03-01-2018 01:56 PM
Below is my current TACACS configuration. I am trying to configure my ASR, which is running Cisco IOS XR ver 5.3.3, so that when the TACACS server is unavailable I can still log in and make configurations. When I input the configuration I receive an error, and I am not sure why.
Tacacs Config:
aaa accounting exec default start-stop group tacacs+
aaa accounting commands default stop-only group tacacs+
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 group tacacs+
aaa authorization commands 1 group tacacs+
aaa authorization commands 15 group tacacs+
aaa authorization commands default group tacacs+
aaa authorization eventmanager default local
aaa authorization eventmanager tcluser local
aaa authentication login default group tacacs+ local
Error:
#aaa authorization commands default group tacacs+ local
^
% Invalid input detected at '^' marker.
03-01-2018 06:33 PM
Hi Justin,
I believe the syntax on ASR has to be
" aaa authorization commands 15 default group tacacs+ local " or
" aaa authorization commands 0 default group tacacs+ local "
You've got to put the enable level.
Regards,
Sai
03-01-2018 04:41 PM
If you've already validated that there is no syntax issue, then please consult with the support team for the ASR or Cisco IOS XR. It might be a bug in that platform.
03-01-2018 08:24 PM
Sai is correct. On Cisco IOS or the like, the commands are associated with run levels. If you have customized commands to some specific levels, then just follow the same syntax to add the additional run levels.
03-02-2018 07:27 AM
I have validated the syntax issue, and I have tried adding the local group to the enable levels, but I still get an error. Below is the output from the syntax validation:
aaa authorization commands default group tacacs+ group local
(config)#commit
% Failed to commit one or more configuration items during a pseudo-atomic operation. All changes made have been reverted. Please issue 'show configuration failed [inheritance]' from this session to view the errors
(config)#show configuration failed
!! SEMANTIC ERRORS: This configuration was rejected by
!! the system due to semantic errors. The individual
!! errors with each failed configuration command can be
!! found below.
aaa authorization commands default group tacacs+ group local
!!% An invalid method was specified in the message or required configuration is missing: %AAA-3-ILLEGALNAME: Illegal authorization server-group name "local" rejected
end
03-02-2018 09:15 AM
If it is working without "local", then it seems that particular IOS-XR release and ASR platform combination does not support local for "default". I do not think you need that anyway if all the run-levels are explicitly specified.
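An added example, not part of any post in this thread: a small Python audit that reads the AAA lines from the question and reports which authentication and authorization method lists have no method after the TACACS+ group, and which name "local" as a server group (the form the router rejected with %AAA-3-ILLEGALNAME). The grammar is a simplification assumed for this example, not Cisco's full syntax, and the function names are hypothetical.

```python
# Added example: audit AAA method lists for a fallback after the server group.
# Simplified grammar (an assumption of this example, not Cisco's full syntax):
#   aaa <authentication|authorization> <type> <list-name> <method> [<method> ...]
# A method is "group <server-group>" or a bare keyword such as "local".
CONFIG = """\
aaa accounting exec default start-stop group tacacs+
aaa accounting commands default stop-only group tacacs+
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 group tacacs+
aaa authorization commands 1 group tacacs+
aaa authorization commands 15 group tacacs+
aaa authorization commands default group tacacs+
aaa authorization eventmanager default local
aaa authorization eventmanager tcluser local
aaa authentication login default group tacacs+ local
"""
# The line from the thread that failed at commit with %AAA-3-ILLEGALNAME.
REJECTED = "aaa authorization commands default group tacacs+ group local"

def parse_methods(tokens):
    """Split a method list into (kind, name) pairs and collect problems."""
    methods, problems, i = [], [], 0
    while i < len(tokens):
        if tokens[i] == "group":
            name = tokens[i + 1] if i + 1 < len(tokens) else ""
            if name in ("", "local"):  # "local" is a method keyword, not a group
                problems.append(f'"{name}" is not a server-group name')
            methods.append(("group", name))
            i += 2
        else:
            methods.append(("keyword", tokens[i]))
            i += 1
    return methods, problems

def audit(config):
    """Return [(list label, [problems])] for each auth/authz method list."""
    findings = []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[:1] != ["aaa"] or tok[1] not in ("authentication", "authorization"):
            continue  # accounting and unrelated lines do not gate access
        methods, problems = parse_methods(tok[4:])
        if not problems and all(kind == "group" for kind, _ in methods):
            problems.append("no fallback method after the server group")
        findings.append((f"{tok[1]} {tok[2]} {tok[3]}", problems))
    return findings

if __name__ == "__main__":
    for label, problems in audit(CONFIG + REJECTED):
        print(label, "->", "; ".join(problems) or "ok")
```

A list reported as having no fallback is one where an unreachable TACACS+ server leaves no other method to consult; whether the platform accepts a local method for that list type has to be checked against the release in use.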