Enabling local console access when TACACS is enabled

aniket0422
Level 1
Hi All,
I am configuring a new switch. I have done the basic line vty configuration as below.
#username cisco password cisco
#enable secret cisco
#service password-encryption
#line vty 0 4
#login local
#transport input all
#save
When I logged in the next time, the switch asked me for a username and password. I entered cisco/cisco and was able to log into the switch.
Then I enabled TACACS and entered all the TACACS configuration as per the customer requirement. I am able to log into the switch through telnet/ssh using a TACACS username and password, but I lost my console access using the local username and password, i.e. cisco/cisco.
I want the local username and password I have created, i.e. cisco/cisco, to work on telnet/ssh/console even when TACACS is enabled. How can I achieve this?
At least when my TACACS login is not working, I should be able to log into the switch via the console using the local username and password.

17 Replies

Reza Sharifi
Hall of Fame
Hi, as long as TACACS is enabled to authenticate first, you can't use the local username and password. If you want to make sure that the local username and password work in case TACACS fails, you would need to disable TACACS and test. HTH

Hello Reza Sharifi,
If my TACACS fails, I will not be able to log in to the switch, so how can I disable TACACS?

Hi,

If, for whatever reason, the TACACS server fails, you should be able to connect to the devices via the local username and password if everything is configured correctly, and that is the solution you want to test.

HTH

Hello

You can negate this in various ways:

1) Create an additional profile with non-TACACS authentication:

aaa authentication login Backdoor local
aaa authorization exec Backdoor local if-authenticated
aaa authorization commands 0 Backdoor none
aaa authorization commands 1 Backdoor none
aaa authorization commands 15 Backdoor none

line con 0
 authorization commands 0 Backdoor
 authorization commands 1 Backdoor
 authorization commands 15 Backdoor
 authorization exec Backdoor
 login authentication Backdoor

2) Disable TACACS on the console and apply the activation-character command with an ASCII value; below I am using the @ keystroke to gain access:

aaa authentication login AV none

line con 0
 login authentication AV
 activation-character 64

res

Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi Paul,

Thanks for reply !!

The 1st point in your reply is valid if my TACACS login is working. Then I can log into the switch and do the additional configuration you have mentioned, so that when TACACS fails next time I can use the non-authenticated profile to log into the switch.

The 2nd point says disable TACACS from the console. But if I have TACACS configured on my switch, will I be able to log into the switch through the console to make changes?

DamienTokyo
Level 1

Hi, sorry to dig up this thread from 5 years ago, but my question is similar to the OP's. Now I can access my switch remotely with SSH using TACACS+, and at the very beginning I also had console port access.

I would like to be able to connect with the console port anytime, even if TACACS+ is activated and working. Now on the console port with local credentials I keep getting "authentication failed".

I have tried to modify my config from

aaa authentication login local-auth local
!
!
line con 0
 login authentication local-auth
!

to

aaa authentication login console local
!
!
line con 0
 login authentication console
!

without any change.

Then I saw this thread suggesting one idea,

https://networkengineering.stackexchange.com/questions/52731/aaa-authentication-for-all-users-and-a-single-user-for-local-only

so I changed from

aaa authentication login default group tacacs+ local

to

aaa authentication login default local group tacacs+

but here as well no change.

Do you have any idea if it is possible to get both access to the console port and TACACS+ at the same time?

Thanks,

Regards,

Damien

@DamienTokyo wrote:

aaa authentication login local-auth local
!
!
line con 0
 login authentication local-auth
!

to

aaa authentication login console local
!
!
line con 0
 login authentication console
!

without any change.

That's right, because "console" and "local-auth" are only names you configure here.

You don't change any switch behaviour by that.

We have it configured like that (RADIUS server instead of TACACS+):

aaa authentication login default group radius-server local
aaa authorization exec default group radius-server local

aaa authentication login console local
line con 0
 login authentication console

-> SSH login: RADIUS server, if available; local if not

-> Console login: always local

Can you log in with local credentials via SSH if your switch loses its connection to the TACACS+ server?

If not, you may have an issue with local authentication.


Hi, thanks for your reply.

Can you log in with local credentials via SSH if your switch loses its connection to the TACACS+ server?

=> Yes, no issue.

I have tried to find a solution to have access to both the console and TACACS+ at the same time, in case for some reason we lose SSH.

Because for now it was impossible to have simultaneous dual access.

In the previous config I had this:

username cisco password 7 cisco
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication login local-auth local
!

But when checking other switches I found 2 differences:

username cisco privilege 15 secret cisco

aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication enable default enable
aaa authentication login local-auth local
!

Without much confidence I then tried to do a dual login on both console and TACACS, and miracle! It worked directly! I was able to have simultaneous connections on both; did I find the solution there?

As a test I switched back to the first config (withdrawing the 2 lines and switching back to "password 7"), and for some reason I kept having access to both console and TACACS+ at the same time... so I thought maybe a service was still running somewhere on the switch in the background? I then reloaded the switch to confirm. Even after reloading I still keep simultaneous access, so I don't know at all what happened.

Did I really change something? I mean that the before and after configurations are exactly the same; it was not working before and now I don't have the problem.

I should then be happy that it works, but I am a bit concerned that I may lose console access because I don't know the reason behind that.

This is kind of mysterious to me...


Hello


@DamienTokyo wrote:

username cisco privilege 15 secret cisco
aaa new-model
aaa authentication login default group tacacs+ local < applicable to vty lines ONLY
aaa authentication enable default enable < applicable to vty lines, but due to the local account having priv 15 access it's not called upon, so you could use
aaa authorization exec default group tacacs+ local if-authenticated

aaa authentication login local-auth local <--- not applied to anything, so isn't applicable
!

The reason you have console access is that by default AAA in this instance isn't applied to console lines, so you could leave it as it is, or apply AAA with a non-default method list, "local-auth" as per your post, but you will need to enable AAA for the console.

line console 0
 login authentication local-auth
 authorization exec local-auth

And for resiliency, being able to access and use the device via the VTY lines as/when TACACS is down, I suggest applying the following:
aaa authorization commands 15 default group tacacs+ local

So to summarise

AAA default method list
username cisco privilege 15 secret cisco
aaa new-model

aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 15 default group tacacs+ local

AAA console method list

aaa authentication login local-auth local
aaa authorization exec local-auth local if-authenticated
aaa authorization commands 15 local-auth local
aaa authorization console

line console 0
 login authentication local-auth
 authorization exec local-auth


Kind Regards
Paul
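The point made in Paul's two answers above, and in the RADIUS reply before them, is that what matters is which method list each line ends up using and in what order the methods are tried, not what the list is called. The following audit script is an added example written for this thread; it is not code from any poster or from Cisco. It parses a running-config as text, resolves the login list in effect for every `line` stanza (explicit `login authentication <name>`, otherwise `default`), and flags the three situations seen in the thread: console behind a TACACS+ group with local only as a fallback (the OP's lockout), a list containing `none` (Paul's option 2), and a list that is referenced but never defined. The two embedded configs are constructed to resemble the thread's snippets and use a documentation address and placeholder key. It assumes the IOS behaviour that a list falls through to the next method only when the previous one errors (server unreachable), not when the server rejects the credentials; that assumption is stated in the code.

```python
"""Audit which AAA login method list each IOS 'line' actually uses.

Added example for this thread, not code from any poster or from Cisco.
Assumptions (not stated in the posts):
  * With 'aaa new-model', a line with no explicit 'login authentication'
    uses the 'default' list.
  * IOS moves to the next method only on ERROR (server unreachable);
    a FAIL (server reachable, credentials rejected) ends the attempt,
    so 'group tacacs+ local' never reaches 'local' while TACACS+ is up.
"""
import re

LOGIN_LIST_RE = re.compile(r"^aaa authentication login (\S+) (.+)$")


def tokenize_methods(rest):
    """'group tacacs+ local' -> ['group tacacs+', 'local'] ('group' takes one argument)."""
    toks, methods, i = rest.split(), [], 0
    while i < len(toks):
        if toks[i] == "group" and i + 1 < len(toks):
            methods.append(f"group {toks[i + 1]}")
            i += 2
        else:
            methods.append(toks[i])
            i += 1
    return methods


def parse_login_lists(config):
    """Map list name -> ordered methods from 'aaa authentication login' commands."""
    lists = {}
    for raw in config.splitlines():
        m = LOGIN_LIST_RE.match(raw.strip())
        if m:
            lists[m.group(1)] = tokenize_methods(m.group(2))
    return lists


def parse_line_stanzas(config):
    """Map 'con 0' / 'vty 0 4' ... -> {'login': <list name>}.

    Sub-commands are indented by one space; a stanza ends at the first
    non-indented line (another 'line', '!' or 'end').
    """
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            stanzas[current] = {}
        elif current is not None and raw.startswith(" "):
            cmd = raw.split()
            if cmd[:2] == ["login", "authentication"] and len(cmd) == 3:
                stanzas[current]["login"] = cmd[2]
        else:
            current = None
    return stanzas


def effective_login(config):
    """Per line: (list name in effect, its methods or None if undefined)."""
    lists = parse_login_lists(config)
    return {line: (attrs.get("login", "default"), lists.get(attrs.get("login", "default")))
            for line, attrs in parse_line_stanzas(config).items()}


def audit(config):
    """Return findings; an empty list means every line has a sane login path."""
    if "aaa new-model" not in [l.strip() for l in config.splitlines()]:
        return ["aaa new-model is absent: method lists are ignored; lines use 'login'/'login local'"]
    findings = []
    for line, (name, methods) in effective_login(config).items():
        if methods is None:
            findings.append(f"{line}: login list '{name}' is referenced but not defined")
            continue
        if "none" in methods:
            findings.append(f"{line}: login list '{name}' contains 'none' (unauthenticated access)")
        if "local" not in methods and any(m.startswith("group ") for m in methods):
            findings.append(f"{line}: login list '{name}' has no local fallback; an AAA outage locks this line out")
        if line.startswith("con") and methods[0] != "local":
            findings.append(f"{line}: console tries '{methods[0]}' before the local database; "
                            "a local account only works if that server is unreachable")
    return findings


# Constructed configs modelled on the thread (documentation address, placeholder key).
OP_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
username cisco privilege 15 secret cisco
tacacs-server host 192.0.2.10 key PLACEHOLDER
line con 0
line vty 0 4
 transport input ssh
!
end
"""

FIXED_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login local-auth local
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization exec local-auth local if-authenticated
aaa authorization console
username cisco privilege 15 secret cisco
tacacs-server host 192.0.2.10 key PLACEHOLDER
line con 0
 login authentication local-auth
 authorization exec local-auth
line vty 0 4
 transport input ssh
!
end
"""

if __name__ == "__main__":
    for label, cfg in (("OP", OP_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, effective_login(cfg), audit(cfg) or "no findings")
```

Run it against a saved `show running-config` and the OP's situation shows up as a single finding on `con 0`, while Paul's summary configuration produces none. Swapping `local-auth local` for `local-auth none` reproduces the option-2 backdoor and is flagged as unauthenticated access, which is the check a reviewer would want before that list ever reaches a production console.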

Hi Paul,

Thank you very much for the explanation. I will check it further.

Best regards,
Damien

I have a similar issue. We access all of our customers' MDS switches via TACACS. Well, we are turning the switches back over to the customer. I tried to disable TACACS but of course received errors because my account is authenticated via TACACS. I changed the admin password because no one knew it. Of course I couldn't log in with admin because TACACS is enabled. How do I or the customer remove TACACS so they can log in? Admin is a local user. Do they have to console in and remove it? Or are there some other steps I need to do to rectify this? Please advise, and thanks in advance for any help.

BNedved
Level 1

I am having a similar issue. I am trying to make the tech user able to log in by SSH and console, but I keep getting an authentication error.

[Screenshot Capture.PNG: the aaa section of the configuration]

You have shown us the aaa part of the configuration but not the configuration of the console and vty lines. It might be helpful if we could see those parts.

You mention the tech user, suggesting that this one does not work. Is that correct? Do the other IDs specified in the config work? Are you sure that the tech user has an appropriate/correct entry on the TACACS server?

If we cannot find some explanation for the problem with the tech ID, then it might be helpful to see output from the authentication debugs.

HTH

Rick

The tech user is only able to log in when the authentication server is unavailable. I would prefer it if it could log in anytime.

ip access-list standard GEI_SNMP_ACL
 permit 10.2.202.5 log
 deny   any log
ip sla enable reaction-alerts
logging history notifications
logging 192.168.17.248
access-list 10 permit 192.168.17.248
snmp-server group READview v3 priv read GEI notify GEI access SNMP_ACL
snmp-server group WRITEview v3 priv read GEI write GEI notify ACEP access SNMP_ACL
snmp-server view GEI iso included
snmp-server community RW 10
snmp-server community RO 10
snmp-server trap-source Vlan310
snmp-server location 1
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps transceiver all
snmp-server enable traps tty
snmp-server enable traps cluster
snmp-server enable traps entity
snmp-server enable traps cpu threshold
snmp-server enable traps rep
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps flash insertion removal
snmp-server enable traps port-security
snmp-server enable traps auth-framework sec-violation
snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps power-ethernet group 1
snmp-server enable traps power-ethernet police
snmp-server enable traps fru-ctrl
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps energywise
snmp-server enable traps rtr
snmp-server enable traps vstack
snmp-server enable traps bridge newroot topologychange
snmp-server enable traps stpx inconsistency root-inconsistency loop-inconsistency
snmp-server enable traps syslog
snmp-server enable traps mac-notification change move threshold
snmp-server enable traps vlan-membership
snmp-server enable traps errdisable
snmp-server host 192.168.17.248 informs version 2c
snmp-server host 192.168.17.248 version 2c
tacacs-server host 192.168.17.247 key 7 122B551419122B053A
tacacs-server directed-request
!
line con 0
 login authentication local-auth
line vty 0 4
 transport input ssh
line vty 5 15
 transport input ssh
!
ntp clock-period 36029466
ntp server 172.20.1.254
end
