cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
928
Views
0
Helpful
5
Replies

local admin able to connect even with tacacs configured

NicolasDemonty
Level 1
Level 1

Hi,

On old nx-os like 7.0(8)N1(1) local admin users were not able to login to the device when tacacs+ is working. This behavior seems to have changed on newer version like 9.3.10 and 10.2.4 for examples. Indeed, with same configuration than older version, the local users are able to login to the device even if tacacs+ is working and tacacs servers reachable.

I tested two cases :

with : aaa authorization commands default group ACS_SERVER local and in this case the local admin can run all commands

with : aaa authorization commands default group ACS_SERVER and in this case the local admin can't run anything BUT if the tacacs servers fails then local admin can't do anything.

 

Any idea whether this is a bug or this behavior has changed ?

 

thanks



5 Replies 5

Are you sure NSK connect to tacacs ? If not then it normal behavior.

aaa authorization commands default group ACS_SERVER if-auth

If-auth if add then you will have same behave as local 

 

 

Hi

yes I'm sure. Tested.

edit : by the way, if-auth doesn't exist on NX-OS versions used here

kr

nehakakar
Level 1
Level 1

aaa authorization commands default group ACS_SERVER local In this case, the local admin users are authorized to run all commands.

Hi
I might have not been clear enough in the description. As mentioned the "local" keyword allow me to run all command for local user. My issue is that the local user can authenticate on the device when tacacs is working. When tacacs is well working the local user should not be able to login. Local user should be able to login when tacacs is dead. This was the behavior on old nx-os. Now this seems to have changed and I'm wondering if this is a bug or normal behavior.

 

Ok for confirm' we talking about authc not authz ?

If yes' 

Then auth use tacacs when it failover to use local? When tacacs send access reject' so add same local usename but different password in tacacs server.

This make tacacs reject connect and sw not failover to use local username and password.

Note:- always keep one username local different than tacacs user as backup if you face any issue with server. 

Review Cisco Networking for a $25 gift card