TACACS Authorization

proxymaster
Level 1

Hi everyone,

I need to migrate an old Cisco Secure ACS to a new TACACSGUI.
The old ACS runs on two servers (XX.XX.XX.XX and YY.YY.YY.YY), while the new server is ZZ.ZZ.ZZ.ZZ.

This was the previous configuration:

aaa group server tacacs+ TACACS-GROUP-SERVER
   server XX.XX.XX.XX
   server YY.YY.YY.YY

tacacs-server key 7 ENCRYPTED_KEY
tacacs-server host XX.XX.XX.XX
tacacs-server host YY.YY.YY.YY

aaa authentication login default group TACACS-GROUP-SERVER local
aaa authentication login console group TACACS-GROUP-SERVER local
aaa authorization exec default group TACACS-GROUP-SERVER local
aaa authorization commands all default group TACACS-GROUP-SERVER local

Then I made a rookie mistake.

I added the new server to the aaa group and removed the old ones, but I did not add the command line tacacs-server host ZZ.ZZ.ZZ.ZZ.

aaa group server tacacs+ TACACS-GROUP-NAME
   server ZZ.ZZ.ZZ.ZZ

A moment later I lost connection and I'm locked out of the router.

Now, using local router accounts I'm able to get into EXEC mode, but I'm not authorized to do a configure terminal. It returns this error:
% Authorization denied for command 'configure terminal'.

I tried to change the "Shell Command Authorization Set" and other User Setup configurations on old ACS server, but it doesn't seem to make a difference.

I'm able to authenticate on old ACS server (even show logs on old ACS GUI) through the command test aaa group tacacs+ USERNAME PASSWORD.

Using old ACS/new TACACSGUI registered accounts, I can't even log in. None of the three servers register any log of authentication or authorization attempts.


Any suggestions on how to bypass TACACS to be able to configure terminal again?
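As an added illustration (not from the original post or any reply), here is the change that caused the lockout next to a staged migration that keeps a reachable, key-configured server in the group until the new one has been verified. XX/YY/ZZ and the key are the thread's placeholders; the named `tacacs server` host form and the `legacy` keyword on `test aaa group` are assumed to be available on the IOS release in use.

```cisco
! --- What was applied (the mistake) ---
! The group now references only ZZ.ZZ.ZZ.ZZ, which has no tacacs-server
! host definition and therefore no shared key. The group is left with no
! usable server, and the old hosts are no longer referenced by it.
aaa group server tacacs+ TACACS-GROUP-SERVER
   no server XX.XX.XX.XX
   no server YY.YY.YY.YY
   server ZZ.ZZ.ZZ.ZZ

! --- Staged migration: add, verify, then retire ---
! Optional safety net before touching AAA (exec mode): "reload in 10",
! cancelled with "reload cancel" once verified. An unsaved change is
! discarded on reload, which is the recovery path suggested in the replies.

! Step 1: define the new host and its shared secret before referencing it.
! (TACACSGUI-NEW is an assumed name; NEW_SHARED_SECRET is a placeholder and
! must match the key configured on the TACACSGUI side.)
tacacs server TACACSGUI-NEW
 address ipv4 ZZ.ZZ.ZZ.ZZ
 key NEW_SHARED_SECRET

! Step 2: add the new server alongside the old ones. Remove nothing yet,
! so the group always contains a server that is known to answer.
aaa group server tacacs+ TACACS-GROUP-SERVER
   server XX.XX.XX.XX
   server YY.YY.YY.YY
   server name TACACSGUI-NEW

! Step 3: from exec mode, in a second session while the current one stays
! open, prove that a TACACSGUI account authenticates through the group,
! then open a third session with that account and confirm that
! "configure terminal" is authorized before going further.
! test aaa group TACACS-GROUP-SERVER USERNAME PASSWORD legacy

! Step 4: only after Step 3 succeeds, retire the old hosts. The "local"
! fallback stays on every method list so a dead server does not lock
! out local accounts.
aaa group server tacacs+ TACACS-GROUP-SERVER
   no server XX.XX.XX.XX
   no server YY.YY.YY.YY
no tacacs-server host XX.XX.XX.XX
no tacacs-server host YY.YY.YY.YY
```

Step 4 also removes the old `tacacs-server host` lines so the legacy global key is not left pointing at decommissioned servers; the group-membership change and the host removal are separate commands, as in the original configuration.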

3 Replies

@proxymaster you can reboot the router; the configuration will revert to the previously saved version, without the new TACACS server.

Or perhaps you could define a null route to ZZ.ZZ.ZZ.ZZ on the upstream switch/router, so the router you cannot login to is unable to communicate with the new TACACS server and therefore you should be able to login using a local user account.

Hi Rob, thanks for the quick response!

I think that rebooting the device will be a last resort option for me.

So, if no TACACS server is available the local authentication/authorization is taken by default?

@proxymaster yes it should fail back to local authentication if TACACS is unavailable.
