TACACS+ Authentication Problems

anderse
Level 1

Hello all

I had an issue yesterday where a remote location's link went down. We thought the router was configured for both local login and TACACS+ authentication. However, the TACACS+/RADIUS server is located at the other end of the line that was down. I arrived on-site and tried to log in to the local router to start troubleshooting the issue. I was unable to log in. It appeared to be looking for the tacacs server only, not allowing me to log in with the local username/passwords. Fortunately we determined the problem was on the other end, and we got the connection back up. But now I want to fix it; I don't want to be stuck not being able to log in to that router without connectivity to the authenticating server. Bear in mind, I have little experience with tacacs+, and this stuff was added just in the past few months by an employee who has left the company. I am adding the tacacs+ portion of the config. Thanks

aaa new-model

tacacs-server host 10.20.1.61

aaa authentication login default tacacs+ radius

aaa authentication login use-radius local

aaa authentication enable default line

aaa authentication ppp user-radius if-needed radius

aaa authorization exec default tacacs+ local

aaa authorization network default radius

!

username $$$port privilege 15 password 7

username $$$er password 7

username $$$ovan password 7

username $$$rs password 7

username $$$$o privilege 15 password 7

2 Replies

bs6825
Level 1

On the first aaa authentication statement, add the word "line" at the end. This allows the local passwords to be used if tacacs or radius are unavailable. A line from one of our routers:

aaa authentication login default group tacacs+ line

In an emergency you can go through the password recovery process if you must get to the router.

Good Luck!

Richard Burts
Hall of Fame

Eric

I see several things in this that I would suggest changing. The line:

aaa authentication login default tacacs+ radius

specifies your primary authentication for logging in on the router. And it says try TACACS and then try radius and it does not say anything about what to do if you can not get to either of them. My first question is whether you have both TACACS and radius servers doing authentication in your network? If you do not have both then I would remove the reference to the one that you do not have.

There are two options that you can use in situations where you can not get responses from the authentication servers: one is local authentication using user IDs and passwords configured on the local router. The other option is to use the configured line passwords. If you want to authenticate with backup local user ID (I notice that you do have user IDs configured on the router for some purpose) then I would configure like this:

aaa authentication login default tacacs+ radius local

and if you want to backup authentication using the configured line passwords then I would configure like this:

aaa authentication login default tacacs+ radius line

I would question the configuration of:

aaa authentication enable default line

which says that for enable authentication that you should use line passwords. I doubt that this is what you really want. Most of the time what I see for this function says go to the authentication server first and if no answer from it use the configured enable password or the configured enable secret. The config would look like this:

aaa authentication enable default tacacs+ enable

I would also suggest a change in your configuration of authorization which currently says:

aaa authorization exec default tacacs+ local

I do not think that local works very well in this context. I would suggest using:

aaa authorization exec default tacacs+ if-authenticated

HTH

Rick

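Both replies make the same point: every method list that an administrator depends on should try the AAA server first and then fall through to something the router can answer by itself (`local`, `line`, `enable`, or `if-authenticated` for exec authorization). The script below is an added example, not code from this thread or from Cisco; it parses the `aaa authentication` / `aaa authorization` lines of a saved running-config and flags lists that would lock an admin out while the TACACS+/RADIUS server is unreachable (the original poster's situation), as well as lists that never consult the server at all (the `enable default line` case Richard questions). The sample config embedded in it is the poster's own AAA lines; the function names and the `no-fallback` / `no-server` / `ok` verdict labels are this example's own.

```python
"""Audit Cisco IOS AAA method lists for an offline fallback method.

Added example (not code from the thread): parses the 'aaa authentication' and
'aaa authorization' lines of a running-config and reports, per method list,
whether an admin could still get in while the TACACS+/RADIUS server is down.
"""
import re

# Constructed sample: the AAA lines the original poster shared.
SAMPLE_CONFIG = """\
aaa new-model
tacacs-server host 10.20.1.61
aaa authentication login default tacacs+ radius
aaa authentication login use-radius local
aaa authentication enable default line
aaa authentication ppp user-radius if-needed radius
aaa authorization exec default tacacs+ local
aaa authorization network default radius
"""

# Methods the router can satisfy on its own, with no server reachable.
OFFLINE_METHODS = {"local", "local-case", "line", "enable", "none", "if-authenticated"}
# Keywords that modify a list rather than naming a method (ppp 'if-needed').
MODIFIERS = {"if-needed"}
# Anything else ('tacacs+', 'radius', or a named server group) needs a server.

AAA_LINE = re.compile(
    r"^aaa (?P<kind>authentication|authorization) (?P<service>\S+) "
    r"(?P<name>\S+)(?P<methods>(?: \S+)+)$"
)


def parse_method_lists(config):
    """Map (kind, service, list-name) -> ordered list of method tokens.

    'group tacacs+' / 'group radius' collapse to 'tacacs+' / 'radius'; a named
    server group ('group MYSERVERS') is kept by name and treated as a server.
    """
    lists = {}
    for raw in config.splitlines():
        m = AAA_LINE.match(raw.strip())
        if not m:
            continue
        tokens = m.group("methods").split()
        methods = []
        skip_next = False
        for i, tok in enumerate(tokens):
            if skip_next:
                skip_next = False
                continue
            if tok == "group" and i + 1 < len(tokens):
                methods.append(tokens[i + 1])
                skip_next = True
            else:
                methods.append(tok)
        lists[(m.group("kind"), m.group("service"), m.group("name"))] = methods
    return lists


def classify(methods):
    """Verdict for one method list.

    'no-fallback': only server-backed methods, so access fails when the server
                   is unreachable (the poster's outage).
    'no-server':   only router-local methods, the server is never consulted.
    'ok':          a server-backed method and a router-local method are both
                   present.
    """
    offline = [m for m in methods if m in OFFLINE_METHODS]
    server = [m for m in methods if m not in OFFLINE_METHODS and m not in MODIFIERS]
    if server and not offline:
        return "no-fallback"
    if offline and not server:
        return "no-server"
    return "ok"


def audit(config, services=("login", "enable", "exec")):
    """Classify each method list for the admin-access services of interest."""
    return {key: classify(methods)
            for key, methods in parse_method_lists(config).items()
            if key[1] in services}


if __name__ == "__main__":
    for (kind, service, name), verdict in audit(SAMPLE_CONFIG).items():
        print(f"aaa {kind} {service} {name}: {verdict}")
```

Run against the poster's config it reports `login default` as `no-fallback` (exactly what locked him out), `enable default` as `no-server`, and `exec default` as `ok`; after applying either reply's suggestion (`... tacacs+ radius local` or `... group tacacs+ line`) the login list comes back `ok`. Feeding it `show running-config | include ^aaa` output from every device is a cheap way to catch the same gap elsewhere before the next link failure.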