AAA Question - Console access if TACACS+ is up

RAMAN AZIZIAN
Level 1

Hello Techies,

I have configured my switch to authenticate to TACACS via ISE. If my switch is communicating with TACACS, should I be able to access the console if I have specifically created a named list that indicates the authentication should be pointed to the local database?

When I do shut down the interface pointing to the TACACS, then I am able to access the console via my local user account that I have created.

Be glad to provide additional information if needed.

Here's my config:

aaa new-model
!
aaa authentication login CON local
aaa authentication login VTY group ise-pan local
!
aaa authorization console
aaa authorization config-commands
aaa authorization exec CON local
aaa authorization exec VTY group ise-pan if-authenticated
aaa authorization commands 15 default group ise-pan local none
!
aaa accounting exec default start-stop group ise-pan
aaa accounting commands 15 default start-stop group ise-pan
aaa accounting system default start-stop group ise-pan
!
line con 0
 authorization exec CON
 login authentication CON
!
line vty 5 15
 authorization exec VTY
 login authentication VTY

Accepted Solution

Hello

Try adding:

conf t
aaa authorization commands 0 CON none
aaa authorization commands 1 CON none
aaa authorization commands 15 CON none


line con 0
authorization commands 0 CON
authorization commands 1 CON
authorization commands 15 CON


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

4 Replies


Hi Paul,

Thank you for taking the time and posting. I was able to apply what you suggested, and it is working now.

Have a great week.

raman

derek-shnosh
Level 1

I just went through this yesterday on a new 3650 running IOS-XE 16.3.6. Using the same configuration, the switch was using the CON method list for login authentication, but using the VTY method list for authorization; i.e. sending exec and command authorizations to TACACS (ISE).

Ultimately I ended up with the following config to meet my requirements:

Config

line con 0
 exec-timeout 15 0
 logging synchronous
 login authentication CON
line vty 0 15
 exec-timeout 30 0
 logging synchronous
 transport input ssh
!
aaa authentication login CON local
aaa authentication login default group ISE-TACACS local
aaa authorization console
aaa authorization exec default local group ISE-TACACS if-authenticated

Results

  • Console connections use the CON method list to authenticate and the default method list to authorize against local switch user(s) privileges.
  • SSH connections use the default method list to authenticate and authorize against ISE/TACACS policies.
  • The default authorization method list includes local and the ISE-TACACS group; the users authorize to whichever credential/method they authenticated with.
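The accepted fix and Derek's observation come down to the same IOS rule: for each AAA decision (login authentication, exec authorization, command authorization per privilege level) a line uses the named list bound under `line con 0`; if none is bound, the `default` list applies when one exists. The original config bound CON for login and exec but bound nothing for command authorization, so level-15 commands on the console still went through `aaa authorization commands 15 default`, which starts with the ISE server group. The Python below is an added example written for this thread (not the posters' code and not a Cisco tool): it parses a config in the format shown above, applies that rule, and lists every console decision that would have to reach a server group. The two config strings are constructed from the thread's own config and the accepted solution; the parser only models the three decision types named here and assumes a one-space indent under `line` sections, as in the posted config.

```python
"""Audit which AAA method lists actually govern a Cisco IOS console line.

Added example for this thread (not the posters' or Cisco's code). Models the IOS
rule: a line uses the named list bound under `line con 0`, otherwise the
`default` list if one is defined; reports console decisions that depend on a
TACACS+/RADIUS server group.
"""
from typing import Dict, List, Optional, Tuple

Methods = List[str]
ListKey = Tuple[str, Optional[int], str]   # (kind, command level or None, list name)
Binding = Tuple[str, Optional[int]]        # (kind, command level or None)

# Constructed sample: the original poster's config from this thread.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login CON local
aaa authentication login VTY group ise-pan local
aaa authorization console
aaa authorization config-commands
aaa authorization exec CON local
aaa authorization exec VTY group ise-pan if-authenticated
aaa authorization commands 15 default group ise-pan local none
aaa accounting exec default start-stop group ise-pan
line con 0
 authorization exec CON
 login authentication CON
line vty 5 15
 authorization exec VTY
 login authentication VTY
"""

# Constructed sample: the same config plus the lines from the accepted solution.
FIXED_CONFIG = SAMPLE_CONFIG + """\
aaa authorization commands 0 CON none
aaa authorization commands 1 CON none
aaa authorization commands 15 CON none
line con 0
 authorization commands 0 CON
 authorization commands 1 CON
 authorization commands 15 CON
"""


def _parse_methods(tokens: List[str]) -> Methods:
    """Fold 'group <name>' into one token so remote server groups stand out."""
    methods: Methods = []
    i = 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append(f"group {tokens[i + 1]}")
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def parse_config(text: str) -> Tuple[Dict[ListKey, Methods], Dict[str, Dict[Binding, str]]]:
    """Return (global method lists, per-line list bindings) from IOS config text."""
    lists: Dict[ListKey, Methods] = {}
    lines: Dict[str, Dict[Binding, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        tok = raw.split()
        if not raw.startswith((" ", "\t")):          # global-mode command
            current = None
            if tok[:3] == ["aaa", "authentication", "login"]:
                lists[("login", None, tok[3])] = _parse_methods(tok[4:])
            elif tok[:3] == ["aaa", "authorization", "exec"]:
                lists[("exec", None, tok[3])] = _parse_methods(tok[4:])
            elif tok[:3] == ["aaa", "authorization", "commands"]:
                lists[("commands", int(tok[3]), tok[4])] = _parse_methods(tok[5:])
            elif tok[0] == "line":
                current = " ".join(tok[1:])        # e.g. "con 0", "vty 5 15"
                lines.setdefault(current, {})
            continue
        if current is None:
            continue                                  # indented line outside a line section
        if tok[:2] == ["login", "authentication"]:
            lines[current][("login", None)] = tok[2]
        elif tok[:2] == ["authorization", "exec"]:
            lines[current][("exec", None)] = tok[2]
        elif tok[:2] == ["authorization", "commands"]:
            lines[current][("commands", int(tok[2]))] = tok[3]
    return lists, lines


def effective(lists: Dict[ListKey, Methods], bindings: Dict[Binding, str],
              kind: str, level: Optional[int]) -> Tuple[Optional[str], Methods]:
    """Apply the IOS rule: bound named list, else 'default' if defined, else nothing."""
    name = bindings.get((kind, level))
    if name is None and (kind, level, "default") in lists:
        name = "default"
    if name is None:
        return None, []
    return name, lists.get((kind, level, name), [])


def audit_console(text: str) -> List[str]:
    """List every console-line AAA decision whose method list includes a server group."""
    lists, lines = parse_config(text)
    checks: List[Binding] = [("login", None), ("exec", None)]
    checks += [("commands", lvl) for lvl in range(16)]
    findings: List[str] = []
    for line_name, bindings in lines.items():
        if not line_name.startswith("con"):
            continue
        for kind, level in checks:
            name, methods = effective(lists, bindings, kind, level)
            if any(m.startswith("group ") for m in methods):
                what = kind if level is None else f"{kind} {level}"
                findings.append(f"line {line_name}: {what} uses list '{name}' -> {' '.join(methods)}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("original", SAMPLE_CONFIG), ("with accepted fix", FIXED_CONFIG)):
        print(f"== {label} ==")
        for f in audit_console(cfg) or ["no console decision depends on a server group"]:
            print(" ", f)
```

Run against the original config the audit reports exactly one item, `commands 15` on `con 0` resolving to `default -> group ise-pan local none`; with the accepted solution's lines appended it reports nothing, because every console decision now resolves to a CON list containing only `local` or `none`. Feeding `show running-config` output from another device works as long as line sections keep their indentation.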

Hello Derek,

Thanks for taking the time to reply and provide a suggestion. I will try what you have suggested. I did try what Paul provided and it is working.

Thanks,

raman
