Configuring AAA to include local auth for Console connections

Jeff Bull
Level 1

Recently realized, during a maintenance window, that my AAA configurations are not set to use local authentication if the AAA server is unavailable. Could use a little help in making sure I have the correct setup. Below is what I have configured today:

aaa new-model
aaa authentication login default group tacacs+
aaa authentication enable default group tacacs+
aaa authorization auth-proxy default group tacacs+ 
aaa accounting commands 15 default start-stop group tacacs+

tacacs-server host x.x.x.x
tacacs-server timeout 120
tacacs-server directed-request
tacacs-server key <key>

8 Replies

ghostinthenet
Level 7

Just add "aaa authorization console" and you should be good.

Would I add that as a separate line, or to the current one? Examples:

aaa new-model
aaa authentication login default group tacacs+
aaa authentication enable default group tacacs+
aaa authorization auth-proxy default group tacacs+ 
aaa accounting commands 15 default start-stop group tacacs+
aaa authorization console

    OR

aaa new-model
aaa authentication login default group tacacs+
aaa authentication enable default group tacacs+
aaa authorization auth-proxy default group tacacs+ console
aaa accounting commands 15 default start-stop group tacacs+

It's a separate line. AAA is disabled on the console by default. Adding that line enables it.

Hmm, that's interesting. The config I pasted in at the beginning is what I have now, yet my console port is forcing AAA to be used in order to log in.

So a "show run | i aaa authorization console" doesn't show anything, but you're getting the behaviour you wanted? What IOS version are you running? I have a vague memory of some of the older ones not recording that command, but it's been a while.

Sure thing (see below)! My preference is that the Console port either uses AAA up front and falls back to local credentials if ACS becomes unavailable, or that the Console port only uses local credentials.

CORE1#sh run | i aaa authorization console
CORE1#sh run | i aaa
aaa new-model
aaa authentication login default group tacacs+
aaa authentication enable default group tacacs+
aaa authorization auth-proxy default group tacacs+ 
aaa accounting commands 15 default start-stop group tacacs+

Okay... if you want that, you're going to need to configure a fallback option on your aaa login and enable authentication lines. Throw a "local" keyword on the end of those and that will get you what you're looking for.

I'm a bit concerned that the "aaa authentication console" isn't showing up in your configuration. It makes me think that it will only survive until the next reload.

Are you running at the latest revision of your IOS version?
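A small config audit that applies the advice in this thread, added here as an example and not part of any post: it parses the "aaa authentication login/enable" method lists, flags any list whose only methods are server groups (no fallback such as "local" or "enable"), and checks for "aaa authorization console". Both sample configs are constructed from the one pasted above; the fixed version assumes "enable" as the fallback method on the enable line.

```python
import re

# Constructed sample: the poster's running config, with no fallback method.
ORIGINAL_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+
aaa authentication enable default group tacacs+
aaa authorization auth-proxy default group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
"""

# Constructed sample: the same config with the fallback added and console AAA enabled.
FIXED_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization auth-proxy default group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
"""

METHOD_LIST_RE = re.compile(r"^aaa authentication (login|enable) (\S+) (.+)$")
# Methods that still work when every AAA server is unreachable.
FALLBACK_METHODS = {"local", "local-case", "enable", "line", "none"}


def parse_methods(method_text):
    """Split 'group tacacs+ local' into ['group tacacs+', 'local']."""
    tokens, methods, i = method_text.split(), [], 0
    while i < len(tokens):
        if tokens[i] in ("group", "cache") and i + 1 < len(tokens):
            methods.append(f"{tokens[i]} {tokens[i + 1]}")  # 'group <name>' is one method
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def audit_aaa(config):
    """Report method lists with no fallback, lists falling back to 'none', and console AAA."""
    findings = {"missing_fallback": [], "open_fallback": [], "authorization_console": False}
    for line in config.splitlines():
        line = line.strip()
        if line == "aaa authorization console":
            findings["authorization_console"] = True
            continue
        m = METHOD_LIST_RE.match(line)
        if not m:
            continue
        kind, list_name, methods = m.group(1), m.group(2), parse_methods(m.group(3))
        if not any(x in FALLBACK_METHODS for x in methods):
            findings["missing_fallback"].append(f"{kind} {list_name}")  # lockout risk if TACACS+ is down
        if "none" in methods:
            findings["open_fallback"].append(f"{kind} {list_name}")  # no authentication at all on fallback
    return findings
```

Running audit_aaa over ORIGINAL_CONFIG reports both the login and enable lists as lacking a fallback and no console authorization; the fixed config reports neither problem.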

Older 4507s, running 12.2(50)SG3, so not entirely surprised some configs are having issues. Hoping to replace next year.

Thanks again for the help!
