06-13-2019 01:48 PM - edited 06-13-2019 01:49 PM
Hi,
I've got a switch with the following AAA config, which lets me log in via SSH with local accounts as expected.

aaa new-model
!
aaa group server tacacs+ TACGRP
 server name tac1
 server name tac2
 ip tacacs source-interface Vlan1
!
aaa authentication login AUTH-TAC group TACGRP local
!
aaa authorization exec default local
aaa accounting update newinfo
!
aaa session-id common
!
line vty 0 4
 transport input ssh
!
The TACACS commands above are at this point not doing anything. I then enable TACACS authentication on the VTY lines.
line vty 0 4
 login authentication AUTH-TAC
!

At this point, authentication events start going to TACACS and succeed, but authorization starts failing. The login is accepted but before any prompt is displayed (user or exec), I get the "% Authorization failed." error. Local accounts cannot log in at this point either, so essentially I'm locked out if I close the current session.
I'm not sure why authorization is failing, since it should still be local. I cannot see any authorization attempts on the TACACS server, which is correct. I've followed the same process on other switches (same IOS) and at this point TACACS users can log in, are placed into user mode and have to use the local enable password to get into exec mode. Below are the relevant debug logs.
: TPLUS: Invalid Client information received as input
: AAA/AUTHOR (0x870): Pick method list 'default' - FAIL
: AAA/AUTHOR/EXEC(00000870): Authorization FAILED
The switch also has some Radius config but only dot1x/network related, not authentication/authorization.
Image: C2960X-UNIVERSALK9-M, 15.2(2)E4, RELEASE SOFTWARE (fc2)
Any help appreciated.
06-16-2019 03:57 PM
The issue was with the 'aaa authorization exec default local' command already being present on this device.
I guess it makes sense, because by default VTY lines use the default authorization list for authorization, so when a user logs in via VTY it tries to authorize them locally, but it can't as the account doesn't exist. By removing this line, we tell the switch not to authorize people getting into priv mode, at which point it'll just prompt for the enable password. I think creating a local account with the same username/pwd would have also worked as a test.
no aaa authorization exec default local
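As an added check, not from the thread or from Cisco, here is a small Python lint that parses an IOS-style config and flags the combination described above: a VTY line whose login list reaches a TACACS+ group while the exec authorization list it uses is local-only. It generalises slightly in treating an exec list that also includes a group (e.g. "group TACGRP local") as safe; the sample config is constructed from the thread's snippets.

```python
import re

# Constructed sample: the config from the thread, before the fix was applied.
CONFIG_BEFORE = """\
aaa new-model
aaa group server tacacs+ TACGRP
 server name tac1
 server name tac2
aaa authentication login AUTH-TAC group TACGRP local
aaa authorization exec default local
line vty 0 4
 transport input ssh
 login authentication AUTH-TAC
!
"""


def exec_lockout_findings(config: str) -> list:
    """Flag VTY lines whose login list uses a TACACS+/RADIUS group while the
    exec authorization list they use is local-only. TACACS-only users then
    hit '% Authorization failed' before any prompt, as in the thread."""
    login, author = {}, {}   # method-list name -> method string
    vtys = []                # one dict per 'line vty' block
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"aaa authentication login (\S+) (.+)", line):
            login[m[1]] = m[2]
        elif m := re.match(r"aaa authorization exec (\S+) (.+)", line):
            author[m[1]] = m[2]
        elif m := re.match(r"line vty (.+)", line):
            # VTY lines fall back to the 'default' lists unless overridden.
            current = {"vty": m[1], "login": "default", "exec": "default"}
            vtys.append(current)
        elif line.startswith("line ") or line == "!":
            current = None   # end of the vty block
        elif current and (m := re.match(r"login authentication (\S+)", line)):
            current["login"] = m[1]
        elif current and (m := re.match(r"authorization exec (\S+)", line)):
            current["exec"] = m[1]
    findings = []
    for v in vtys:
        auth_methods = login.get(v["login"], "")
        exec_methods = author.get(v["exec"])  # None: no exec authorization configured
        if "group" in auth_methods and exec_methods and "group" not in exec_methods:
            findings.append(f"line vty {v['vty']}: login via '{v['login']}' "
                            f"({auth_methods}) but exec authorization "
                            f"'{v['exec']}' is {exec_methods!r}")
    return findings
```

Running it against the thread's config reports the vty 0 4 lockout; with the 'aaa authorization exec default local' line removed, or replaced by a list that includes the TACACS+ group, it reports nothing.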