05-17-2020 03:02 PM
Hi everyone!
I have this switch with a username called "Backup" with default privileges. Then I applied TACACS and it worked: I can access through usernames declared in the TACACS server or through the Backup user configured locally.
Then i wanted to configure a new user called "david" like this:
username david secret [Password]
but when I try to access through SSH with the user david I can't access, it says Access denied...
So my question is, why can the user "Backup" access, but "David" cannot? They are configured the same way.
Solved! Go to Solution.
05-18-2020 05:21 AM
Normally a device uses the aaa method list in order. If there is a TACACS server defined and available, we cannot normally use the local username to log in.
Can you share your aaa configuration?
05-15-2023 02:21 PM
Hello, we are having a similar issue using ISE based TACACS+ with dot1x on our edge devices, 9300s. Our aaa new-model setup has local following our aaa authentication and authorization entries. Some time ago it was stated that if we had local at the end of these lines then, if the username wasn't found in TACACS+, it would drop through and eventually check the local username and allow SSH; however, we haven't experienced this. Our line con 0 looks like this:
line con 0
exec-timeout 9 0
privilege level 0
logging synchronous
login authentication CONSOLE
stopbits 1
line vty 0 4
access-class 3 in
exec-timeout 9 0
privilege level 0
logging synchronous
login authentication VTY
transport input ssh
transport output ssh
Should the priv level change from 0 to 15, or is it just not possible to access an edge device that uses RADIUS/TACACS+ with a local username, either via SSH or console connection?
05-15-2023 08:59 PM
@Eric R. Jones the line "login authentication CONSOLE" implies you have an aaa method named "CONSOLE" elsewhere in the configuration. If TACACS is in that method prior to local AND a defined TACACS server is available, then the local user(s) will never be allowed to authenticate.
05-16-2023 05:58 PM
I changed the line to "aaa authentication login CONSOLE local" and it began working on our test switches and one production switch. So far no errors.
05-16-2023 09:47 PM
So the other shoe dropped. I changed our aaa settings from aaa authentication login CONSOLE group tacacs+ local, to aaa authentication login CONSOLE local matching our line con 0 configuration, only to be met with aaa authorization console (all lower case), which stopped me from logging in via the console port. My test switch didn't have this line and a few others. I had to go line by line until I found the offending one.
I figured this was allowing access for line con 0. The reading I did stated "aaa authorization console is a hidden command. We have to execute this command to enable authorization for the console line. If you create a method list "aaa authorization exec CONSOLE group radius local" for the console and try to apply it on line console 0, it will throw an error that without "aaa authorization console" all authorization commands for the console are useless. You have to first enable authorization for the console with the help of aaa authorization console."
Not sure why we have it, as removing that line but keeping the other settings doesn't stop us from logging in via the console port nor prevent the use of commands in config t mode.
I'll have to play around with it a bit more and see what happens.
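The two cases in this thread (the 2020 answer that a reachable TACACS server means local users are never consulted, and the 2023 console lockout caused by a TACACS-first CONSOLE method list combined with aaa authorization console) come down to how IOS walks a method list: it tries the next method only when the previous one returns ERROR (no server in the group answered), never when a server answers and rejects the user. The following is an added example, not configuration posted by anyone in the thread; the server names, group name, addresses, the shared-secret placeholder and the account name are assumptions. It puts the TACACS-first VTY list next to a local-only console list so a TACACS reject cannot lock the console, and keeps local as a fallback on the VTY lines only for the case where no server responds.

```cisco
! Added example; names, addresses and secrets are placeholders, not from the thread.
! Method-list semantics assumed here are the documented IOS ones: "group X local"
! reaches "local" only when every server in group X fails to respond (ERROR),
! not when a server responds with a reject (FAIL).
aaa new-model
!
! TACACS+ servers collected into a named group so method lists can reference it
tacacs server ISE1
 address ipv4 192.0.2.10
 key ISE-SHARED-SECRET-PLACEHOLDER
tacacs server ISE2
 address ipv4 192.0.2.11
 key ISE-SHARED-SECRET-PLACEHOLDER
aaa group server tacacs+ ISE-TACACS
 server name ISE1
 server name ISE2
!
! Local break-glass account. privilege 15 so that when exec authorization also
! falls back to local, the session is not stuck at privilege 0 on the console.
username backup privilege 15 secret STRONG-PASSPHRASE-PLACEHOLDER
!
! --- VTY (SSH): TACACS first, local only if no server answers ---
! A user that exists only locally (like "david" in the original post) is
! rejected here whenever ISE1 or ISE2 is reachable, by design.
aaa authentication login VTY group ISE-TACACS local
aaa authorization exec VTY group ISE-TACACS local
!
! --- Console: local only ---
! The thread's original "aaa authentication login CONSOLE group tacacs+ local"
! means a reachable server that does not know the local account denies the
! console too. A local-only list keeps the console usable for the break-glass
! account regardless of server state.
aaa authentication login CONSOLE local
aaa authorization exec CONSOLE local
! Exec authorization on the console line is ignored unless this is enabled;
! enabling it without a local method in CONSOLE is what locked the console above.
aaa authorization console
!
line con 0
 login authentication CONSOLE
 authorization exec CONSOLE
line vty 0 15
 login authentication VTY
 authorization exec VTY
 transport input ssh
```

To confirm which path a login took, `show tacacs` reports whether each server is reachable and counts accepts/rejects, and `debug aaa authentication` shows the method list being walked and the PASS/FAIL/ERROR result of each method; a local-only account failing on SSH while `show tacacs` reports the servers up is the expected outcome of the VTY list above, not a misconfiguration.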
05-19-2020 12:05 AM
As Marvin has mentioned, if a TACACS server is configured for device login and available (i.e. online and reachable), locally defined users are not available. It is possible that the Backup user is also defined on the TACACS server.
05-19-2020 08:23 PM
I realized that my configuration for the vty lines changed the login parameter (login local) after I turned on AAA, so all I had to do was turn off TACACS and type:
Line vty 0 15
login local
and that's it.
Thanks anyway!