaf
Please rate when applicable or helpful !!!
12-16-2012 06:57 AM
1. I have changed the TACACS group to TACACS-SRV and it works fine, but still not in exec mode (enable mode).
2. I tried to configure "login local" under "line con 0" but it shows:
AAA: Warning authentication list "local" is not defined for LOGIN.
I wanted it to use the "Cisco" user under login local but it didn't help.
What does it mean?
3. In the config command "ip tacacs source-interface Vlan2":
What does it mean?
12-16-2012 07:51 AM
Hi,
Which version of IOS are you running?
1) Try adding another line as below:
aaa authentication login TACACS group tacacs+ local
no aaa authentication login default group tacacs+ local
aaa authentication login TACACS group tacacs+ local
line vty 0 4
login authentication TACACS
Hope you are configuring this in the same line order.
2) Try modifying the config as below:
aaa authentication login no_tacacs local
line con 0
login authentication no_tacacs
3) This command ensures the TACACS request is originated from VLAN 2 in this case. For your configuration you will have to find the right interface and put it there instead of VLAN 2. Please be aware that whatever interface IP address you are using here should be added as an AAA client on the ACS server.
Hope that helps.
Regards
Najaf
12-16-2012 07:59 AM
I am running IOS 15.0(2)SE
1. Yes, I am posting that in the same order.
When I try to add "no aaa authentication login default group tacacs+ local" it shows me:
Authentication method list update failed!!
2. When I try "login authentication no_tacacs"
it shows me:
AAA: Warning authentication list "no_tacas" is not defined for LOGIN.
3. Thanks for the verification.
ben
12-16-2012 08:37 AM
Hi Ben,
I would request you to wipe all AAA configuration (use "no aaa new-model") and apply the commands one by one in the order below.
username Cisco priv 15 password Cisco
aaa new-model
aaa authentication login no_tacacs local
aaa authentication login TACACS group tacacs+ local
line con 0
login authentication no_tacacs
line vty 0 4
login authentication TACACS
Let me know how it goes.
Regards
Najaf
12-18-2012 05:27 AM
Hi Najaf.
Sorry for the delay; I was OOO (out of office).
OK, so I did what you posted and it works. I am able to log in with a local user through CONSOLE and I am able to log in through SSH with a TACACS user, but I have some questions:
1. When I log in with a local or a TACACS user I'm still not in exec mode.
2. Before I configured those commands, when I logged in with a TACACS user the "enable" password was the TACACS user password, and right now the enable password is the "local enable secret". Why?
3. I created in the TACACS server two user groups with different permissions, and when I am logged in with a user from either group they have the same permissions (before this config I tested it and there was a difference between users that are members of the two different groups in the TACACS server).
4. What happens to the accounting on the TACACS server? Because in this config I don't have any configuration about "aaa accounting".
Regards...
ben
12-24-2012 01:48 AM
Hi Ben,
I didn't notice your reply. Sorry for that.
For point 1, could you please provide the full AAA configuration you are currently using.
For point 2, you could add an additional command which will enable you to use your TACACS password from ACS:
aaa authentication enable default tacacs+ enable
For point 3, I'm not sure why this is happening. What access permissions have you restricted between users of both groups?
For point 4, you need to enable "aaa accounting".
Regards
Najaf
12-24-2012 04:54 AM
Hi Najaf.
1. I configured everything you recommended. I will insert all my current configuration at the bottom of this post.
2. I configured "aaa authentication enable default tacacs+ enable" and it works fine and uses the user password to switch to "enable mode". But when I log in with the Cisco user via CONSOLE it doesn't let me use the local enable secret; it shows me "User does not belong to specified group".
3. I have created 2 groups in the TACACS server:
The "cisco admin group" has the highest level permissions and can execute every command.
The "cisco RO group" can switch to "enable mode" and from "enable mode" to "disable mode". It can also run all the "show" commands but can't execute any other command such as "reload", "dir", "wr", etc.
I have tested it and it was working before I configured the last commands you recommended.
4. Thanks. I will configure the accounting according to the authentication methods.
My current config is:
Current configuration : 1989 bytes
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname tacacs_Switch
!
boot-start-marker
boot-end-marker
!
enable secret 4 lkdsjfklfjsdlkfjs4823748!@#$@#498fhsflkjfs
!
username admin privilege 15 password 7 XXXXXXXXXXXXXXXXX
username Cisco privilege 15 password 7 XXXXXXXXXXXXX
aaa new-model
!
!
aaa authentication login no_dce-mgmt00 local
aaa authentication login dce-mgmt00 group tacacs+ local
!
!
!
!
!
aaa session-id common
system mtu routing 1500
!
!
no ip domain-lookup
ip domain-name test.local
!
!
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip ssh rsa keypair-name sshkeys
!
!
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
description upplink to HP switch
!
interface GigabitEthernet0/2
!
interface Vlan1
description tacacs ip switch ip
ip address 1.1.1.10 255.255.255.0
!
ip default-gateway 1.1.1.1
ip http server
ip http secure-server
tacacs server dce-mgmt00
address ipv4 1.1.1.2
key 7 0034161201493B030101
!
!
!
!
line con 0
login authentication no_dce-mgmt00
line vty 0 4
login authentication dce-mgmt00
transport input ssh
line vty 5 15
!
end
BR
Ben
12-24-2012 06:24 AM
Hi Ben,
For console access you have to use the username and password associated with the username Cisco if you are trying to authenticate using those credentials. If you try to use the enable secret it will not work. You have configured the Cisco username as privilege level 15 and hence this will not ask you for the enable password when you try to log in to the console, since this username already has level 15 privilege.
For point 3, could you be brief about which command you are referring to here? "I have tested it and it was working before I configured the last command you recommended"
Please try after removing this command and see if that works as expected.
Regards
Najaf
12-24-2012 06:43 AM
Hi.
Unfortunately, when I log in through CONSOLE with the user "Cisco" it still logs me in in "disabled mode", and to switch to exec mode I must use the "enable password" even though I configured the Cisco user with privilege 15.
For point 3: I tested two users on the switch.
Each user is a member of a different group.
User A1 is a member of "cisco admin group" and user B2 is a member of "cisco RO group".
Before I configured the following commands you recommended, I was not able to run the "reload" command with user B2 (and that was good, because this is one of the restrictions of the group). But after I configured these commands he can run "reload" or any command that should be restricted for this user because he is a member of "cisco RO group" (in the TACACS server).
username Cisco priv 15 password Cisco
aaa new-model
aaa authentication login no_tacacs local
aaa authentication login TACACS group tacacs+ local
line con 0
login authentication no_tacacs
line vty 0 4
login authentication TACACS
Only a user that is a member of "cisco admin group" should have the permissions to run any command, not users from "cisco RO group".
Suggestions?
Regards
Ben
12-24-2012 06:56 PM
Hi Ben,
For point 1, which version of IOS are you running? This should work as expected and I'm not sure why this is not working for you. Also I'm not sure what you meant here by "it still logs me in in "disabled mode"".
For point 3, you could try setting authorization with the commands below.
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
Regards
Najaf
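As an added example, not a configuration from this thread, here is one consolidated IOS AAA configuration that addresses Ben's four points together; the server address, list names and source interface follow the thread, while usernames, secrets and the key are placeholders.

```conf
! Added example, not a config from this thread: one consolidated IOS 15.x AAA
! configuration covering points 1-4. Server IP, list names and the source
! interface follow the thread; usernames, secrets and the key are placeholders.
aaa new-model
!
! Point 2: local account used on the console; "secret" stores a hash
username Cisco privilege 15 secret CHANGE-ME
enable secret CHANGE-ME
!
tacacs server dce-mgmt00
 address ipv4 1.1.1.2
 key CHANGE-ME
ip tacacs source-interface Vlan1
!
! Login: VTY asks TACACS+ and falls back to the local database only when
! the server is unreachable (not when it rejects); the console is local only
aaa authentication login TACACS group tacacs+ local
aaa authentication login no_tacacs local
aaa authentication enable default group tacacs+ enable
!
! Point 1: under "aaa new-model" the privilege a user carries (a local
! "privilege 15" or the priv-lvl the server returns) is only applied when
! exec authorization runs. The console is exempt from authorization until
! "aaa authorization console" is set, so it gets its own local-only lists
! instead of being sent to the server as an unknown user.
aaa authorization console
aaa authorization exec CON-LOCAL local
aaa authorization commands 15 CON-LOCAL none
aaa authorization exec default group tacacs+ local
!
! Point 3: per-command authorization is what lets the server deny "reload"
! to the read-only group; without it any level-15 user can run everything
aaa authorization commands 15 default group tacacs+ local
!
! Point 4: accounting was lost when the AAA config was wiped; restore it
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
line con 0
 login authentication no_tacacs
 authorization exec CON-LOCAL
 authorization commands 15 CON-LOCAL
line vty 0 15
 login authentication TACACS
 transport input ssh
```

Apply it on a console session with a second console or a saved config at hand, since a typo in the authentication lists can lock out the VTY lines.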
12-26-2012 06:06 AM
My switch version:
Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 26 WS-C2960-24TT-L 15.0(2)SE C2960-LANBASEK9-M
For point 3, I tried to run the last commands but it didn't reach our goal.
Regards.
ben
03-20-2013 12:11 PM
On the TACACS server (if you're running it on Linux anyway) you need to set privilege 15 for the admin group or user you have configured. Here is a snippet of my configuration, for example:
group = lv15 {
    default service = permit
    service = shell {
        default command = permit
        default attribute = permit
        set priv-lvl = 15
    }
}
Here you can see that it specifically sets ANY USER WHO MATCHES THIS GROUP to privilege level 15. This ties into an LDAP backend where users are added to the group they need to be in.
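Extending the snippet above, here is an added example tac_plus.conf (not the poster's file) that builds the two groups Ben described: both get priv-lvl 15, and the read-only group is confined to "show" by server-side command authorization. Group names, users, passwords and the key are constructed placeholders.

```conf
# Added example, not the poster's file: a tac_plus.conf with the two groups
# Ben described. Both land at priv-lvl 15 so no enable password is needed;
# the read-only group is limited to "show" by command authorization, which
# the switch only requests when it has
# "aaa authorization commands 15 default group tacacs+ local".
# Key, user names and passwords are placeholders.
key = "CHANGE-ME"

group = cisco-admin {
    default service = permit
    service = shell {
        default command = permit
        default attribute = permit
        set priv-lvl = 15
    }
}

group = cisco-ro {
    default service = deny
    service = shell {
        default attribute = permit
        set priv-lvl = 15
        # a command with no cmd clause is denied, so reload, dir, write
        # and configure terminal fail authorization for this group
        cmd = show { permit .* }
        cmd = enable { permit .* }
        cmd = disable { permit .* }
        cmd = exit { permit .* }
        cmd = logout { permit .* }
    }
}

user = a1 {
    member = cisco-admin
    login = cleartext "CHANGE-ME"
}

user = b2 {
    member = cisco-ro
    login = cleartext "CHANGE-ME"
}
```

The static member lines stand in for the LDAP group membership the poster uses; the switch-side accounting records show which user ran each authorized command.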