10-23-2012 05:27 AM - edited 03-10-2019 07:42 PM
Hi,
How do I tell the Cisco TACACS+ server to only authorize users that have been authenticated by it and not by any other method? E.g. switches are authenticating users locally and authorizing them against the TACACS+ server; how can I prevent this?
Regards
10-23-2012 01:15 PM
You can specify this by adding:
aaa authorization commands 15 default group "ACS Server group name" local
That tells it to authorize by querying the specified ACS server group first; if there is no reply, it will use the local database.
10-23-2012 03:21 PM
Hi there Maik,
This can be accomplished using a "named list". For example, let's say that your VTY users will use the ACS for authentication and authorization, but the users who access the console port should use authentication only against the local switch database with no authorization, so we do the following:
aaa new-model
tacacs-server host X.X.X.X key cisco123
aaa authentication login myacs group tacacs+
aaa authentication login mylocal local
aaa authorization commands 15 mylocalautho group tacacs+
aaa authorization config-commands
line console 0
login authentication mylocal
line vty 0 14
login authentication myacs
authorization commands 15 mylocalautho
You can play with this and use different combinations of this feature depending on your requirements. Let me know if you have any questions about it.
10-24-2012 08:31 AM
Hi together,
so here is my config:
aaa authentication login default group tacacs+ line
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default local group tacacs+ local
aaa authorization commands 15 default local group tacacs+ local
I have some local users with no password but with an RSA key:
username user1 privilege 15 nopassword
ip ssh pubkey-chain
username user1
key-hash ssh-rsa 9C4B0195499D69FED5B01C8DC70CED19
quit
user1 also exists on the ACS. When user1 tries to log in, the switch authenticates it locally based on the ssh-rsa key, but authorizes it against the ACS. Strangely, the ACS assumes that the user was authenticated by it. Is it possible to prevent this?
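The two posts above (the named-list example and the poster's own config) both come down to the same audit question: on each line, does the authentication method list let a login complete without the TACACS+ server, while exec or command authorization is still sent to that server? The following Python script is an added example, not Cisco's code and not from anyone in this thread. It parses an IOS-style AAA fragment (a constructed sample modelled on the config above, with a placeholder key-hash) and flags three cases: a bypass method (local, line, enable, none) listed before any server group, a bypass method listed only as a fallback after the group, and SSH public-key users, whose login never reaches the login method list at all. It assumes `login authentication` and `authorization exec|commands` line sub-commands and the global `aaa` commands shown on this page; nothing else is modelled.

```python
"""Audit IOS-style AAA config for authorization sent to a server group while
authentication can succeed without it.  Added example, not Cisco's code."""
import re

# Methods that complete a login without any TACACS+ server seeing the user.
BYPASS_METHODS = {"local", "local-case", "line", "enable", "none"}
# Global commands that end a 'line' block in this simplified parser.
GLOBAL_PREFIXES = ("aaa ", "ip ", "username ", "tacacs", "line ", "interface ", "router ", "end")


def parse_aaa(config: str) -> dict:
    """Extract login lists, authorization lists, per-line bindings and ssh pubkey users."""
    auth, author, lines, pubkey = {}, {}, {}, set()
    ctx, line_name = None, None
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text.startswith("!"):
            continue
        if ctx == "pubkey":                      # inside 'ip ssh pubkey-chain'
            if text in ("quit", "exit"):
                ctx = None
            else:
                m = re.match(r"username (\S+)", text)
                if m:
                    pubkey.add(m.group(1))       # this user can log in by RSA key
            continue
        if text == "ip ssh pubkey-chain":
            ctx = "pubkey"
            continue
        m = re.match(r"line (\S+(?: \d+)*)", text)
        if m:
            ctx, line_name = "line", m.group(1)
            lines.setdefault(line_name, {})
            continue
        if ctx == "line" and not text.startswith(GLOBAL_PREFIXES):
            m = re.match(r"login authentication (\S+)", text)
            if m:
                lines[line_name]["login"] = m.group(1)
            m = re.match(r"authorization (exec|commands \d+) (\S+)", text)
            if m:
                lines[line_name][m.group(1)] = m.group(2)
            continue                             # other line sub-commands are ignored
        ctx = None
        m = re.match(r"aaa authentication login (\S+) (.+)", text)
        if m:
            auth[m.group(1)] = m.group(2).split()
            continue
        m = re.match(r"aaa authorization (exec|commands \d+) (\S+) (.+)", text)
        if m:
            author[(m.group(1), m.group(2))] = m.group(3).split()
    return {"auth": auth, "author": author, "lines": lines, "pubkey": pubkey}


def _bypass_position(methods):
    """'first' if a bypass method precedes every server group, 'fallback' if it
    only follows one, None if the list cannot complete without a server group."""
    first_group = next((i for i, t in enumerate(methods) if t == "group"), None)
    bypass = [i for i, t in enumerate(methods) if t in BYPASS_METHODS]
    if not bypass:
        return None
    return "first" if first_group is None or bypass[0] < first_group else "fallback"


def audit(config: str) -> list:
    """Return (line, kind, authz types) tuples for lines whose authorization goes
    to a server group while authentication can complete without it."""
    p = parse_aaa(config)
    findings = []
    for line_name, binding in sorted(p["lines"].items()):
        auth_methods = p["auth"].get(binding.get("login", "default"), [])
        remote = sorted(t for t, _ in p["author"]
                        if "group" in p["author"].get((t, binding.get(t, "default")), []))
        if not remote:
            continue                             # no remote authorization here
        kinds = [_bypass_position(auth_methods)]
        if line_name.startswith("vty") and p["pubkey"]:
            kinds.append("ssh-pubkey")           # RSA login bypasses the login list
        findings.extend((line_name, k, ",".join(remote)) for k in kinds if k)
    return findings


# Constructed sample modelled on the thread's config; key-hash is a placeholder.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ line
aaa authentication login mylocal local
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default local group tacacs+ local
username user1 privilege 15 nopassword
ip ssh pubkey-chain
 username user1
  key-hash ssh-rsa 00000000000000000000000000000000
 quit
line console 0
 login authentication mylocal
 exec-timeout 10 0
line vty 0 14
 transport input ssh
"""

if __name__ == "__main__":
    for line_name, kind, types in audit(SAMPLE_CONFIG):
        print(f"{line_name}: authentication can bypass TACACS+ ({kind}); "
              f"remote authorization for: {types}")
```

Run against the sample, the script reports the console line (login list is purely local), the VTY line's `line` fallback, and the RSA-key user on the VTY line; a config whose login list is `group tacacs+` alone, with no pubkey-chain users, produces no findings.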
10-24-2012 08:45 AM
According to your configuration, "aaa authentication login default group tacacs+ line" says that all the authentication types (SSH, Telnet, console) are going to use the TACACS+ server as the primary authentication method; if the TACACS+ server is down, the next method is the line password, not local. I don't see any AAA command pointing the authentication to the local switch database.
So I don't think the switch is authenticating the user; it seems like the authentication request is going to the ACS server. Can you verify whether, after the user is authenticated, you have a successful passed authentication in the ACS?
10-25-2012 02:02 AM
I don't find any authentication entry, but I do find an authorization one!