SG300-20 AAA Tacacs fallback issue

j.schouwenburg
Level 1

Hello, I have an issue with the following tacacs config:

enable password blabla123!
aaa authentication login default tacacs enable
aaa authentication enable default tacacs enable
line telnet
login authentication default
enable authentication default
password blabla456!
line ssh
login authentication default
enable authentication default
password blabla789!
!

So my goal is to use tacacs as the default authentication mechanism and fall back to the enable password if tacacs is unavailable. All works fine with tacacs. When tacacs is unavailable I get prompted for a password instead of a username. So far all works as expected. Now I try to enter the configured enable password or any of the other configured passwords, but all fail to work. Pressing enter instead (so no password) will grant me access to the exec level, that is totally wrong! From exec I can then enter the enable mode by supplying the enable password.

Is the entering of exec level without a password a bug or is my configuration wrong?

Running 1.4.0.88

1 Reply

j.schouwenburg
Level 1

Hello, I want to supply this issue with some extra information and experience:

  • "aaa authentication login default tacacs line" instead of "aaa authentication login default tacacs enable" does fall-back to the line password so that one works. So "tacacs enable" not working is definitely a bug
  • Configuring the switch with "aaa authentication login default tacacs line" works although I found another bug. After a reload the line telnet and line ssh work with tacacs, but the line console gives three chances to log in with only the line password. The right password grants access or when three times the wrong password is supplied the username prompt starts working. That should absolutely not happen
  • Logging authentication success and failure works when using the tacacs authentication, but when the fall-back authentication (line) is used as a fall-back then only successful authentication requests are logged, not the unsuccessful. This could be a bug or at least a feature request
  • Feature request: a way to close the console port completely (no exec). Now I used a workaround for all the former issues: "aaa authentication login default radius" and configure a non-existent radius server. Then all console access is blocked, also after a reload

All in all it is quite frustrating that all the basic knowledge that Cisco owns in IOS/XE/XR is not really incorporated into this OS. Some feedback would be appreciated.
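The thread turns on which fallback method ends each AAA login chain and which line types (telnet, ssh, console) that chain applies to, which the poster worked out by hand. The following script is an added example and is not from the thread or from Cisco; it parses an SG300-style AAA configuration, resolves the effective login-method chain per line type, and flags chains worth a second look. The sample configuration is constructed from the poster's config in the first post plus a named list "fallback-line" (a constructed name) in the style of the "tacacs line" variant from the reply. The ENABLE_FALLBACK flag encodes the poster's observation on firmware 1.4.0.88 (empty password granting exec), not a general property of the "enable" method; the NONE_METHOD and LINE_FALLBACK_NO_PASSWORD checks are generic AAA hygiene checks.

```python
import re
from collections import defaultdict

# Constructed sample config (based on the poster's SG300 config in the thread;
# the "fallback-line" list name is invented for this example).
SAMPLE_CONFIG = """\
enable password blabla123!
aaa authentication login default tacacs enable
aaa authentication enable default tacacs enable
aaa authentication login fallback-line tacacs line
line telnet
login authentication default
enable authentication default
password blabla456!
line ssh
login authentication fallback-line
enable authentication default
password blabla789!
line console
login authentication default
!
"""

AAA_RE = re.compile(r"aaa authentication (login|enable) (\S+) (.+)$")
LINE_RE = re.compile(r"line (\S+)$")
LINE_AUTH_RE = re.compile(r"(login|enable) authentication (\S+)$")


def parse_aaa(config):
    """Return (method_lists, lines).

    method_lists maps (service, list_name) -> ordered list of methods.
    lines maps line type -> {'login': list name, 'enable': list name,
    'password': whether a line password is set}.
    """
    method_lists = {}
    lines = defaultdict(lambda: {"login": None, "enable": None, "password": False})
    current = None  # line type whose sub-mode we are in, if any
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text.startswith("!"):
            continue
        m = AAA_RE.match(text)
        if m:
            service, name, methods = m.groups()
            method_lists[(service, name)] = methods.split()
            continue
        m = LINE_RE.match(text)
        if m:
            current = m.group(1)
            continue
        if current is None:
            continue  # global command we do not model (e.g. "enable password")
        m = LINE_AUTH_RE.match(text)
        if m:
            lines[current][m.group(1)] = m.group(2)
        elif text.startswith("password "):
            lines[current]["password"] = True
    return method_lists, dict(lines)


def analyze(config):
    """Return (chains, findings).

    chains maps line type -> effective login method chain (a line with no
    explicit "login authentication" uses the "default" list).
    findings maps line type -> list of flag codes.
    """
    method_lists, lines = parse_aaa(config)
    chains, findings = {}, {}
    for line_type, cfg in lines.items():
        chain = method_lists.get(("login", cfg["login"] or "default"), [])
        chains[line_type] = chain
        codes = []
        if not chain:
            codes.append("NO_LOGIN_LIST")        # no list resolves for this line
        if "none" in chain:
            codes.append("NONE_METHOD")          # "none" means no authentication at all
        if chain and chain[-1] == "enable":
            # Poster's report on 1.4.0.88: with TACACS down this fallback accepted
            # an empty password at the exec prompt. Assumption: worth flagging.
            codes.append("ENABLE_FALLBACK")
        if chain and chain[-1] == "line" and not cfg["password"]:
            codes.append("LINE_FALLBACK_NO_PASSWORD")  # fallback to a password that is not set
        findings[line_type] = codes
    return chains, findings


if __name__ == "__main__":
    chains, findings = analyze(SAMPLE_CONFIG)
    for line_type in chains:
        print(f"line {line_type:8} chain={' -> '.join(chains[line_type])}"
              f"  flags={findings[line_type] or '-'}")
```

Run against the sample, the script shows telnet and console resolving to "tacacs -> enable" (flagged ENABLE_FALLBACK) and ssh resolving to "tacacs -> line" with a line password present (no flags), which is the distinction the reply draws between the two method lists. The console entry deliberately carries no line password so that switching its list to "fallback-line" would surface LINE_FALLBACK_NO_PASSWORD.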