09-08-2021 05:42 AM
hi,
I have an NCS router running IOS-XR.
There was some issue with routing on the MGMT VRF and reachability to ISE/TACACS+, so I tried to log in using the local user/PW.
I was able to log in/authenticate using the local account, but I wasn't able to issue any commands.
Can someone advise if there's a missing username 'group' that I should add, or is there a missing AAA command 'authorization' line?
RP/0/RP0/CPU0:NCS#sh ip int b
Command authorization failed
RP/0/RP0/CPU0:NCS#conf t
Command authorization failed
RP/0/RP0/CPU0:NCS#sh run aaa
Wed Sep 8 12:32:07.570 UTC
username cisco-admin
 group root-lr
 group cisco-support
 secret <SECRET PW>
!
aaa accounting exec default start-stop group ISE-GRP
aaa accounting system default start-stop group ISE-GRP
aaa accounting commands default stop-only group ISE-GRP
aaa group server tacacs+ ISE-GRP
 vrf Mgmt-intf
 server-private 10.1.1.2 port 49
  key <KEY>
 !
!
aaa authorization exec default group ISE-GRP local
aaa authorization commands default group ISE-GRP
aaa authentication login default group ISE-GRP local
RP/0/RP0/CPU0:NCS#conf t
Wed Sep 8 12:30:35.931 UTC
RP/0/RP0/CPU0:NCS(config)#username cisco-admin
RP/0/RP0/CPU0:NCS(config-un)#group ?
WORD Name of the user group
cisco-support Cisco support personnel
maintenance Maintenance group
netadmin Network administrators group
operator Operator group
provisioning Provisioning group
read-only-tg Read only group
retrieve Retrieve group
root-lr Root LR group
serviceadmin Service administrators group
sysadmin System administrators group
WORD Name of the user group
09-08-2021 05:52 AM
Hello @johnlloyd_13 ,
you should provide a fallback to local for both authorization commands:
>>aaa authorization exec default group ISE-GRP local
aaa authorization commands default group ISE-GRP ! here local is missing
aaa authentication login default group ISE-GRP local
Hope to help
Giuseppe
09-08-2021 05:59 AM
hi Giuseppe,
I did check on that earlier. There's no 'local' available as a fallback method?
I was thinking maybe I could set it to 'none' for the second method?
RP/0/RP0/CPU0:NCS#conf t
Wed Sep 8 12:56:41.600 UTC
RP/0/RP0/CPU0:NCS(config)#aaa authorization commands default group ISE-GRP ?
group Use Server-group
none no authorization
<cr>
09-08-2021 06:37 AM - edited 09-08-2021 06:45 AM
Hello @johnlloyd_13 ,
in IOS and IOS XE there should be an authenticated or already-authenticated option that would be a fit for your needs;
if-authenticated should be the exact keyword in IOS / IOS XE.
You need to find the equivalent for IOS XR.
Edit:
I see you have already provided the available options. I agree on none as the fallback option; otherwise, in case of failure of the AAA servers or connectivity issues, you cannot change the configuration.
Hope to help
Giuseppe
09-08-2021 08:35 PM
hi Giuseppe,
I added 'none' as the second/fallback method and it worked, or at least didn't lock me out from issuing commands.
aaa authorization commands default group ISE-GRP none
RP/0/RP0/CPU0:Sep 9 03:16:11.364 UTC: ifmgr[302]: %PKT_INFRA-LINK-3-UPDOWN : Interface MgmtEth0/RP0/CPU0/0, changed state to Down
Username: cisco-admin
Password:
RP/0/RP0/CPU0:NCS#sh ip int b
Thu Sep 9 03:16:27.100 UTC
Interface IP-Address Status Protocol Vrf-Name
<SNIP OUTPUT>
09-10-2021 03:12 AM
Hello @johnlloyd_13 ,
this is fine.
have you tested if you are able to enter configuration mode when the AAA server is not reachable, using the locally defined account?
I think this is the most critical part to check.
Hope to help
Giuseppe
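The whole thread comes down to one audit question: which AAA method lists on the box depend only on the TACACS+ server group, with no second method to fall back to when the Mgmt VRF loses reachability? The script below is an added example (not from the thread or from Cisco) that parses `show run aaa` text in the form shown above, reports authentication/authorization method lists whose every method is a `group`, and separately flags lists that fall back to `none`, since on this platform `none` means no command authorization at all when ISE-GRP is unreachable, which is exactly the state Giuseppe asks to test. The sample config is the thread's own output with the secret and key kept as placeholders; the function names are mine.

```python
import re
from typing import Dict, List, NamedTuple

class MethodList(NamedTuple):
    service: str        # e.g. "authorization commands"
    name: str           # method-list name, e.g. "default"
    methods: List[str]  # e.g. ["group ISE-GRP", "local"]

# Constructed sample: the thread's 'show run aaa' output, with the
# secret and shared key left as the same placeholders the poster used.
SAMPLE_RUNNING_AAA = """\
username cisco-admin
 group root-lr
 group cisco-support
 secret <SECRET PW>
!
aaa accounting exec default start-stop group ISE-GRP
aaa accounting system default start-stop group ISE-GRP
aaa accounting commands default stop-only group ISE-GRP
aaa group server tacacs+ ISE-GRP
 vrf Mgmt-intf
 server-private 10.1.1.2 port 49
  key <KEY>
 !
!
aaa authorization exec default group ISE-GRP local
aaa authorization commands default group ISE-GRP
aaa authentication login default group ISE-GRP local
"""

# Matches the login-authentication and exec/commands-authorization lines only;
# accounting lines are deliberately ignored (they do not gate access).
_METHOD_LINE = re.compile(
    r"^aaa (authentication login|authorization (?:exec|commands)) (\S+) (.+)$"
)

def parse_method_lists(config: str) -> List[MethodList]:
    """Extract every authentication/authorization method list from running-config text."""
    lists = []
    for raw in config.splitlines():
        m = _METHOD_LINE.match(raw.strip())
        if not m:
            continue
        service, name, rest = m.groups()
        tokens = rest.split()
        methods, i = [], 0
        while i < len(tokens):
            # "group <name>" is one method; every other keyword (local, none) is one token.
            if tokens[i] == "group" and i + 1 < len(tokens):
                methods.append(f"group {tokens[i + 1]}")
                i += 2
            else:
                methods.append(tokens[i])
                i += 1
        lists.append(MethodList(service, name, methods))
    return lists

def lists_without_fallback(config: str) -> Dict[str, List[str]]:
    """Method lists whose every method is a server group: if the group is
    unreachable there is nothing else to try, which is the 'Command
    authorization failed' lock-out from the thread."""
    return {
        f"{ml.service} {ml.name}": ml.methods
        for ml in parse_method_lists(config)
        if all(m.startswith("group ") for m in ml.methods)
    }

def lists_falling_back_to_none(config: str) -> List[str]:
    """Method lists that end in 'none'. They will not lock anyone out, but
    while the server group is down that service performs no authorization,
    so they deserve a documented decision rather than a silent default."""
    return [
        f"{ml.service} {ml.name}"
        for ml in parse_method_lists(config)
        if ml.methods and ml.methods[-1] == "none"
    ]

if __name__ == "__main__":
    for key, methods in lists_without_fallback(SAMPLE_RUNNING_AAA).items():
        print(f"NO FALLBACK: aaa {key} {' '.join(methods)}")
    for key in lists_falling_back_to_none(SAMPLE_RUNNING_AAA):
        print(f"OPEN WHEN SERVER DOWN: aaa {key}")
```

Run against the thread's original config it reports only `authorization commands default`, which matches Giuseppe's diagnosis; after appending `none` to that line it reports nothing under "no fallback" and one entry under "open when server down", which is the trade-off the last reply asks the poster to verify by testing with the AAA server unreachable.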