Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1994
Views
5
Helpful
7
Replies

AAA question

kelly.conley
Level 1
Level 1

‎01-13-2021 02:40 PM

Greetings,

I am the process of updating and standardizing our AAA configs. This is a current section:

 

aaa authentication login default group tacacs+ local
aaa authentication login console none
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization exec console none
aaa authorization commands 15 default group tacacs+ if-authenticated

 

My question is are "aaa authentication login console none" and "aaa authorization exec console none" doing anything? I remember being told years ago they are there for some obscure login scenario but I cant remember what it is. Taking them out doesn't seem to have any effect. Thoughts?

Labels:
0 Helpful
7 Replies 7

Mohammed al Baqari
Level 11
Level 11

‎01-14-2021 12:05 AM

Hi,

With your config, console access is blocked. Any user who tries to access
console and authenticate with fail. Some high security firms adopt that
model but the counter to this that you can't do console troubleshooting.

**** please remember to rate useful posts

kelly.conley
Level 1
Level 1
In response to Mohammed al Baqari

‎01-14-2021 07:37 AM

Thanks for the response. You would think that is the case but it is not.
Console access works with a local user as well as with tacacs.
0 Helpful

Seb Rupik
VIP Alumni
VIP Alumni

‎01-14-2021 07:45 AM

Hi there, 

The none keyword instructs the aaa AuthC process to not look at any user datastores. The credentials must be stored on the line. What does sh run | beg line con look like?

 

cheers,

Seb.

0 Helpful

kelly.conley
Level 1
Level 1
In response to Seb Rupik

‎01-14-2021 07:58 AM

line con 0
exec-timeout 30 0
logging synchronous
0 Helpful

Mohammed al Baqari
Level 11
Level 11
In response to kelly.conley

‎01-14-2021 08:35 AM

This is very strange. Based on your config, console access shouldn't work.

Open an ssh session, debug aaa authentication with term monitor, then login
to console and post the output. Let's see what happens.

***** please remember to rate useful posts
0 Helpful

kelly.conley
Level 1
Level 1
In response to Mohammed al Baqari

‎01-14-2021 09:45 AM

So when the tacacs is available console login does not work. 

Jan 14 17:39:51.965: AAA/AUTHEN/LOGIN (0000001B): Pick method list 'default'

So I assume that this:

aaa authentication login default group tacacs+ local

is being used. when tacacs is not available console access fails to local even if "aaa authentication login console none" is used.

0 Helpful

kelly.conley
Level 1
Level 1
In response to Seb Rupik

‎01-14-2021 08:14 AM

It appears that because I have this line:

aaa authentication login default group tacacs+ local

 

Then this line:

aaa authentication login console none

 

That "login default" applies to the console and therefore "aaa authentication login console none" does nothing and console access is allowed if tacacs is not available.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card