Configuring AAA to include local auth for Console connections

Recently realized, during a maintenance window, that my AAA configurations are not set to use local authentication if the AAA server is unavailable. Could use a little help in making sure I have the correct setup. Below is what I have configured today:

aaa new-model
aaa authentication login default group tacacs+
aaa authentication enable default group tacacs+
aaa authorization auth-proxy default group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

tacacs-server host x.x.x.x
tacacs-server timeout 120
tacacs-server directed-request
tacacs-server key <key>
Just add "aaa authorization console" and you should be good.


Would I add that as a separate line, or to the current one? Examples:

aaa new-model
aaa authentication login default group tacacs+
aaa authentication enable default group tacacs+
aaa authorization auth-proxy default group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa authorization console

    OR

aaa new-model
aaa authentication login default group tacacs+
aaa authentication enable default group tacacs+
aaa authorization auth-proxy default group tacacs+ console
aaa accounting commands 15 default start-stop group tacacs+


It's a separate line. AAA is disabled on the console by default. Adding that line enables it.


Hmm, that's interesting. The config I pasted in at the beginning is what I have now, yet my console port is forcing AAA to be used in order to log in.


So a "show run | i aaa authorization console" doesn't show anything, but you're getting the behaviour you wanted? What IOS version are you running? I have a vague memory of some of the older ones not recording that command, but it's been a while.


Sure thing (see below)! My preference is that the Console port either uses AAA up front and falls back to local credentials if ACS becomes unavailable, or that the Console port only uses local credentials.

CORE1#sh run | i aaa authorization console
CORE1#sh run | i aaa
aaa new-model
aaa authentication login default group tacacs+
aaa authentication enable default group tacacs+
aaa authorization auth-proxy default group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

Accepted Solution

Okay... if you want that, you're going to need to configure a fallback option on your aaa login and enable authentication lines. Throw a "local" keyword on the end of those and that will get you what you're looking for.

I'm a bit concerned that the "aaa authentication console" isn't showing up in your configuration. It makes me think that it will only survive until the next reload.

Are you running at the latest revision of your IOS version?

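As an added example (not the original poster's config or the responder's), here is the AAA block from the question with the fallback the accepted answer describes; the username and the secrets are placeholders, and on the enable line the fallback method is "enable" rather than "local", since IOS does not accept "local" for enable authentication.

```ios
! Added example, not the configuration posted in this thread: the AAA
! block from the question with a fallback to local credentials.
!
! The fallback method is consulted only when every TACACS+ server fails
! to respond. A server that answers with a reject is final, so local
! credentials cannot be used to bypass a reachable ACS.
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization auth-proxy default group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! The fallback needs something to fall back to: a local user and an
! enable secret (placeholder name and secrets, replace before use).
username localadmin privilege 15 secret <local-password>
enable secret <enable-password>
!
! With "tacacs-server timeout 120" the console login waits up to 120 s
! per server before the local method is tried; a short timeout keeps
! the fallback usable during an ACS outage.
tacacs-server host x.x.x.x
tacacs-server timeout 5
tacacs-server directed-request
tacacs-server key <key>
```

The console prompting for AAA credentials even without "aaa authorization console" is expected: under "aaa new-model" the default login list applies to the console line as well, and "aaa authorization console" only controls whether authorization is applied there.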


Older 4507s, running 12.2(50)SG3, so not entirely surprised some configs are having issues. Hoping to replace next year.

Thanks again for the help!
