TACACS+ behavior on console versus vty

scott.pendleton
Level 1

I have this strange behavior with TACACS+ on a 3850 switch. If I console into the switch, I authenticate against the ISE server and see it in the TACACS live logs. If I SSH into it, it goes straight to local authentication without any attempt to contact TACACS on the ISE PSN. This is my AAA configuration:

ISE is a TACACS server group, R-ISE is a RADIUS server group.

aaa authentication login VTY group ISE local
aaa authentication enable default group ISE enable
aaa authentication dot1x default group R-ISE
aaa authorization console
aaa authorization exec CON none
aaa authorization exec VTY group ISE local
aaa authorization network default group R-ISE
aaa authorization auth-proxy default group R-ISE

line con 0
 exec-timeout 0 0
 authorization exec CON
 logging synchronous
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 authorization exec VTY
 login authentication VTY
 transport input ssh

**Mark all helpful posts and solutions**

Once you log in, check show users to make sure that you are landing on any of vty 0 - 4.

They are. Here is even more odd behavior. When I SSH in, the login uses the local account, yet when I try to go into privileged exec, it goes to TACACS for authentication. To be clear, my local account is a username that I do not use in ISE for TACACS, and I don't see anything in the live logs for the login, but I do see failed attempts for the local username when I type enable.


Try something like the following, replacing radius with tacacs+ accordingly. In addition, the required version should be 15.x (latest). Please provide us with your version, do a DEBUG AAA and post the debug results.

aaa new-model
!
aaa authentication login default local
aaa authentication login CONS local
aaa authentication login VTY_AUTHC group radius local
aaa authorization console
aaa authorization exec default none
aaa authorization exec CONS if-authenticated
aaa authorization exec VTY_AUTHC group radius local
aaa accounting exec default start-stop group radius
!

username cisco password cisco

!
line con 0
 password 7 XXXXXXXXXXXXXX
 authorization exec CONS
 login authentication CONS
line vty 0 15
 password 7 XXXXXXXXXXXXXX
 authorization exec VTY_AUTHC
 login authentication VTY_AUTHC
 transport input all (use ssh or telnet or none, whatever you need)
 transport output all (IF needed)
!

As stated before, ISE and R-ISE are working groups that go to the appropriate PSNs. Anyway, I got permission to reboot the switch and everything works the way it was supposed to.


ajc
Level 7

I suspect you are hitting by default the "aaa authentication enable default group ISE enable" line, because of the version you are running. That could explain why you see entries in the TACACS live logs. The debug AAA would give us more clues.

SSH probably goes directly into your local account for authentication because there is something misconfigured in the RADIUS ISE authentication policies/end-user accounts, or you are not pointing properly to the RADIUS ISE in the LAN switch (not sure if you are using the same ISE for RADIUS and TACACS).

aaa authentication login VTY group ISE local

You should have something like this in the switch:

aaa group server radius R-ISE
 server 10.10.10.10
 server 10.10.10.10 auth-port 1645 acct-port 1646

AND

aaa group server tacacs+ ISE
 server-private 20.20.20.20 single-connection key 7 cisco (server-private can be replaced by server)
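As an added illustration, not from any poster in this thread: a small Python model of how IOS walks a method list such as the VTY one above ("group ISE local"). IOS tries the next method only when the current one returns an ERROR (the server group did not answer), not when it returns a FAIL, so a local-only username is rejected while ISE responds but accepted once the group is dead, with nothing reaching the ISE live log in that case. The server group, usernames and passwords are constructed.

```python
# Added model (not from this thread) of how IOS walks an AAA method list such as
# "aaa authentication login VTY group ISE local": the next method is tried only
# when the current one returns ERROR (no response); a FAIL ends the list.
PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


class TacacsGroup:
    """Constructed stand-in for the 'ISE' TACACS+ server group."""

    def __init__(self, users, reachable=True):
        self.users = users          # constructed: username -> password known to ISE
        self.reachable = reachable  # False models the group being marked dead
        self.live_log = []          # what the ISE TACACS live log would record

    def authenticate(self, user, password):
        if not self.reachable:
            return ERROR            # nothing reaches ISE, so nothing is logged there
        ok = self.users.get(user) == password
        self.live_log.append((user, PASS if ok else FAIL))
        return PASS if ok else FAIL


def run_method(method, user, password, ise, local_users, enable_secret):
    """Evaluate one method keyword from the list."""
    if method == "group ISE":
        return ise.authenticate(user, password)
    if method == "local":
        return PASS if local_users.get(user) == password else FAIL
    if method == "enable":
        return PASS if password == enable_secret else FAIL
    if method == "none":
        return PASS
    raise ValueError(f"unknown method {method!r}")


def evaluate(method_list, user, password, ise, local_users, enable_secret):
    """Walk the method list; return (outcome, method that produced it)."""
    for method in method_list:
        outcome = run_method(method, user, password, ise, local_users, enable_secret)
        if outcome != ERROR:
            return outcome, method
    return ERROR, None               # every method errored: no decision, access denied


if __name__ == "__main__":
    ise = TacacsGroup({"netadmin": "ise-pw"})
    local = {"backup": "local-pw"}
    vty = ["group ISE", "local"]      # aaa authentication login VTY group ISE local
    print(evaluate(vty, "backup", "local-pw", ise, local, "en-secret"))  # ('FAIL', 'group ISE')
    ise.reachable = False            # ISE dead: same credentials now fall back to local
    print(evaluate(vty, "backup", "local-pw", ise, local, "en-secret"))  # ('PASS', 'local')
```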