07-17-2020 11:03 AM
Hello,
I am having issues when I put in my aaa. I get % error in authentication.
aaa group server tacacs+ default
aaa authentication attempts login 5
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+
aaa authentication dot1x default group radius group CPPM
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
If I tweak it, I can get either local auth to work or tacacs to work but never together... What am I missing?
Thank you!
07-17-2020 01:24 PM
Local authentication only works when TACACS fails, as per the configuration.
If you want to test, change the key on the TACACS server; then you can see local authentication working.
It is a fall-over config; both do not work at the same time.
07-17-2020 02:51 PM
Thank you for the response.
When I have my aaa config on the switch and lose connectivity, local auth does not work. That is how I get the error. My config works great when I have connectivity with aaa. I lost my master in my stack and tried to auth locally to change the master, and ended up ignoring the boot config to bypass auth and then restoring the config.
Thank you!
07-17-2020 07:58 PM
Just to clarify: are we looking for device administration using TACACS, and if that fails, use local authentication, right?
Here is the working config:
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization network default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
!
!
tacacs-server host X.X.X.X
tacacs-server key xxx
07-17-2020 11:48 PM
Hello,
In addition to Balaji's remarks, what switch model do you have, and what IOS version are you running? Always worth checking for bugs...
Also, post the full running config. I assume you have a local user configured?
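An added example, not part of any post in this thread: IOS tries the methods of an AAA method list in order and moves to the next one only when the previous method returns an error, such as an unreachable server. The Python check below reads the authentication and authorization lines from the first post and reports the method lists made up only of server groups, which have nothing left to try when the servers cannot be reached. The function names and the set of on-box methods are assumptions of this example.

```python
import re

# AAA authentication/authorization lines as posted in the first message.
POSTED_CONFIG = """\
aaa group server tacacs+ default
aaa authentication attempts login 5
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+
aaa authentication dot1x default group radius group CPPM
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization network default group radius
"""

# Assumption: methods the device evaluates itself, without contacting a server.
ON_BOX_METHODS = {"local", "local-case", "enable", "line", "none", "if-authenticated"}

# aaa <type> <service> <list-name> <method> [<method> ...]
METHOD_LIST = re.compile(
    r"^aaa (authentication|authorization) "
    r"(login|enable|dot1x|exec|network|commands \d+) (\S+) (.+)$"
)

def parse_methods(text):
    """Turn 'group tacacs+ local' into ['group tacacs+', 'local']."""
    return re.findall(r"group \S+|\S+", text)

def lists_without_fallback(config):
    """Return (line, methods) for method lists that contain only server groups."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        m = METHOD_LIST.match(line)
        if not m:
            continue  # not a method list, e.g. 'aaa authentication attempts login 5'
        methods = parse_methods(m.group(4))
        if not any(method in ON_BOX_METHODS for method in methods):
            findings.append((line, methods))
    return findings

if __name__ == "__main__":
    for line, methods in lists_without_fallback(POSTED_CONFIG):
        print("no on-box fallback:", line, "->", methods)
```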