Console to a device using an account from a TACACS server: if I shut down the uplink, will the device kick me out?

spencerlin1991
Level 1

Hello everyone, please help me.

If I console into a switch using a TACACS account and then shut down the uplink, the switch cannot talk to the TACACS server. Will I still be able to perform any activity, or will the switch kick me out?

Thanks


9 Replies

Mark Malone
VIP Alumni

If your TACACS is set up right it should revert back to a local account when you're in over console.

Check the AAA on the switch; it should have something like

aaa authentication login default group xtacacs local enable

Also there should be a username/password set up for local access on the switch.

While Mark is correct in suggesting that a good config should always have a primary authentication method (like TACACS) and should have a backup authentication method (like local) I do not believe that this addresses the original question. If I understand the original post correctly the question was that once the user is authenticated and then the link to TACACS is down will the switch kick him off the system. And I believe that the correct answer to this question is that once you are authenticated you are on the switch and that your current session is not impacted if the switch loses communication with TACACS.

I will also note that this answer addresses only the authentication aspect of aaa. The original poster should be aware that if aaa authorization for commands is also configured that losing communication with TACACS may not kick you off but it might make it impossible to execute any command.

HTH

Rick


Thanks! This is what I am looking for.

AAA authorization is also configured.

Hi
Below is a switch config I used recently. I tested it by logging into the switch via TACACS and then disconnecting the uplink.

aaa authentication login default group tacacs local
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs local if-authenticated
aaa authorization commands 15 default group tacacs local if-authenticated
aaa accounting exec default start-stop group tacacs
aaa accounting commands 15 default start-stop group tacacs
aaa accounting network default start-stop group tacacs

As the authorization commands include the if-authenticated keyword, the previously authenticated TACACS user could still execute commands on the switch when the TACACS server was unavailable.

hth
Andy

The original post asked a pretty broad question about whether losing communication with TACACS after logging into a switch would prevent you from doing any activity or would kick you out. The answer to that broad question would be perhaps it would prevent you from doing any activity but perhaps it would not, depending on some details of how AAA is configured. And to really be able to give the kind of answer desired would require knowing more detail of how AAA is configured. For authentication and for authorization there are options which can be configured that would allow you to continue to do activity after losing communication with TACACS. But without those options it is possible that you would be prevented from doing any activity.

HTH

Rick


Hello.

This is the current AAA configuration for the switch I am talking about. Please advise, thanks.

aaa authentication login default group TACACS
aaa authentication login console group TACACS
aaa authorization config-commands default group TACACS local
aaa authorization commands default group TACACS local
aaa accounting default group TACACS

Thanks for posting the aaa configuration of the switch. Here are my comments.

aaa authentication login default group TACACS

This is the command that controls most authentication when accessing the switch. It uses TACACS and has no alternate method. Once authenticated and logged in your session would continue whether or not TACACS remains reachable.

aaa authentication login console group TACACS

This command appears to control authentication for the console (it also requires a command on the console line to specify this method of authentication for it to take effect). Similar to my previous comment, once you are authenticated and logged in your session would continue whether or not TACACS remains reachable.

aaa authorization config-commands default group TACACS local

This command specifies authorization for remote access of config commands using TACACS with a backup method of local. This does depend on having a locally configured user ID and password. I believe that local for authorization would be effective if you used local for authentication, but I am not confident that it would provide failover if you authenticated using TACACS and then lost communication with TACACS. I would suggest a different parameter:

aaa authorization config-commands default group TACACS if-authenticated

I have used this form of the command and know that it does allow you to continue activities when communication with TACACS is lost.

An important aspect of this command is that by default Cisco does not enforce authorization on the console session. Since the original post did explicitly specify that access to the switch was using console these authorization commands would not impact the console, unless the configuration of the console line did explicitly include authorization.

aaa authorization commands default group TACACS local

My comments about this command would be similar to my comments about the previous authorization command.

HTH

Rick

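As an added illustration (constructed for this thread, not code from any poster and not IOS itself), here is a small Python model of how an IOS authorization method list falls through when the TACACS server is unreachable. It encodes the documented rule that a later method is tried only when the earlier one returns ERROR (no response), never on an explicit deny, and the assumption that the `local` method needs a matching local username entry; the server's own decision when it is reachable is stubbed as PASS.

```python
"""Constructed model of Cisco IOS AAA method-list fallthrough for command
authorization.  Not IOS code: it exists to compare the config posted above
('group TACACS local') with the 'group TACACS if-authenticated' form."""


def parse_authz(config_line):
    """Turn 'aaa authorization ... default <methods>' into a method list."""
    tokens = config_line.split()
    if tokens[:2] != ["aaa", "authorization"]:
        raise ValueError(config_line)
    methods, i = [], tokens.index("default") + 1
    while i < len(tokens):
        if tokens[i] == "group":            # e.g. 'group TACACS'
            methods.append(("group", tokens[i + 1].lower()))
            i += 2
        else:                               # local / if-authenticated / none
            methods.append((tokens[i], None))
            i += 1
    return methods


def authorize(methods, user, *, tacacs_reachable, local_users, authenticated=True):
    """Return 'PASS', 'FAIL' or 'ERROR' for one command-authorization request."""
    for kind, _arg in methods:
        if kind == "group":
            # No response from the server is ERROR, which falls through;
            # a reachable server is stubbed to permit (constructed assumption).
            result = "PASS" if tacacs_reachable else "ERROR"
        elif kind == "local":
            # Assumption: local authorization looks the user up in the local
            # username database, so a TACACS-only user is denied here.
            result = "PASS" if user in local_users else "FAIL"
        elif kind == "if-authenticated":
            result = "PASS" if authenticated else "FAIL"
        elif kind == "none":
            result = "PASS"
        else:
            raise ValueError(kind)
        if result != "ERROR":               # only ERROR tries the next method
            return result
    return "ERROR"                          # every method errored: command denied


def session_allowed(methods, user, line, console_authz, **kw):
    """Console lines skip authorization unless 'aaa authorization console' is set."""
    if line == "console" and not console_authz:
        return "PASS"
    return authorize(methods, user, **kw)
```

Running the posted `group TACACS local` list for a TACACS-only user with the server down yields FAIL on a vty but PASS on the console, while `group TACACS if-authenticated` yields PASS on both.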

Hello.

This is the current AAA configuration for the switch I am talking about. Please advise, thanks.

aaa authentication login default group TACACS
aaa authentication login console group TACACS
aaa authorization config-commands default group TACACS local
aaa authorization commands default group TACACS local

Thanks for your reply.

But this is not what I am asking.
