Tacacs+ Authorization

DenyAnyAny
Level 1

Hi,

How do I tell Cisco TACACS+ to only authorize users that have been authenticated by it and not by any other method? E.g. switches are authenticating users locally and authorizing them against the TACACS+ server; how do I prevent this?

Regards

5 Replies

jenny conlan
Level 1

You can specify this by adding:

aaa authorization commands 15 default group "ACS Server group name" local

That tells it to authorize by querying the specified ACS server group first; if there is no reply, it will use the local database.

mauzamor
Level 1

Hi there Maik,

This can be accomplished using "named lists". For example, let's say that your VTY users will use the ACS for authentication and authorization, but the users who access the console port should use authentication only against the local switch database with no authorization. So we do the following:

aaa new-model
tacacs-server X.X.X.X key cisco123
aaa authentication login myacs group tacacs+
aaa authentication login mylocal local
aaa authorization commands 15 mylocalautho group tacacs+
aaa authorization config-commands
line console 0
  login authentication mylocal
line vty 0 14
  login authentication myacs
  authorization commands 15 mylocalautho

You can play with this and use different combinations of this feature depending on your requirements. Let me know if you have any questions about it.

Hi all,

so here is my config:

aaa authentication login default group tacacs+ line
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default local group tacacs+ local
aaa authorization commands 15 default local group tacacs+ local

I have some local users with no password but with an RSA key:

username user1 privilege 15 nopassword
ip ssh pubkey-chain
  username user1
   key-hash ssh-rsa 9C4B0195499D69FED5B01C8DC70CED19
  quit

user1 also exists on the ACS. When user1 tries to log in, the switch authenticates it locally based on the ssh-rsa key, but authorizes it against the ACS. Strangely, the ACS assumes that the user was authenticated by it. Is it possible to prevent this?

According to your configuration, "aaa authentication login default group tacacs+ line" says that all the authentication types (SSH, Telnet, console) are going to use the TACACS+ server as the primary authentication method; if the TACACS+ server is down, the next method is the line password, not local. I don't see any AAA command pointing authentication to the local switch database.

So I don't think the switch is authenticating the user; it seems like the authentication request is going to the ACS server. Can you verify whether, after the user is authenticated, you have a successful passed authentication in the ACS?

I don't find any authentication entry but an authorization one!
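As an added example (not from this thread, Cisco, or any ACS product), a small Python audit that parses an IOS AAA configuration and flags the two conditions discussed above: login method lists that fall back to a non-TACACS+ method, and ip ssh pubkey-chain users whose key-based login is validated on the switch while exec or command authorization is still sent to TACACS+. The config string is constructed from the asker's post with a placeholder key hash; the function and variable names are the example's own.

```python
import re

# Constructed sample: the asker's AAA config plus a pubkey-chain user that
# is authenticated locally by the switch (key hash is a placeholder).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ line
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default local group tacacs+ local
username user1 privilege 15 nopassword
ip ssh pubkey-chain
  username user1
   key-hash ssh-rsa CONSTRUCTED_PLACEHOLDER_HASH
  quit
"""

# Login methods that can succeed without the TACACS+ server vouching for the user.
NON_TACACS_METHODS = {"local", "local-case", "line", "enable", "none"}

def parse_aaa(config):
    """Collect login method lists, authorization lists and pubkey-chain users."""
    login, authz, pubkey_users, in_chain = {}, [], set(), False
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"aaa authentication login (\S+) (.+)", line)
        if m:
            login[m.group(1)] = m.group(2).split()
            continue
        m = re.match(r"aaa authorization (exec|commands \d+) (\S+) (.+)", line)
        if m:
            authz.append((m.group(1), m.group(2), m.group(3).split()))
            continue
        if line == "ip ssh pubkey-chain":
            in_chain = True
        elif in_chain and line == "quit":
            in_chain = False
        elif in_chain and line.startswith("username "):
            pubkey_users.add(line.split()[1])  # key-based login bypasses the login list
    return login, authz, pubkey_users

def audit(config):
    """List cases where TACACS+ may authorize a user it never authenticated."""
    login, authz, pubkey_users = parse_aaa(config)
    if not any("tacacs+" in methods for _, _, methods in authz):
        return []  # authorization never reaches TACACS+, nothing to flag
    findings = []
    for name, methods in login.items():
        fallback = [m for m in methods if m in NON_TACACS_METHODS]
        if fallback:
            findings.append(f"login list '{name}' can succeed via {fallback} without TACACS+")
    for user in sorted(pubkey_users):
        findings.append(f"pubkey-chain user '{user}' is authenticated locally, authorized via TACACS+")
    return findings
```

Run it against a `show running-config` capture to see which login paths can reach the TACACS+ authorization step without a TACACS+ authentication record.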