07-22-2021 01:15 PM
Hi All,
Have run into a couple of issues with a client who we are doing some remote switch refreshes with. I build the config on a terminal server and then they pop it into the rack. Both times we've had issues with local user access. For whatever reason, we've had AAA issues where TACACS creds weren't working, so we tried to fall back to the local user and those passwords weren't being accepted either, through both console and SSH.
Here's the AAA config
aaa authentication login default group tacacs+ local
aaa authentication login console local-case line
aaa authentication enable default group tacacs+ enable
aaa authorization exec default local group tacacs+
aaa accounting send stop-record authentication failure
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
Leaving out the accounting (which I don't think relates to this issue), my understanding of the first 3 lines is that if you're connecting from SSH or Telnet, it will check the TACACS server first, and if the user isn't found there, then it will fail down to local. If you're connecting to console, it should use the local password regardless, and if you're enabling, it will check tacacs for the enable password and then fall back to local.
Is this correct? The most recent reason that TACACS wasn't working was because I forgot to put the tacacs server into the config so it could not reach out. In that case, it should have reverted to local, correct?
Would be helpful to understand exactly how AAA works from a failure perspective
Thanks,
Joel
07-22-2021 02:41 PM
aaa authorization exec default group tacacs+ local
You should have authorization TACACS then Local order.
Suggest to try a simple config; as it is working, improve with extra add-ons.
I will start with
aaa new-model !
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
Is this correct? The most recent reason that TACACS wasn't working was because I forgot to put the tacacs server into the config so it could not reach out. In that case, it should have reverted to local, correct?
Yes, this is the order of operation. If the radius is not reachable you should be able to get local account access. Make sure you have local accounts created with priv 15; have 2 accounts for safety before you lock the console (to go for reset password).
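The question and the reply above both turn on how IOS walks a method list when a method cannot answer. The rule IOS applies is that the next method in the list is consulted only when the current one returns an error (no TACACS+ server configured or reachable; a username that does not exist in the local database also counts as an error), while an explicit reject (server reached, credentials refused; local user exists, wrong password) ends the list with a failure. The following simulation, which is an added example and not code from the thread or from Cisco, encodes that rule against the three method lists posted in the question. The TACACS+ server, local users, line password and enable secret are constructed stand-ins.

```python
from enum import Enum


class Result(Enum):
    PASS = "pass"    # method accepted the credentials
    FAIL = "fail"    # method answered and rejected them: the list stops here
    ERROR = "error"  # method could not answer: IOS moves to the next method


# Method lists as posted in the question
METHOD_LISTS = {
    ("login", "default"): ["group tacacs+", "local"],
    ("login", "console"): ["local-case", "line"],
    ("enable", "default"): ["group tacacs+", "enable"],
}

# Constructed local credentials for the simulation (not real values)
LOCAL_USERS = {"netadmin": "Local-Pass-1"}
LINE_PASSWORD = "line-pw"
ENABLE_SECRET = "en-secret"


def lookup_local(username, case_sensitive):
    """Return the stored password for username, or None if there is no such local user.

    'local' matches the username case-insensitively, 'local-case' exactly.
    """
    if case_sensitive:
        return LOCAL_USERS.get(username)
    matches = [pw for u, pw in LOCAL_USERS.items() if u.lower() == username.lower()]
    return matches[0] if matches else None


def run_method(method, username, password, tacacs):
    """Evaluate a single method.

    tacacs is a dict of user -> password for a reachable (constructed) server,
    or None when no server is configured or reachable.
    """
    if method == "group tacacs+":
        if tacacs is None:
            return Result.ERROR  # no server to ask: fall through to the next method
        return Result.PASS if tacacs.get(username) == password else Result.FAIL
    if method in ("local", "local-case"):
        stored = lookup_local(username, case_sensitive=(method == "local-case"))
        if stored is None:
            return Result.ERROR  # unknown local user: next method is tried
        return Result.PASS if stored == password else Result.FAIL
    if method == "line":
        return Result.PASS if password == LINE_PASSWORD else Result.FAIL
    if method == "enable":
        return Result.PASS if password == ENABLE_SECRET else Result.FAIL
    raise ValueError(f"unsupported method {method!r}")


def authenticate(list_key, username, password, tacacs=None):
    """Walk one method list; return (outcome, method that decided)."""
    for method in METHOD_LISTS[list_key]:
        outcome = run_method(method, username, password, tacacs)
        if outcome is Result.ERROR:
            continue  # only ERROR falls through; FAIL and PASS are final
        return outcome, method
    return Result.FAIL, None  # every method errored: access denied


if __name__ == "__main__":
    # TACACS+ missing from the config (the case in the question): local answers
    print(authenticate(("login", "default"), "netadmin", "Local-Pass-1"))
    # TACACS+ reachable but does not know the user: reject, no fallback to local
    print(authenticate(("login", "default"), "netadmin", "Local-Pass-1", {"joel": "other"}))
    # console list: local-case misses on username case, so the line password is checked
    print(authenticate(("login", "console"), "NetAdmin", "line-pw"))
    # enable with no TACACS+ server: the enable secret decides
    print(authenticate(("enable", "default"), "netadmin", "en-secret"))
```

The second scenario is the one worth checking before a remote refresh: with a reachable TACACS+ server the login list never reaches `local`, so a local account is only a safety net for the unreachable case, which is exactly why the reply recommends two priv 15 local accounts before the console is locked.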