Combining RSA based authentication and Tacacs

mvknl
Level 1

Hi Guys,

Since IOS 15.X it is possible to authenticate users who are using SSH to connect to a device with their RSA public/private key pair. One of the limitations of this technology is that you can only define 10 users for this authentication scheme.

I'm trying to figure out whether it is possible to combine this authentication scheme with normal TACACS+ authentication, so that users who do not have their public key registered on the device can still connect, but using their TACACS+ account.

Does anybody know this?

4 Replies

neil grant
Level 1

I'm also interested in this, as well as in disabling keyboard authentication, i.e. no key, no prompt.

Regards Neil
http://uk.linkedin.com/pub/neil-grant/20/5b0/267

neoisamu2k
Level 1

Did you ever find out an answer? This is something I wish to implement as well.

Sergey Yakovlev
Level 1

You can use a workaround: we can use the default TACACS+ auth together with SSH RSA auth (the username must exist in TACACS for authz, if you use it).

We can configure the default aaa auth/authz with TACACS and also configure RSA auth for users. In this scenario IOS doesn't send the auth to TACACS if the pubkey exists in the configuration (it authenticates by the RSA pubkey locally), but authz does go to TACACS (with the username from the configuration). It's working fine.

But the other side of this: you can log in to the device with any username if you configure your pubkey for this user...

Example: we have two users (user1 and user2). I'm user1 and I don't know the credentials for user2.

We have this config:

aaa authentication login default group tacacs local
aaa authorization config-commands
aaa authorization exec default group tacacs local if-authenticated
aaa authorization commands 15 default group tacacs local if-authenticated

ip ssh pubkey-chain
  username user1
    key-hash ssh-rsa ****

I can authenticate by SSH RSA key without problem (auth by key is processed locally, authorization goes through ACS; ACS knows about user1, so it will be OK). After that I can do this:

ip ssh pubkey-chain
  username user2
    key-hash ssh-rsa ****

And after that I can log in to the device by key with username user2 :)

So we need to configure ACS to prohibit the use of the ssh pubkey-chain command for normal users.

P.S.: Don't know if it's a bug or not that we can use RSA pubkey auth with default TACACS authentication...
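As an added illustration of the risk described in this reply (example code written for this page, not from the thread or from Cisco): a small Python audit that parses a running-config for ip ssh pubkey-chain entries and the AAA lines, reports that key holders bypass TACACS+ login, flags key entries registered for usernames outside an expected allowlist, and flags the case where config-mode commands are not authorized through TACACS+ (the condition that lets a key holder register a key under another username). The sample config, the key hashes and the allowlist are constructed for the example.

```python
"""Audit an IOS running-config for the RSA pubkey / TACACS+ interaction
discussed above. Sample config, key hashes and the allowlist are constructed
for this example; they are not from the thread."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed running-config excerpt (key hashes are placeholders, not real keys).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs local
aaa authorization config-commands
aaa authorization exec default group tacacs local if-authenticated
aaa authorization commands 15 default group tacacs local if-authenticated
!
ip ssh pubkey-chain
  username user1
    key-hash ssh-rsa 0123456789ABCDEF0123456789ABCDEF
  username user2
    key-hash ssh-rsa FEDCBA9876543210FEDCBA9876543210
!
"""


@dataclass
class Finding:
    severity: str  # "info", "low" or "high"
    message: str


def parse_pubkey_users(config: str) -> dict[str, list[str]]:
    """Return {username: [key-hash, ...]} for every ip ssh pubkey-chain entry."""
    users: dict[str, list[str]] = {}
    in_chain = False
    current = None
    for line in config.splitlines():
        if line and not line.startswith(" "):
            # A top-level line starts a new section; only pubkey-chain matters here.
            in_chain = line.startswith("ip ssh pubkey-chain")
            current = None
            continue
        if not in_chain:
            continue
        m = re.match(r"\s+username (\S+)\s*$", line)
        if m:
            current = m.group(1)
            users.setdefault(current, [])
            continue
        m = re.match(r"\s+key-hash ssh-rsa (\S+)\s*$", line)
        if m and current is not None:
            users[current].append(m.group(1))
    return users


def audit(config: str, approved_key_users: set[str]) -> list[Finding]:
    """Flag the conditions under which a key holder can grant access under another name."""
    findings: list[Finding] = []
    users = parse_pubkey_users(config)
    tacacs_login = re.search(r"^aaa authentication login default .*\btacacs\b", config, re.M) is not None
    cmd_authz = re.search(r"^aaa authorization commands 15 default .*\btacacs\b", config, re.M) is not None
    cfg_cmds = re.search(r"^aaa authorization config-commands\s*$", config, re.M) is not None

    if users and tacacs_login:
        findings.append(Finding("info", f"{len(users)} user(s) authenticate by local RSA key; "
                                "TACACS+ login is bypassed for them"))
    if users and not (cmd_authz and cfg_cmds):
        findings.append(Finding("high", "config-mode commands are not authorized by TACACS+; "
                                "anyone in config mode can register a key under another username"))
    for user, hashes in users.items():
        if user not in approved_key_users:
            findings.append(Finding("high", f"RSA key registered for unexpected username '{user}' "
                                    f"({len(hashes)} key(s))"))
        elif not hashes:
            findings.append(Finding("low", f"pubkey-chain entry for '{user}' carries no key"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG, {"user1"}):
        print(f"[{f.severity}] {f.message}")
```

Run against the constructed config with an allowlist of just user1, the audit reports the TACACS+ bypass for key holders and a high finding for the key registered under user2; the per-command authorization check is what the reply asks the ACS policy to enforce, and the audit only tells you whether the device is configured to consult TACACS+ for it at all.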

hi,

I want to share my working config:

ubuntu:
ssh-keygen -t rsa -b 4096
/root/.ssh/my_rsa

fold -b -w 64 ~/.ssh/my_rsa.pub
ssh-rsa x
x
x
x
x== root@pclab.mydomain.local

switch :
conf t
ip ssh pubkey-chain
username myadmin
key-string
ssh-rsa x
x
x
x
x== root@pclab.mydomain.local
exit
exit
do wr

my tacacs username : myadmin

ssh -v -l myadmin -i /root/.ssh/my_rsa 10.1.1.200

thank you 
best regards
Erdem Sarıkuş
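An added companion to the procedure in this reply (example code written for this page, not the poster's script and not a Cisco tool): a Python helper that takes an OpenSSH ssh-rsa public-key line, checks that it is well-formed and meets a minimum modulus size, renders the ip ssh pubkey-chain key-string block folded at 64 bytes per line exactly as fold -b -w 64 does, and computes the MD5 fingerprint of the decoded key blob. That the stored key-hash equals this MD5 fingerprint is an assumption of the example, to be confirmed with show running-config on your platform. The sample key is built from a made-up 2048-bit modulus and is not a usable key; the username myadmin and the comment root@pclab.mydomain.local are the ones used in the reply.

```python
"""Turn an OpenSSH ssh-rsa public-key line into the IOS key-string block used
above (folded at 64 bytes per line, like 'fold -b -w 64') and compute the MD5
fingerprint of the key blob. Assumption: IOS stores a pasted key-string as
'key-hash ssh-rsa <MD5 of the key blob>'. The sample key below is constructed
from a made-up modulus and is not a usable key."""
import base64
import hashlib


def _mpint(value: int) -> bytes:
    """SSH mpint: 4-byte length + big-endian magnitude, leading 0x00 if the high bit is set."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return len(raw).to_bytes(4, "big") + raw


def _string(data: bytes) -> bytes:
    """SSH string: 4-byte length + bytes."""
    return len(data).to_bytes(4, "big") + data


def build_openssh_rsa_line(e: int, n: int, comment: str) -> str:
    """Build an OpenSSH public-key line; used here only to construct the sample."""
    blob = _string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def parse_openssh_rsa_line(line: str):
    """Return (blob, modulus_bits, comment); reject anything that is not a well-formed ssh-rsa key."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("ip ssh pubkey-chain takes ssh-rsa keys only")
    blob = base64.b64decode(parts[1], validate=True)
    fields, off = [], 0
    for _ in range(3):  # wire format: string "ssh-rsa", mpint e, mpint n
        if off + 4 > len(blob):
            raise ValueError("truncated key blob")
        length = int.from_bytes(blob[off:off + 4], "big")
        off += 4
        fields.append(blob[off:off + length])
        off += length
    if off != len(blob) or fields[0] != b"ssh-rsa":
        raise ValueError("malformed ssh-rsa key blob")
    modulus_bits = int.from_bytes(fields[2], "big").bit_length()
    comment = " ".join(parts[2:])
    return blob, modulus_bits, comment


def ios_key_string_block(line: str, username: str, min_bits: int = 2048) -> str:
    """Render the config lines to paste, folding the key line at 64 bytes."""
    blob, bits, comment = parse_openssh_rsa_line(line)
    if bits < min_bits:
        raise ValueError(f"{bits}-bit modulus is below the {min_bits}-bit minimum")
    body = f"ssh-rsa {base64.b64encode(blob).decode()}" + (f" {comment}" if comment else "")
    chunks = [body[i:i + 64] for i in range(0, len(body), 64)]
    lines = ["ip ssh pubkey-chain", f"  username {username}", "    key-string"]
    lines += ["      " + c for c in chunks]
    lines += ["    exit", "  exit"]
    return "\n".join(lines)


def ios_key_hash(line: str) -> str:
    """MD5 of the decoded key blob as upper-case hex (assumed to match the stored key-hash)."""
    blob, _, _ = parse_openssh_rsa_line(line)
    return hashlib.md5(blob).hexdigest().upper()


# Constructed 2048-bit "modulus": shaped like an RSA modulus, not a real key.
SAMPLE_N = (1 << 2047) | 0xC0FFEE | 1
SAMPLE_KEY = build_openssh_rsa_line(65537, SAMPLE_N, "root@pclab.mydomain.local")

if __name__ == "__main__":
    print(ios_key_string_block(SAMPLE_KEY, "myadmin"))
    print("key-hash ssh-rsa", ios_key_hash(SAMPLE_KEY))
```

Feed it the contents of ~/.ssh/my_rsa.pub instead of SAMPLE_KEY to get the block to paste; the 4096-bit key generated in the reply passes the default 2048-bit floor, and a key of another type is rejected before anything is rendered, which is the check worth having in front of a command that grants device access.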
