
TACACS+ authentication and authorization on IOS-XE

Sergio_Garcia
Level 1

Hello guys,

I have the following configuration syntax on my IOS-XE (ASR1001) device:

!
...
!
aaa authentication login default group local AUTH1
aaa authentication enable default group AUTH1 none
aaa authorization console
aaa authorization config-commands
aaa authorization exec default local AUTH1 group
aaa authorization commands 0 default group tacacs+ group AUTH1 if-authenticated
aaa authorization commands 1 default group tacacs+ group AUTH1 if-authenticated
aaa authorization commands 15 default group tacacs+ group AUTH1 if-authenticated
aaa authorization network default none
aaa accounting exec default
 action-type start-stop
 group AUTH1
aaa accounting commands 0 default
 action-type start-stop
 group AUTH1
aaa accounting commands 1 default
 action-type start-stop
 group AUTH1
aaa accounting commands 15 default
 action-type start-stop
 group AUTH1
aaa accounting connection default
 action-type start-stop
 group AUTH1
aaa session-id common

What happens is that when I lose connectivity with the ACS server for some reason, or I lose Element Management, I was supposed to be able to log in with a local user, but that does not happen: I am unable to enter the machine locally, even though I have a local user configured on the equipment.

Does the AAA configuration syntax above have any parameters that might be causing such behavior?

Thanks for helping me with this issue.

Equipment version below:

Software: Cisco IOS XE Software, Version 03.13.03.S
Platform: cisco ASR1001 (1RU)


best regards
Sérgio Garcia


balaji.bandi
Hall of Fame

Always start with a simple config and build up to the complex example:


aaa authentication login default group tacacs+ local

In the example above: TACACS+ first; if it is not reachable, then local.


BB
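To make the fallback rule in the reply above concrete, here is a small simulation of how an IOS method list is walked. It is an added example, not code from the thread or from Cisco: it models the documented rule that only a method returning ERROR (for example, no TACACS+ server reachable) hands evaluation to the next method, while PASS and FAIL are final, and it models a locally unknown username as ERROR, which is what the thread itself shows (with "local" before AUTH1, a domain account still gets in). The user names, passwords and server state are constructed for the simulation; it also shows why a local-only account is rejected while the server is up under "group AUTH1 local", and what "none" as a last method does.

```python
from enum import Enum

class Result(Enum):
    PASS = "pass"    # method accepted the credentials: access granted
    FAIL = "fail"    # method rejected them: evaluation stops, access denied
    ERROR = "error"  # method could not answer (server unreachable): try next

# Constructed sample accounts for the simulation, not from the thread.
LOCAL_USERS = {"admin": "LocalS3cret"}          # hypothetical local username
TACACS_USERS = {"sergio.garcia": "D0mainPass"}  # hypothetical ACS account

def local_method(user, pw, server_up):
    if user not in LOCAL_USERS:
        return Result.ERROR  # unknown locally: IOS moves on to the next method
    return Result.PASS if LOCAL_USERS[user] == pw else Result.FAIL

def tacacs_method(user, pw, server_up):
    if not server_up:
        return Result.ERROR  # no server in the group answered
    return Result.PASS if TACACS_USERS.get(user) == pw else Result.FAIL

def none_method(user, pw, server_up):
    return Result.PASS       # 'none': no authentication performed at all

METHODS = {"local": local_method, "group AUTH1": tacacs_method, "none": none_method}

def authenticate(method_list, user, pw, server_up=True):
    """Walk an IOS-style method list: ERROR hands off to the next method,
    PASS or FAIL is final, and if every method errors access is denied."""
    for name in method_list:
        result = METHODS[name](user, pw, server_up)
        if result is not Result.ERROR:
            return result is Result.PASS
    return False

def compare_orders(user, pw, server_up):
    """Outcome of the thread's two orderings for the same login attempt."""
    return {
        "local AUTH1": authenticate(["local", "group AUTH1"], user, pw, server_up),
        "AUTH1 local": authenticate(["group AUTH1", "local"], user, pw, server_up),
    }

if __name__ == "__main__":
    for user, pw in (("admin", "LocalS3cret"), ("sergio.garcia", "D0mainPass")):
        for up in (True, False):
            print(f"{user:14} server_up={up!s:5} -> {compare_orders(user, pw, up)}")
    # 'none' as the last method means enable mode opens when the server is down
    print("enable with 'group AUTH1 none', server down:",
          authenticate(["group AUTH1", "none"], "anyone", "x", server_up=False))
```

Note that with "group AUTH1 local" the ACS server answering FAIL for a local-only account is final, so that account only works while the server is unreachable, and a wrong local password under "local AUTH1" is never retried against TACACS+.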

Hi balaji


When I put the instruction below as suggested:


aaa authentication login default group tacacs+ local


there is no longer user access with either the local user or the domain user associated with the ACS server.


Example:

RT_IOS-XE(config)#aaa authentication login default group tacacs+ local


dominio\user_name@server_jumper:~> ssh -l sergio.garcia IP_ADDRESS_REMOTE_ACESS
Password: *****

Password:*****

I try again and again, and nothing: I cannot access the element.


When I restore the previous configuration, remote access with my domain account succeeds:


RT_IOS-XE(config)#aaa authentication login default group local AUTH1
RT_IOS-XE(config)#

!

domain\user_name@server_jumper:~> ssh -l sergio.garcia IP_ADDRESS_REMOTE_ACESS
Password: *****

RT_IOS-XE #


What could be wrong with that syntax?


best regards

Sergio Garcia