08-10-2018 01:24 PM - edited 03-08-2019 03:52 PM
Hello Techies,
I have configured my switch to authenticate to TACACS via ISE. If my switch is communicating with TACACS, should I be able to access the console if I have specifically created a named list that indicates the authentication should be pointed to the local database?
When I do shut down the interface pointing to the TACACS, then I am able to access the console via my local user account that I have created.
I'd be glad to provide additional information if needed.
Thanks,
raman
Here's my config:
aaa new-model
!
aaa authentication login CON local
aaa authentication login VTY group ise-pan local
!
aaa authorization console
aaa authorization config-commands
aaa authorization exec CON local
aaa authorization exec VTY group ise-pan if-authenticated
aaa authorization commands 15 default group ise-pan local none
!
aaa accounting exec default start-stop group ise-pan
aaa accounting commands 15 default start-stop group ise-pan
aaa accounting system default start-stop group ise-pan
!
line con 0
authorization exec CON
login authentication CON
!
line vty 5 15
authorization exec VTY
login authentication VTY
08-10-2018 01:35 PM - edited 08-10-2018 01:36 PM
Hello
Try adding:
conf t
aaa authorization commands 0 CON none
aaa authorization commands 1 CON none
aaa authorization commands 15 CON none
line con 0
authorization commands 0 CON
authorization commands 1 CON
authorization commands 15 CON
08-13-2018 05:09 AM
Hi Paul,
Thank you for taking the time and posting. I was able to apply what you suggested, and it is working now.
Have a great week.
raman
08-10-2018 01:49 PM - edited 08-10-2018 02:03 PM
I just went through this yesterday on a new 3650 running IOS-XE 16.3.6. Using the same configuration, the switch was using the CON method list for login authentication, but using the VTY method list for authorization; i.e. sending exec and command authorizations to TACACS (ISE).
Ultimately I ended up with the following config to meet my requirements:
Config
line con 0
exec-timeout 15 0
logging synchronous
login authentication CON
line vty 0 15
exec-timeout 30 0
logging synchronous
transport input ssh
!
aaa authentication login CON local
aaa authentication login default group ISE-TACACS local
aaa authorization console
aaa authorization exec default local group ISE-TACACS if-authenticated
Results
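The behaviour described in Paul's and Derek's replies (console login uses the CON list, but any kind of authorization without a named list on `line con 0` falls through to the `default` list, which points at ISE) can be checked offline against a running-config. The script below is an added example, not from any of the posts; it assumes an IOS-style config where line sub-commands are indented by one space, and the sample config is constructed from the original poster's lists with the console command-authorization lists left out.

```python
import re

# Constructed sample: the poster's AAA lists, without the console
# command-authorization lists from the accepted answer, so the audit
# shows "commands 15" on con 0 falling through to the "default" list.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login CON local
aaa authentication login VTY group ise-pan local
aaa authorization exec CON local
aaa authorization exec VTY group ise-pan if-authenticated
aaa authorization commands 15 default group ise-pan local none
line con 0
 authorization exec CON
 login authentication CON
line vty 5 15
 authorization exec VTY
 login authentication VTY
"""

# Global method-list definitions: kind, list name, method tokens.
LIST_RE = re.compile(
    r"^aaa (authentication login|authorization exec|authorization commands \d+) (\S+) (.+)$")
# Per-line application of a named list (IOS word order differs per kind).
APPLY_RE = re.compile(
    r"^(?:login (authentication)|(authorization exec)|(authorization commands \d+)) (\S+)$")

def parse_config(text):
    """Return (lists, lines): lists[(kind, name)] -> methods, lines[line][kind] -> list name."""
    lists, lines, current = {}, {}, None
    for raw in text.splitlines():
        s = raw.strip()
        m = LIST_RE.match(s)
        if m:
            lists[(m.group(1), m.group(2))] = m.group(3).split()
        elif s.startswith("line "):
            current = s[5:]
            lines.setdefault(current, {})
        elif raw[:1].isspace() and current:
            a = APPLY_RE.match(s)
            if a:
                kind = "authentication login" if a.group(1) else (a.group(2) or a.group(3))
                lines[current][kind] = a.group(4)
        else:
            current = None  # unindented non-line command ends the line block
    return lists, lines

def effective_lists(text):
    """Resolve, per line and per kind of list defined anywhere in the config, the
    (list name, methods) that actually applies: a named list if one is applied to
    the line, otherwise "default" (empty methods if no default list exists)."""
    lists, lines = parse_config(text)
    kinds, out = {kind for kind, _ in lists}, {}
    for line, applied in lines.items():
        out[line] = {}
        for kind in sorted(kinds):
            name = applied.get(kind, "default")
            out[line][kind] = (name, lists.get((kind, name), []))
    return out

def console_kinds_hitting_server(text):
    """Authorization kinds on 'con 0' whose effective list contains an AAA server
    group ('group <name>'): these requests leave the box for ISE instead of staying
    local, which is what kept the poster's local account out of the console."""
    con = effective_lists(text).get("con 0", {})
    return [kind for kind, (_, methods) in sorted(con.items())
            if kind.startswith("authorization") and "group" in methods]

if __name__ == "__main__":
    for kind in console_kinds_hitting_server(SAMPLE_CONFIG):
        print("con 0:", kind, "is sent to an AAA server group")
```

Appending the accepted answer's `aaa authorization commands 15 CON none` plus `authorization commands 15 CON` under `line con 0` to the sample makes the audit return an empty list.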
08-13-2018 05:13 AM
Hello Derek,
Thanks for taking the time to reply and provide a suggestion. I will try what you have suggested. I did try what Paul provided and it is working.
Thanks,
raman