05-10-2016 07:35 AM - edited 03-08-2019 05:41 AM
Dear All,
I am running into an issue with an old IOS and an EEM script, as I can't make it bypass AAA.
So I have a script that should log into config mode and shut an interface if an event happens. Writing the script is not an issue.
But making it run is! We have TACACS+, and to make this work on the router I need a user that is authenticated, or I have to log onto the router in a way that bypasses TACACS+.
The config does not support the known EEM 3.1 feature (event manager applet <ANY> ... bypass auth).
I made the script and the bypass by setting up the config stated below:
!
aaa authentication login EEMScript local
aaa authentication enable default none
aaa authorization exec EEMScript none
aaa authorization commands 0 EEMScript none
aaa authorization commands 1 EEMScript none
aaa authorization commands 15 EEMScript none
!
username EEMScript privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXX
!
line vty 0 2
 exec-timeout 1 0
 privilege level 15
 authorization commands 0 EEMScript
 authorization commands 1 EEMScript
 authorization commands 15 EEMScript
 authorization exec EEMScript
 login authentication EEMScript
 length 0
 transport input none
 transport output none
!
event manager session cli username EEMScript
However, in this situation the issue is that if I log onto this router I'll be logged onto vty 0, which means I can't be authenticated by TACACS+ as it's not set on vty lines 0-2. Which means the router becomes unmanageable....
The solution, however, works! Because if I am not logged on, the script will use vty 0 by default, which as you see has the "correct" setup not to use AAA, but I need a tiny modification.
Here comes the real question:
Can I force my EEM script to use a specific vty line, like vty 20, that I'll never use?
Any ideas or a better solution would be appreciated!
HW is 1841 - c1841-advipservicesk9-mz.124-17.bin
05-19-2016 08:31 AM
Once the attempts are rolled over to the TACACS server group, how can you set a timer on the method list to fail back to the local user database?
An issue I am seeing is that the ACS server hangs and is reachable by IP; however, it doesn't respond with an accept or reject. Consequently, nobody is able to log in to any devices.
Thanks!
05-10-2016 08:28 AM
Hi there,
Why don't you configure your aaa authentication method to try local then TACACS:
!
aaa group server tacacs+ TACACS_SERVERS
server <ip_1>
server <ip_2>
!
aaa authentication login EEMScript local group TACACS_SERVERS
!
...that should do the trick.
cheers,
Seb.
05-10-2016 08:39 AM
Hi,
Just to be sure: the first attempt should allow me to log in with TACACS+. I am not familiar with this command.
Here the first attempt is the local one; if it is set, will it allow me to log in with either local or TACACS+ for the first attempt?
Cheers
05-10-2016 08:47 AM
The modified method I am suggesting will check the local user database first. If the supplied username is not present ('EEMScript') then it will rollover to the TACACS server group.
cheers,
Seb.
06-09-2016 07:20 AM
I found the solution: I had to set vty 0 to transport input none, so the EEM script can use vty 0 all the time, and I won't shut myself out, as if I telnet into the router, vty 0 will be skipped.
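As an added example (not config from any post in this thread), the following pulls the pieces discussed above into one layout: the reserved vty 0 with transport input none from the final post, Seb's TACACS_SERVERS group, and a per-server timeout for the "ACS hangs but never answers" case raised on 05-19. Server addresses, the shared key, the account names and the OPERATORS list name are placeholders. Two points the thread leaves implicit: IOS only moves to the next method in a list when the current one returns an error (server unreachable, or no reply within tacacs-server timeout), not when the server answers with a reject, so a hung server that accepts the TCP connection but never replies is handled by that timeout; and the EEM line gets its own method list rather than putting local in front of the shared list, so human logins still go to TACACS+ first and stay centrally accounted.

```cisco
! Added example, not from the thread. Addresses, key and names are placeholders.
aaa new-model
!
! TACACS+ servers (placeholder addresses and key)
tacacs-server host 192.0.2.10 key 0 REPLACE-WITH-SHARED-KEY
tacacs-server host 192.0.2.11 key 0 REPLACE-WITH-SHARED-KEY
! Seconds to wait for each server before it counts as unreachable (ERROR);
! only an ERROR lets the method list fall through to "local"
tacacs-server timeout 5
!
aaa group server tacacs+ TACACS_SERVERS
 server 192.0.2.10
 server 192.0.2.11
!
! Operator lines: central TACACS+ first, local only when every server is unreachable
aaa authentication login OPERATORS group TACACS_SERVERS local
aaa authorization exec OPERATORS group TACACS_SERVERS local
aaa authorization commands 15 OPERATORS group TACACS_SERVERS local
aaa accounting commands 15 OPERATORS start-stop group TACACS_SERVERS
!
! EEM line: local account only, so the applet does not depend on server reachability
aaa authentication login EEMScript local
aaa authorization exec EEMScript local
aaa authorization commands 15 EEMScript local
!
! Local accounts: the EEM user, plus a break-glass operator for the fallback case
username EEMScript privilege 15 secret REPLACE-ME
username breakglass privilege 15 secret REPLACE-ME
!
! vty 0 is reserved for EEM: transport input none means nobody can telnet/ssh
! into it, so the first free line the EEM CLI session takes is always this one
line vty 0
 login authentication EEMScript
 authorization exec EEMScript
 authorization commands 15 EEMScript
 transport input none
 transport output none
!
! Remaining vtys for people, SSH only
line vty 1 4
 login authentication OPERATORS
 authorization exec OPERATORS
 authorization commands 15 OPERATORS
 exec-timeout 10 0
 transport input ssh
!
event manager session cli username EEMScript
```

To check which line an applet actually picked, run the applet and compare show users (or show line) while it is active against the line numbers above; if humans ever land on vty 0, the transport input none setting on that line has not taken effect.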
