05-12-2005 06:49 AM
Hello all
I had an issue yesterday where a remote location's link went down. We thought the router was configured for both local login and TACACS+ authentication. However, the TACACS+/RADIUS server is located at the other end of the line that was down. I arrived on-site and tried to log in to the local router to start troubleshooting the issue. I was unable to log in. It appeared to be looking for the tacacs server only, not allowing me to log in with the local usernames/passwords. Fortunately we determined the problem was on the other end, and we got the connection back up. But now I want to fix it; I don't want to be stuck not being able to log in to that router without connectivity to the authenticating server. Bear in mind, I have little experience with tacacs+, and this stuff was added just in the past few months by an employee who has left the company. I am adding the tacacs+ portion of the config. Thanks
aaa new-model
tacacs-server host 10.20.1.61
aaa authentication login default tacacs+ radius
aaa authentication login use-radius local
aaa authentication enable default line
aaa authentication ppp user-radius if-needed radius
aaa authorization exec default tacacs+ local
aaa authorization network default radius
!
username $$$port privilege 15 password 7
username $$$er password 7
username $$$ovan password 7
username $$$rs password 7
username $$$$o privilege 15 password 7
05-12-2005 09:30 AM
On the first aaa authentication statement, add the word "line" at the end. This allows the local passwords to be used if tacacs or radius are unavailable. A line from one of our routers:
aaa authentication login default group tacacs+ line
In an emergency you can go through the password recovery process if you must get to the router.
Good Luck!
05-13-2005 09:02 AM
Eric
I see several things in this that I would suggest changing. The line:
aaa authentication login default tacacs+ radius
specifies your primary authentication for logging in on the router. And it says try TACACS and then try radius and it does not say anything about what to do if you can not get to either of them. My first question is whether you have both TACACS and radius servers doing authentication in your network? If you do not have both then I would remove the reference to the one that you do not have.
There are two options that you can use in situations where you can not get responses from the authentication servers: one is local authentication using user IDs and passwords configured on the local router. The other option is to use the configured line passwords. If you want to authenticate with backup local user ID (I notice that you do have user IDs configured on the router for some purpose) then I would configure like this:
aaa authentication login default tacacs+ radius local
and if you want to backup authentication using the configured line passwords then I would configure like this:
aaa authentication login default tacacs+ radius line
I would question the configuration of:
aaa authentication enable default line
which says that for enable authentication that you should use line passwords. I doubt that this is what you really want. Most of the time what I see for this function says go to the authentication server first and if no answer from it use the configured enable password or the configured enable secret. The config would look like this:
aaa authentication enable default tacacs+ enable
I would also suggest a change in your configuration of authorization which currently says:
aaa authorization exec default tacacs+ local
I do not think that local works very well in this context. I would suggest using:
aaa authorization exec default tacacs+ if-authenticated
HTH
Rick
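As an added illustration (not from either reply above), here is a small Python model of how an IOS-style login method list is walked: a method that returns an error (server unreachable, or a username absent from the local database) hands off to the next method, while a definite accept or reject ends the list. It compares the original post's `tacacs+ radius` list with the `local` and `line` fallbacks suggested in the replies under the WAN-down scenario; the usernames, passwords and Scenario helper are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed local user database and line password (the original post masks its usernames).
LOCAL_USERS = {"netadmin": "S3cret!"}
LINE_PASSWORD = "vty-pass"

# Method lists from the thread.
ORIGINAL = ["tacacs+", "radius"]              # original post: no fallback
WITH_LOCAL = ["tacacs+", "radius", "local"]   # Rick's first suggestion
WITH_LINE = ["tacacs+", "radius", "line"]     # Rick's second / Eric's suggestion


@dataclass
class Scenario:
    reachable: set = field(default_factory=set)   # AAA servers that answer
    server_accepts: bool = True                   # verdict when a server answers


def _query_server(server, scenario):
    """Model one server exchange: timeout -> error, else accept/reject."""
    if server not in scenario.reachable:
        return "error"            # no response: the list moves on
    return "accept" if scenario.server_accepts else "reject"


def evaluate(method_list, user, password, scenario):
    """Walk the method list; return (verdict, method_that_decided).

    Only an 'error' falls through to the next method. An explicit
    reject stops the walk, so a reachable server that denies the user
    is never overridden by a later local or line entry."""
    for method in method_list:
        if method in ("tacacs+", "radius"):
            result = _query_server(method, scenario)
        elif method == "local":
            if user not in LOCAL_USERS:
                result = "error"  # unknown local user: try next method
            else:
                result = "accept" if LOCAL_USERS[user] == password else "reject"
        elif method == "line":
            result = "accept" if password == LINE_PASSWORD else "reject"
        else:
            raise ValueError(f"unknown method {method!r}")
        if result != "error":
            return result, method
    return "error", None          # every method errored: login is denied


WAN_DOWN = Scenario(reachable=set())   # the situation in the original post

if __name__ == "__main__":
    for name, ml in (("original", ORIGINAL), ("local", WITH_LOCAL), ("line", WITH_LINE)):
        print(name, evaluate(ml, "netadmin", "S3cret!", WAN_DOWN))
```

With the WAN down, the original list ends in an error and the login is denied, while the `local` fallback admits the locally defined user; the `line` fallback requires the line password instead, which is why the choice between the two matters.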