08-10-2018 01:24 PM - edited 03-08-2019 03:52 PM
Hello Techies,
I have configured my switch to authenticate to TACACS via ISE. If my switch is communicating with TACACS, should I be able to access the console if I have specifically created a named list that indicates the authentication should be pointed to the local database?
When I shut down the interface pointing to the TACACS server, I am able to access the console via the local user account that I created.
Be glad to provide additional information if needed.
Thanks,
raman
Here's my config:
aaa new-model
!
aaa authentication login CON local
aaa authentication login VTY group ise-pan local
!
aaa authorization console
aaa authorization config-commands
aaa authorization exec CON local
aaa authorization exec VTY group ise-pan if-authenticated
aaa authorization commands 15 default group ise-pan local none
!
aaa accounting exec default start-stop group ise-pan
aaa accounting commands 15 default start-stop group ise-pan
aaa accounting system default start-stop group ise-pan
!
line con 0
 authorization exec CON
 login authentication CON
!
line vty 5 15
 authorization exec VTY
 login authentication VTY
08-10-2018 01:35 PM - edited 08-10-2018 01:36 PM
Hello
Try adding:
conf t
aaa authorization commands 0 CON none
aaa authorization commands 1 CON none
aaa authorization commands 15 CON none
line con 0
 authorization commands 0 CON
 authorization commands 1 CON
 authorization commands 15 CON
08-13-2018 05:09 AM
Hi Paul,
Thank you for taking the time and posting. I was able to apply what you suggested, and it is working now.
Have a great week.
raman
08-10-2018 01:49 PM - edited 08-10-2018 02:03 PM
I just went through this yesterday on a new 3650 running IOS-XE 16.3.6. Using the same configuration, the switch was using the CON method list for login authentication, but using the VTY method list for authorization; i.e. sending exec and command authorizations to TACACS (ISE).
Ultimately I ended up with the following config to meet my requirements:
Config
line con 0
 exec-timeout 15 0
 logging synchronous
 login authentication CON
line vty 0 15
 exec-timeout 30 0
 logging synchronous
 transport input ssh
!
aaa authentication login CON local
aaa authentication login default group ISE-TACACS local
aaa authorization console
aaa authorization exec default local group ISE-TACACS if-authenticated
Results
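Added example (not from either reply above, and not raman's running config): one complete configuration that applies the console fix Paul suggests while keeping VTY access on ISE, so the three console method lists can be seen together. The reason the original config behaves as described is that `line con 0` carries CON lists for login and exec authorization but no `authorization commands` lists, so command authorization on the console (and, because of `aaa authorization config-commands`, every config-mode command as well) falls through to the `default` list, `group ise-pan local none`. While ISE is reachable, the locally authenticated console user's commands are sent to ISE; only when ISE is unreachable does that list fall back to `local` and then `none`, which is exactly why the console started working once the TACACS-facing interface was shut. The server group name `ise-pan` is taken from the original post; the username and secret are placeholders to be replaced.

```cisco
! --- Console: every method list is local-only, so TACACS reachability is irrelevant ---
aaa new-model
aaa authentication login CON local
aaa authorization exec CON local
aaa authorization commands 0 CON none
aaa authorization commands 1 CON none
aaa authorization commands 15 CON none
!
! --- VTY/default: ISE first, local fallback (names from the original post) ---
aaa authentication login VTY group ise-pan local
aaa authorization exec VTY group ise-pan if-authenticated
aaa authorization commands 15 default group ise-pan local none
aaa authorization config-commands
aaa authorization console
!
! Placeholder local account used on the console; replace the secret
username admin privilege 15 secret REPLACE_ME
!
line con 0
 login authentication CON
 authorization exec CON
 authorization commands 0 CON
 authorization commands 1 CON
 authorization commands 15 CON
!
! Apply the VTY lists to all vty lines, not only 5-15, so vty 0-4 do not silently use default
line vty 0 15
 login authentication VTY
 authorization exec VTY
 transport input ssh
```

To confirm which list the console actually consults, run `debug aaa authorization` while logging in on the console: each exec and command authorization request is logged with the method list and method (LOCAL, NONE, or the server group) that answered it. `show running-config | section line con` confirms that the per-line `authorization commands` entries were applied; if any of them is missing, that privilege level falls back to the `default` list and ISE again.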
08-13-2018 05:13 AM
Hello Derek,
Thanks for taking the time to reply and provide a suggestion. I will try what you have suggested. I did try what Paul provided and it is working.
Thanks,
raman