cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5209
Views
2
Helpful
5
Replies

AAA configuration with ISE TACACS+ and edge switches

Eric R. Jones
Level 4
Level 4

Our AAA configuration currently prevents us from logging into an edge switch via console cable. I found that the line preventing this is "aaa authorization console". When that is used in conjunction with "aaa authentication login CONSOLE local" we get the fun %authorization failure popup. When "aaa authorization console" is removed we are able to access the switch via console cable with no issues. The "line con 0" has "login authentication CONSOLE" added but it seems to work whether this line is in there or not.

I have read an article explaining the reason for "aaa authorization console", https://www.wiresandwi.fi/blog/solid-config-cisco-aaa-tacacs-and-password-best-practices. Since we use ISE for our RADIUS / TACACS+ if TACACS+ is down most likely ISE is down and we have way more issues to worry about then consoling into an edge switch. 

So if anyone has had this issue and resolved it where both configuration lines are in the configuration let me know.

ej

 

 

5 Replies 5

srigovi2
Cisco Employee
Cisco Employee

Hi Eric , 

In IOS by default, Cisco does not perform authorization on the console. When you configure aaa authorization it is applied to vty but not to the console. Basically, this is to make it harder for you to lock yourself out of the router or switch. If you want authorization to be applied on the console then you must explicitly configure it (and be very careful that it is configured correctly or you can wind up being locked out of the router - think especially of how it will work when you can not get to the external aaa server that is normally doing the authorization).

 

-------------------------------------------------------------
If you find my reply solved your question or issue, kindly click the 'Accept as Solution' button and vote it as helpful.

You can also learn more about ISE through our live Ask the Experts (ATXs) session. Check out Cisco ATXs Resources [https://community.cisco.com/t5/security-knowledge-base/cisco-endpoint-security-ask-the-experts-resources/ta-p/4394492] to view the latest schedule for upcoming sessions, as well as the useful references, e.g. online guides, FAQs.
-------------------------------------------------------------

 

Thanks,

G.Srinivasan

Can I know all config, İ am so interesting in this case

Thanks 

MHM

aaa authentication login default group"GROUPNAME"local
aaa authentication login VTY group"GROUPNAME"local
aaa authentication login CONSOLE group"GROUPNAME"local
aaa authentication enable default group"GROUPNAME"enable
aaa authentication dot1x default group "GROUPNAME"
aaa authorization exec default group"GROUPNAME"local
aaa authorization network default group "GROUPNAME"
aaa authorization commands 0 default group"GROUPNAME"local if-authenticated
aaa authorization commands 1 default group"GROUPNAME"if-authenticated
aaa authorization commands 7 default group"GROUPNAME"local if-authenticated
aaa authorization commands 15 default group"GROUPNAME"local if-authenticated
aaa authorization auth-proxy default group "GROUPNAME"
aaa authorization config-commands
aaa authorization console
aaa accounting network default

aaa accounting commands 15 default start-stop group ISE_CACGROUP
aaa accounting system default start-stop group ISE_CACGROUP
aaa accounting auth-proxy default start-stop group "GROUPNAME"
aaa accounting dot1x default start-stop group "GROUPNAME"
aaa accounting update newinfo periodic 2880

aaa server radius dynamic-author
client <IPaddress> server-key "#" "hash"
client <IPaddress> server-key "#" "hash"
client <IPaddress> server-key "#" "hash"
client <IPaddress> server-key "#" "hash"

radius server "servername"
address ipv4 <IPaddress> auth-port 1812 acct-port 1813
automate-tester username srf-test probe-on
key "key number#" "hash"

radius server "servername"
address ipv4 <IPaddress> auth-port 1812 acct-port 1813
automate-tester username srf-test probe-on
key "key number#" "hash#

radius server "servername"
address ipv4 <IPaddress> auth-port 1812 acct-port 1813
automate-tester username srf-test probe-on
key "key number#" "hash#

radius server "servername"
address ipv4 <IPaddress> auth-port 1812 acct-port 1813
automate-tester username srf-test probe-on
key "key number#" "hash#

radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail
radius-server dead-criteria time 5 tries 3
radius-server deadtime 15
radius-server vsa send cisco-nas-port
tacacs server "servername"
address ipv4 <IPaddress>
key "key number#" "hash#
tacacs server "servername"
address ipv4 <IPaddress>
key "key number#" "hash#
tacacs server "servername"
address ipv4 <IPaddress>
key "key number#" "hash#
tacacs server "servername"
address ipv4 <IPaddress>
key "key number#" "hash#

aaa group server radius "GROUPNAME"
server name "servername"
server name "servername"
server name "servername"
server name "servername"

aaa group server tacacs+ ISE_CACGROUP
server name "servername"
server name "servername"
server name "servername"
server name "servername"

aaa new-model
aaa session-id common

Richard Burts
Hall of Fame
Hall of Fame

I am not clear whether you really want authorization on the console. As @srigovi2 points out Cisco does not do authorization on console by default (in large part to avoid the potential lockout from console access). If authorization for console is not important then leaving it out of the config is an easy solution. If you do really want authorization for console then you need to configure for 2 situations: when the authentication/authorizatioj server is available, and when the server is not available. If the server is available then you need to be sure that the user attempting login will be authorized. If the server is not available then you need to provide an alternative. I have had some success using if-authenticated as the fall back method.

HTH

Rick

Eric R. Jones
Level 4
Level 4

Thanks for the inputs. We resolved the issue via ISE. We created an Authorization policy-local exception rule called console Local "localswitchusername" access with an "AND" condition that checks TACACS-remote-address equals async || TACACS-user equals "localswitchusername" with the proper command set associated and the proper shell profile. This resovles the issue if TACACS servers are up. Should those servers be down then the switch resolves the issue after failing to connect to the remote server.

We did recently run into a vexing problem, Cisco Bug CSCwe36743. This bug breaks your AAA configuration if you should happen to setup TACACS groups. Specifically:
aaa group server tacacs+ "group name"
server name "servername1"
server name "servername2"
server name "servername3"
server name "servername4"

We could enter radius groups and all other statements for AAA but this one wouldn't take. At first it only seemed to affect stacked switches of 3 or more but it did begin affecting some single switches as well. We did manage to work around this by removing group references in the AAA Authorization and Authentication lines, deploying the changes without the TACACS group.  Theres a patch out,cat9k_iosxe.17.06.04.CSCwe36743.SPA.smu, that is supposed to address this. I got word that the next release, 17.06.06, is the permanent fix due out after Sept 30th 2023. We opted to wait for the full IOS and test that. This bug apparently affects all IOS-XE versions in the 17.6.X train up to the current one. 
!

 

Review Cisco Networking for a $25 gift card