AAA Question - Console access if TACACS+ is up

Hello Techies,

I have configured my switch to authenticate to TACACS via ISE. If my switch is communicating with TACACS, should I be able to access the console if I have specifically created a named list that indicates the authentication should be pointed to the local database?

When I shut down the interface pointing to TACACS, I am able to access the console via the local user account that I have created.

Be glad to provide additional information if needed.

Thanks,

raman

Here's my config:

aaa new-model
!
aaa authentication login CON local
aaa authentication login VTY group ise-pan local
!
aaa authorization console
aaa authorization config-commands
aaa authorization exec CON local
aaa authorization exec VTY group ise-pan if-authenticated
aaa authorization commands 15 default group ise-pan local none
!
aaa accounting exec default start-stop group ise-pan
aaa accounting commands 15 default start-stop group ise-pan
aaa accounting system default start-stop group ise-pan

!
line con 0
 authorization exec CON
 login authentication CON
!
line vty 5 15
 authorization exec VTY
 login authentication VTY

ACCEPTED SOLUTION

Re: AAA Question - Console access if TACACS+ is up

Hello

Try adding:

conf t
aaa authorization commands 0 CON none
aaa authorization commands 1 CON none
aaa authorization commands 15 CON none


line con 0
authorization commands 0 CON
authorization commands 1 CON
authorization commands 15 CON



kind regards
Paul

Please don't forget to rate any posts that have been helpful.
4 REPLIES

Re: AAA Question - Console access if TACACS+ is up

Hi Paul,

Thank you for taking the time to post. I was able to apply what you suggested, and it is working now.

Have a great week.

raman

Re: AAA Question - Console access if TACACS+ is up

I just went through this yesterday on a new 3650 running IOS-XE 16.3.6. Using the same configuration, the switch was using the CON method list for login authentication, but using the VTY method list for authorization; i.e. sending exec and command authorizations to TACACS (ISE).

Ultimately I ended up with the following config to meet my requirements:

Config

line con 0
 exec-timeout 15 0
 logging synchronous
 login authentication CON
line vty 0 15
 exec-timeout 30 0
 logging synchronous
 transport input ssh
!
aaa authentication login CON local
aaa authentication login default group ISE-TACACS local
aaa authorization console
aaa authorization exec default local group ISE-TACACS if-authenticated

Results

  • Console connections use the CON method list to authenticate and the default method list to authorize against local switch user(s) privileges.
  • SSH connections use the default method list to authenticate and authorize against ISE/TACACS policies.
  • The default authorization method list includes local and the ISE-TACACS group; the users authorize to whichever credential/method they authenticated with.
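An added example, not code from any poster in this thread or from Cisco: the Python script below parses the AAA method lists and the `line con 0` bindings out of a running-config excerpt and reports which list actually governs console login, exec authorization and level-15 command authorization, which is the mismatch behind the original question. The resolution order it models is an assumption taken from documented IOS behaviour (a list bound on the line wins, else the `default` list, else the built-in fallback: the local database for login, no authorization when no list exists at all), and it flags a list as server-dependent when its first method is `group ...`, because a later `local` is only tried when the server is unreachable, not when a reachable server rejects the user. The three embedded configs are constructed excerpts trimmed from the posts above: the original, the original plus Paul's accepted fix, and Derek's variant.

```python
import re
from collections import namedtuple
from dataclasses import dataclass, field

# list_name: the list the console resolved to; needs_server: first method is 'group ...'
Verdict = namedtuple("Verdict", "list_name methods needs_server")


@dataclass
class AaaConfig:
    login_lists: dict = field(default_factory=dict)   # name -> [methods]
    authz_lists: dict = field(default_factory=dict)   # (kind, name) -> [methods]
    con_bindings: dict = field(default_factory=dict)  # kind -> list name bound on 'line con 0'
    authz_console: bool = False                       # 'aaa authorization console' present


def methods(spec: str) -> list:
    """Split a method string, keeping 'group <name>' as one method ('group ise-pan local none' -> 3)."""
    return re.findall(r"group \S+|\S+", spec)


def parse(config: str) -> AaaConfig:
    """Collect AAA method lists and the lists bound on the console line."""
    cfg, in_console = AaaConfig(), False
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw[0] not in " \t":  # unindented: a top-level command ends any 'line' section
            in_console = line.startswith("line con ")
        if line == "aaa authorization console":
            cfg.authz_console = True
        elif m := re.match(r"aaa authentication login (\S+) (.+)", line):
            cfg.login_lists[m[1]] = methods(m[2])
        elif m := re.match(r"aaa authorization exec (\S+) (.+)", line):
            cfg.authz_lists[("exec", m[1])] = methods(m[2])
        elif m := re.match(r"aaa authorization commands (\d+) (\S+) (.+)", line):
            cfg.authz_lists[(f"commands {m[1]}", m[2])] = methods(m[3])
        elif in_console:
            if m := re.match(r"login authentication (\S+)", line):
                cfg.con_bindings["login"] = m[1]
            elif m := re.match(r"authorization exec (\S+)", line):
                cfg.con_bindings["exec"] = m[1]
            elif m := re.match(r"authorization commands (\d+) (\S+)", line):
                cfg.con_bindings[f"commands {m[1]}"] = m[2]
    return cfg


def audit_console(config: str) -> dict:
    """Resolve the list that really governs console login, exec and level-15 command authorization.

    Assumed order (documented IOS behaviour): list bound on 'line con 0', else 'default',
    else the built-in fallback (login -> local database, authorization -> not performed).
    """
    cfg, verdicts = parse(config), {}
    name = cfg.con_bindings.get("login", "default")
    meth = cfg.login_lists.get(name, ["local"])
    verdicts["login"] = Verdict(name, meth, meth[0].startswith("group "))
    for kind in ("exec", "commands 15"):
        if not cfg.authz_console:  # without this command the console skips authorization entirely
            verdicts[kind] = Verdict("(console authorization off)", ["none"], False)
            continue
        name = cfg.con_bindings.get(kind, "default")
        meth = cfg.authz_lists.get((kind, name), ["none"])
        verdicts[kind] = Verdict(name, meth, meth[0].startswith("group "))
    return verdicts


# Constructed excerpts, trimmed from the configs posted in this thread.
ORIGINAL = """\
aaa authentication login CON local
aaa authorization console
aaa authorization exec CON local
aaa authorization commands 15 default group ise-pan local none
line con 0
 authorization exec CON
 login authentication CON
line vty 5 15
 login authentication VTY
"""
FIXED = ORIGINAL + """\
aaa authorization commands 15 CON none
line con 0
 authorization commands 15 CON
"""
DEREK = """\
aaa authentication login CON local
aaa authentication login default group ISE-TACACS local
aaa authorization console
aaa authorization exec default local group ISE-TACACS if-authenticated
line con 0
 login authentication CON
"""

if __name__ == "__main__":
    for label, text in (("original", ORIGINAL), ("with Paul's fix", FIXED), ("Derek's", DEREK)):
        print(f"--- {label}")
        for kind, v in audit_console(text).items():
            print(f"{kind:12} list={v.list_name:28} methods={v.methods}  "
                  + ("TACACS decides" if v.needs_server else "local/none first"))
```

Run as a script it prints one verdict per function. For the original excerpt the console's `login` and `exec` resolve to `CON` = `local`, but `commands 15` has no list bound on the console line and so resolves to `default` = `group ise-pan local none`, a server-dependent list; after Paul's two lines it resolves to `CON` = `none`. Derek's excerpt resolves `exec` to `default` = `local group ISE-TACACS if-authenticated`, which is local-first, so a local console user is authorized without the server being asked.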
Re: AAA Question - Console access if TACACS+ is up

Hello Derek,

Thanks for taking the time to reply and provide a suggestion. I will try what you have suggested. I did try what Paul provided and it is working.

Thanks,

raman