Tacacs and local users AAA

bendali10
Level 1

hi.

I have many types of Cisco devices such as:

* Catalyst switches (2960, 3560, 2950, 4500 chassis, etc.)
* Nexus 5548.
* Nexus 7000.
* Nexus 4K.

I have configured a TACACS server and it works fine.

But I have many problems:

1. When I log in with a TACACS user it logs me in without exec mode (enable mode).
2. I want to be able to log in via console with a local username and password (even when the TACACS server is alive).
3. For now I have configured only the Catalyst switches, but I don't know the proper commands for the Nexus OS (5k, 7k; I understand that the configuration differs between the Nexus models).

I am testing the whole environment with a "test switch" (Catalyst 2960). My current configuration is:

"
aaa new-model
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
!
aaa session-id common
!
ip default-gateway 1.1.1.1
ip http server
ip http secure-server
tacacs-server host 1.1.1.2
tacacs-server key 7 1427171F09161A2E2A08
tacacs server TACACS-SRV
!
line con 0
line vty 0 4
 transport input ssh
line vty 5 15
!
end
"

Any suggestions?


kcnajaf
Level 7

Hi Bendali,

Try the modifications below.

1. when i login with a tacacs user it logs me in without exec mode (enable mode).

I thought your existing configuration would have taken you to enable mode. Since it does not, try reconfiguring the AAA as below to get to enable mode:

no aaa authentication login default group tacacs+ local
aaa authentication login TACACS group tacacs+ local
line vty 0 4
 login authentication TACACS

2. I want to be able to login via console with a local username and password (even when the tacacs server is alive)

To use local console login, modify the configuration as below:

username Cisco priv 15 password Cisco
line console 0
 login local

3. for now i have configured only the Catalyst's Switches. but i dont know the proper commands to the Nexus OS's

A typical configuration for a Nexus 7k looks as below:

aaa group server tacacs+ AAA-Server
aaa authentication login default group AAA-Server

feature tacacs+
ip tacacs source-interface Vlan2
tacacs-server host [ip address] key 7 "TEST"
aaa group server tacacs+ TacServer
 server [ip address]
 use-vrf
aaa authentication login default group TacServer
tacacs-server directed-request

Hope this helps.

Regards

Najaf

Please rate when applicable or helpful !!!


1. I have changed the TACACS group to TACACS-SRV and it works fine, but still not in exec mode (enable mode).

2. I tried to configure "login local" under "line con 0" but it shows:

AAA: Warning authentication list "local" is not defined for LOGIN.

I wanted it to use the "Cisco" user under login local but it didn't help.

What does it mean?

3. In the config command: ip tacacs source-interface Vlan2.

What does it mean?

Hi,

Which version of IOS are you running?

1) Try adding another line as below

aaa authentication login TACACS group tacacs+ local
no aaa authentication login default group tacacs+ local
aaa authentication login TACACS group tacacs+ local
line vty 0 4
 login authentication TACACS

Hope you are configuring this in the same line order.

2) Try modifying the config as below

aaa authentication login no_tacacs local
line con 0
 login authentication no_tacacs

3) This command ensures the TACACS request is originated from VLAN 2 in this case. For your configuration you will have to find the right interface and put it in there instead of VLAN 2. Please be aware that whatever interface IP address you use here should be added as an AAA client on the ACS server.

Hope that helps.

Regards

Najaf

I am running IOS 15.0(2)SE.

1. Yes, I am posting that in the same order.

    When I try to add "no aaa authentication login default group tacacs+ local" it shows me:

    Authentication method list update failed!!

2. When I try "login authentication no_tacacs"

it shows me:

AAA: Warning authentication list "no_tacas" is not defined for LOGIN.

3. Thanks for the verification.

ben

Hi Ben,

I would request that you wipe all AAA configuration (use no aaa new-model) and apply it one by one in the order below.

username Cisco priv 15 password Cisco

aaa new-model
aaa authentication login no_tacacs local
aaa authentication login TACACS group tacacs+ local

line con 0
 login authentication no_tacacs

line vty 0 4
 login authentication TACACS

Let me know how it goes.

Regards

Najaf

Hi Najaf.

Sorry for the delay, I was OOO (out of office).

OK, so I did what you posted and it works. I am able to log in with a local user through CONSOLE and I am able to log in through SSH with a TACACS user, but I have some questions:

1. When I log in with a local or a TACACS user I'm still not in exec mode.

2. Before I configured those commands, when I logged in with a TACACS user the "enable" password was the TACACS user password, and right now the enable password is the "local enable secret". Why?

3. I created in the TACACS server two user groups with different permissions, and when I am logged in with a user from either group they have the same permissions (before this config I tested it and there was a difference between users that are members of the two different groups in the TACACS server...).

4. What happens to the accounting on the TACACS server? Because in this config I don't have any configuration about "aaa accounting".

Regards...

ben

Hi Ben,

I didn't notice your reply. Sorry for that.

For point 1 could you please provide the full AAA configuration you are currently using.

For point 2 you could add an additional command which will enable you to use your TACACS password from ACS.

aaa authentication enable default tacacs+ enable

For point 3 I'm not sure why this is happening. What access permissions have you restricted between users of both groups?

For point 4 you need to enable "aaa accounting".

Regards

Najaf

Hi Najaf.

1. I configured all that you recommended. But I will insert all my current configuration at the bottom of this post.

2. I configured the “aaa authentication enable default tacacs+ enable” and it works fine and uses the user password to switch to “enable mode”. But when I log in with the Cisco user via CONSOLE it doesn’t let me use the local enable secret. It shows me “User does not belong to specified group”.

3. I have created 2 groups in the TACACS server:

    • Cisco admin group
    • Cisco RO group (RO=read only)

The “cisco admin group” has the highest level of permissions and can execute every command.

The cisco RO group can switch to “enable mode” and from “enable mode” to “disable mode”. It can also run all the “show” commands but can't execute any other command such as “reload”, “dir”, “wr” etc.

I have tested it and it was working before I configured the last command you recommended.

4. Thanks. I will configure the accounting according to the authentication methods.

My current config is:

Current configuration : 1989 bytes
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname tacacs_Switch
!
boot-start-marker
boot-end-marker
!
enable secret 4 lkdsjfklfjsdlkfjs4823748!@#$@#498fhsflkjfs
!
username admin privilege 15 password 7 XXXXXXXXXXXXXXXXX
username Cisco privilege 15 password 7 XXXXXXXXXXXXX
aaa new-model
!
aaa authentication login no_dce-mgmt00 local
aaa authentication login dce-mgmt00 group tacacs+ local
!
aaa session-id common
system mtu routing 1500
!
no ip domain-lookup
ip domain-name test.local
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip ssh rsa keypair-name sshkeys
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
 description upplink to HP switch
!
interface GigabitEthernet0/2
!
interface Vlan1
 description tacacs ip switch ip
 ip address 1.1.1.10 255.255.255.0
!
ip default-gateway 1.1.1.1
ip http server
ip http secure-server
tacacs server dce-mgmt00
 address ipv4 1.1.1.2
 key 7 0034161201493B030101
!
line con 0
 login authentication no_dce-mgmt00
line vty 0 4
 login authentication dce-mgmt00
 transport input ssh
line vty 5 15
!
end

BR

Ben
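Compared with the configuration at the top of the thread, the config just posted shows what was lost when the AAA section was wiped with "no aaa new-model" and rebuilt: the exec and command authorization lines, the accounting lines and the enable authentication list are gone, and the "line vty 5 15" range has no login list at all. The script below is an added example, not code from this thread or from Cisco: it parses these AAA lines out of a running-config, resolves which login list each line really uses, and reports those gaps. The two embedded sample configs are trimmed copies of the configs posted in this thread; the finding names are my own. Python 3.8 or newer.

```python
"""Audit the AAA section of a Cisco IOS running-config.
Added example, not from this thread: resolves the login list each line really
uses and flags the gaps hit after the AAA config was wiped and rebuilt (no exec
or command authorization, no accounting, a vty range on local login, type-7 secrets)."""
import re

# Sample inputs: trimmed copies of the two configs posted in this thread.
ORIGINAL_CONFIG = """\
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server key 7 1427171F09161A2E2A08
line con 0
line vty 0 4
line vty 5 15
"""
FINAL_CONFIG = """\
username Cisco privilege 15 password 7 XXXXXXXXXXXXX
aaa new-model
aaa authentication login no_dce-mgmt00 local
aaa authentication login dce-mgmt00 group tacacs+ local
tacacs server dce-mgmt00
 key 7 0034161201493B030101
line con 0
 login authentication no_dce-mgmt00
line vty 0 4
 login authentication dce-mgmt00
line vty 5 15
"""
LOGIN_RE = re.compile(r"^aaa authentication login (\S+) (.+)$")
ENABLE_RE = re.compile(r"^aaa authentication enable default (.+)$")
AUTHZ_RE = re.compile(r"^aaa authorization (exec|commands \d+)\b")
ACCT_RE = re.compile(r"^aaa accounting (exec|commands \d+|connection)\b")
LINE_RE = re.compile(r"^line (.+)$")
LOGIN_AUTH_RE = re.compile(r"^login authentication (\S+)$")
TYPE7_RE = re.compile(r"(?:^|\s)(?:key|password) 7 \S+")
# Keywords that open a new top-level stanza and therefore close a 'line' stanza.
TOP_LEVEL = ("!", "end", "aaa ", "tacacs", "username", "interface", "ip ", "enable ")
methods = lambda spec: [t for t in spec.split() if t != "group"]  # 'group tacacs+ local' -> ['tacacs+', 'local']


def parse(config):
    cfg = {"login": {}, "enable": None, "authz": set(), "acct": set(), "lines": {}, "type7": 0}
    current = None  # the 'line ...' stanza we are inside, if any
    for raw in config.splitlines():
        text = raw.strip()
        if m := LINE_RE.match(text):
            current = m.group(1)
            cfg["lines"].setdefault(current, None)
        elif not text or text.startswith(TOP_LEVEL):
            current = None
        if current and (m := LOGIN_AUTH_RE.match(text)):
            cfg["lines"][current] = m.group(1)
        elif m := LOGIN_RE.match(text):
            cfg["login"][m.group(1)] = methods(m.group(2))
        elif m := ENABLE_RE.match(text):
            cfg["enable"] = methods(m.group(1))
        elif m := AUTHZ_RE.match(text):
            cfg["authz"].add(m.group(1))
        elif m := ACCT_RE.match(text):
            cfg["acct"].add(m.group(1))
        if TYPE7_RE.search(text):
            cfg["type7"] += 1
    return cfg


def effective_login_methods(cfg, line):
    """The list a line really uses: its own, else 'default'; with aaa new-model
    and no default list defined, IOS checks only the local user database."""
    name = cfg["lines"].get(line) or "default"
    if name in cfg["login"]:
        return name, cfg["login"][name]
    if name == "default":
        return "default (implicit)", ["local"]
    return name, None  # referenced but never defined: the 'list is not defined' warning


def audit(config):
    cfg = parse(config)
    findings = []
    for line in cfg["lines"]:
        name, m = effective_login_methods(cfg, line)
        if m is None:
            findings.append(f"UNDEFINED_LIST:{line}:{name}")
        elif line.startswith("con"):
            if m != ["local"]:
                findings.append(f"CONSOLE_NOT_LOCAL_ONLY:{line}")
        elif "tacacs+" not in m:
            findings.append(f"VTY_NO_TACACS:{line}")  # TACACS+ bypassed on this range
    if not cfg["enable"] or "tacacs+" not in cfg["enable"]:
        findings.append("ENABLE_AUTH_LOCAL_ONLY")  # 'enable' checks the local enable secret
    if "exec" not in cfg["authz"]:
        findings.append("NO_EXEC_AUTHZ")  # the server's priv-lvl is never applied
    if "commands 15" not in cfg["authz"]:
        findings.append("NO_CMD_AUTHZ_15")  # the server is never asked per command
    if not cfg["acct"]:
        findings.append("NO_ACCOUNTING")
    if cfg["type7"]:
        findings.append("TYPE7_SECRET")  # type 7 is a reversible encoding, not a hash
    return findings


if __name__ == "__main__":
    print(audit(ORIGINAL_CONFIG), audit(FINAL_CONFIG), sep="\n")
```

Pass the text of "show running-config" to audit(). On the rewritten config it reports, among other things, VTY_NO_TACACS for "vty 5 15" (that range has no login list, so with aaa new-model it falls back to the local user database and never touches the TACACS server), ENABLE_AUTH_LOCAL_ONLY (point 2 earlier in the thread: enable fell back to the local enable secret once "aaa authentication enable" was no longer configured) and NO_CMD_AUTHZ_15, which is why a read-only TACACS user can now run "reload": the switch never asks the server about individual commands.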

Hi Ben,

For the console access you have to use the username and password associated with the username Cisco if you are trying to authenticate using those credentials. If you try to use the enable secret it will not work. You have configured the Cisco username as privilege level 15 and hence this will not ask you for the enable password when you try to log in to the console, since this username already has level 15 privilege.

For point 3, could you briefly say which command you are referring to here? "I have tested it and it was working before I configure the last commande you recommended"

Please try after removing this command and see if that works as expected.

Regards

Najaf

Hi.

Unfortunately when I log in through CONSOLE with the user "Cisco" it still logs me in in "disabled mode", and to switch to exec mode I must use the "enable password" even though I configured the Cisco user with privilege 15.

For point 3, I tested two users on the switch.

Each user is a member of a different group.

User A1 is a member of "cisco admin group" and user B2 is a member of "cisco RO group".

Before I configured the following commands you recommended I was not able to run the “reload” command with the user B2 (and that was good because this is one of the restrictions of the group), but after I configured these commands he can run “reload” or any command that should be restricted for this user because he is a member of “cisco RO group” (in the TACACS server).

username Cisco priv 15 password Cisco
aaa new-model
aaa authentication login no_tacacs local
aaa authentication login TACACS group tacacs+ local
line con 0
 login authentication no_tacacs
line vty 0 4
 login authentication TACACS

Only a user that is a member of “cisco admin group” should have the permissions to run any command, and not users from “cisco RO group”.

Suggestions?

Regards

Ben

Hi Ben,

For point 1, which version of IOS are you running? This should work as expected and I'm not sure why this is not working for you. Also I'm not sure what you meant here by "it still logs mm in "disabled mode"".

For point 3 you could try setting authorization with the commands below.

aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local

Regards

Najaf

my switch version:

Switch Ports Model              SW Version            SW Image

------ ----- -----              ----------            ----------

*    1 26    WS-C2960-24TT-L    15.0(2)SE             C2960-LANBASEK9-M

For point 3 I tried to run the last commands but it didn't reach our goal.

Regards.

ben

Andre Toms
Level 1

On the TACACS server (if you're running on Linux anyway) you need to set privilege 15 for the admin group or user you have configured. Here is a snippet of my configuration for example:

        group = lv15 {
                default service = permit
                service = shell {
                        default command = permit
                        default attribute = permit
                        set priv-lvl = 15
                }
        }

Here you can see that it specifically sets ANY USER WHO MATCHES THIS GROUP to privilege level 15. This ties into an LDAP backend where users are added to the group that they need to be in.
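The stanza above is the admin side of the policy. For the read-only group this thread wants, the same format needs the opposite defaults (default command = deny) plus explicit "cmd = show { permit .* }" style clauses, and the switch has to actually send the authorization requests for that policy to matter. What follows is an added example written for this page, not tac_plus itself and not the poster's configuration: a parser for the brace format shown above, plus the two decisions the server makes for the TACACS+ shell service, the exec-start request (which returns priv-lvl) and the per-command request. The policy text, the user names A1 and B2, and the status strings are constructed; the rule that a cmd clause with no matching pattern denies is my reading of tac_plus semantics and is marked as an assumption in the code.

```python
"""Server-side TACACS+ shell authorization in the tac_plus config style.
Added example, not tac_plus itself and not from this thread: a parser for the
brace format in the post above plus the two decisions the server makes when the
switch sends exec-start and per-command authorization requests."""
import re

# Constructed policy: the admin group from the post above and a read-only group
# with the opposite defaults; users named as in the thread (A1 admin, B2 read-only).
TACPLUS_CONF = """
user = A1 {
    member = lv15
}
user = B2 {
    member = readonly
}
group = lv15 {
    default service = permit
    service = shell {
        default command = permit
        default attribute = permit
        set priv-lvl = 15
    }
}
group = readonly {
    default service = deny
    service = shell {
        default command = deny
        set priv-lvl = 1
        cmd = show {
            permit .*
        }
    }
}
"""


class Block:
    """One brace-delimited stanza: 'key = value' attributes, nested stanzas, rules."""
    def __init__(self):
        self.attrs, self.blocks, self.rules = {}, {}, []


def parse_tacplus(text):
    root = Block()
    stack = [root]
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):  # 'key = value {' opens a nested stanza
            key, _, value = line[:-1].partition("=")
            child = Block()
            stack[-1].blocks[(key.strip(), value.strip())] = child
            stack.append(child)
        elif line == "}":
            stack.pop()
        elif line.split()[0] in ("permit", "deny"):  # regex over the command arguments
            action, pattern = line.split(None, 1)
            stack[-1].rules.append((action, re.compile(pattern)))
        else:  # plain 'key = value' attribute, e.g. 'set priv-lvl = 15'
            key, _, value = line.partition("=")
            stack[-1].attrs[key.strip()] = value.strip()
    return root


def shell_service(root, user):
    """The user's group and its 'service = shell' stanza; (None, None) if unknown."""
    ublk = root.blocks.get(("user", user))
    grp = root.blocks.get(("group", ublk.attrs.get("member"))) if ublk else None
    return grp, (grp.blocks.get(("service", "shell")) if grp else None)


def exec_authorization(root, user):
    """Reply to the exec-start request (service=shell, empty cmd): status and the
    attributes the switch applies, e.g. priv-lvl. Only sent with 'aaa authorization exec'."""
    grp, shell = shell_service(root, user)
    if shell is None:
        ok = grp is not None and grp.attrs.get("default service") == "permit"
        return ("PASS_ADD", {}) if ok else ("FAIL", {})
    return "PASS_ADD", {k[4:]: v for k, v in shell.attrs.items() if k.startswith("set ")}


def command_authorization(root, user, command):
    """Reply to a per-command request (service=shell, cmd=<name>, cmd-arg=<args>).
    Only sent when 'aaa authorization commands <level>' covers the command's level."""
    grp, shell = shell_service(root, user)
    if shell is None:
        return "FAIL"
    name, _, args = command.strip().partition(" ")
    clause = shell.blocks.get(("cmd", name))
    if clause is None:  # no clause for this command: the group's default applies
        return "PASS" if shell.attrs.get("default command") == "permit" else "FAIL"
    for action, rx in clause.rules:  # first matching pattern wins
        if rx.search(args):
            return "PASS" if action == "permit" else "FAIL"
    return "FAIL"  # assumption: a cmd clause with no matching pattern denies


def switch_decision(root, user, command, cmd_authz_configured):
    """What the switch does with a level-15 command. Without 'aaa authorization
    commands 15' it never asks the server, so the policy above is never consulted."""
    if not cmd_authz_configured:
        return "PASS"
    return command_authorization(root, user, command)


POLICY = parse_tacplus(TACPLUS_CONF)
```

switch_decision() makes the thread's point explicit: with "aaa authorization commands 15" absent from the switch, the server-side policy is never consulted, so B2's "reload" goes through no matter what the read-only group says; with it present, the server answers FAIL for reload and PASS for show commands, while A1 is permitted everything by "default command = permit".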
