Unable to access a Switch through SSH

David Calvillo
Level 1

Hi everyone!

I have this switch with a username called "Backup" with default privileges, then I applied TACACS and it worked, I can access through usernames declared in the TACACS server or through the Backup user configured locally.

Then I wanted to configure a new user called "david" like this:

username david secret [Password]

but when I try to access through SSH with the user david I can't access, it says Access denied...

So my question is, why can the user "Backup" access, but "David" cannot? They are configured the same way.

Be grateful for the good times that make you happy and for the bad times that taught you a lesson!
Accepted Solution

Marvin Rhoads
Hall of Fame

Normally a device uses the aaa method list in order. If there is a TACACS server defined and available we cannot normally use the local username to login.

Can you share your aaa configuration?

Hello, we are having a similar issue using ISE based TACACS+ with dot1x on our edge devices, 9300s. Our aaa new-model setup has local following our aaa authentication and authorization entries. Some time ago it was stated that if we had local at the end of these lines then if the username wasn't discovered in TACACS+ it would drop through and eventually check the local username and allow SSH; however, we haven't experienced this. Our line con 0 looks like this:

line con 0
exec-timeout 9 0
privilege level 0
logging synchronous
login authentication CONSOLE
stopbits 1
line vty 0 4
access-class 3 in
exec-timeout 9 0
privilege level 0
logging synchronous
login authentication VTY
transport input ssh
transport output ssh

Should the priv level change from 0 to 15, or is it just not possible to access an edge device that uses RADIUS/TACACS+ by local user name either via ssh or console connection?

@Eric R. Jones the line "login authentication CONSOLE" implies you have an aaa method named "CONSOLE" elsewhere in the configuration. If TACACS is in that method prior to local AND a defined TACACS server is available, then the local user(s) will never be allowed to authenticate.

I changed the line to "aaa authentication login CONSOLE local" and it began working on our test switches and one production switch. So far no errors.

So the other shoe dropped. I changed our aaa settings from aaa authentication login CONSOLE group tacacs+ local, to aaa authentication login CONSOLE local matching our line con 0 configuration, only to be met with aaa authorization console (all lower case) which stopped me from logging in via the console port. My test switch didn't have this line and a few others. I had to go line by line until I found the offending one.

I figured this was allowing access for line con 0. The reading I did stated "aaa authorization console is a hidden command. We have to execute this command to enable authorization for console line. If you create a method list "aaa authorization exec CONSOLE group radius local" for console and try to apply it on line console 0, it will throw an error that without "aaa authorization console" all authorization commands for console are useless. You have to first enable authorization for console with the help of aaa authorization console."

Not sure why we have it, as removing that line but keeping the other setting doesn't stop us from logging in via the console port nor prevent the use of commands in config t mode.

I'll have to play around with it a bit more and see what happens.

As Marvin has mentioned, if a TACACS server is configured for device login and available (i.e. online and reachable), locally defined users are not available. It is possible that the Backup user is also defined on the TACACS server.

--
Please remember to select a correct answer and rate helpful posts
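As an added example (not a configuration posted in this thread), the following IOS AAA layout follows the point made above: the console method list is local-only, while the VTY list tries the TACACS+ group first and only reaches "local" when no server in the group answers. The server name ISE-1, group name ISE, the documentation address 192.0.2.10 and the secret/password placeholders are assumptions.

```cisco
! Added example, not from the thread. Shows method-list ordering:
! a locally defined user is tried only when an earlier method
! returns ERROR (no reachable server), never after an explicit reject.
aaa new-model
!
! Constructed server entry; 192.0.2.10 is a documentation address.
tacacs server ISE-1
 address ipv4 192.0.2.10
 key SHARED-SECRET-PLACEHOLDER
!
aaa group server tacacs+ ISE
 server name ISE-1
!
! Console: local only, so a local account always works at the console port.
aaa authentication login CONSOLE local
aaa authorization exec CONSOLE local
!
! VTY: TACACS+ first. With ISE online, a user known only locally is denied,
! because the reject from TACACS+ ends the list before "local" is reached.
aaa authentication login VTY group ISE local
aaa authorization exec VTY group ISE local
!
! Required before any exec authorization list takes effect on line con 0.
aaa authorization console
!
! Local fallback account used when every TACACS+ server is unreachable.
username david privilege 15 secret PASSWORD-PLACEHOLDER
!
line con 0
 login authentication CONSOLE
 authorization exec CONSOLE
line vty 0 15
 login authentication VTY
 authorization exec VTY
 transport input ssh
```

IOS moves to the next method only when the previous one returns an error (no server reachable), not when the server explicitly rejects the credentials; "show tacacs" and "debug aaa authentication" show which method actually answered a given login attempt.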

David Calvillo
Level 1

I realized that my configuration for the vty lines changed the login parameter (login local) after I turned on AAA, so all I had to do was turn off TACACS and type:

Line vty 0 15

login local

and that's it

Thanks anyway!
