
local admin able to connect even with tacacs configured

NicolasDemonty
Level 1

Hi,

On old NX-OS like 7.0(8)N1(1), local admin users were not able to log in to the device when TACACS+ was working. This behavior seems to have changed on newer versions like 9.3.10 and 10.2.4, for example. Indeed, with the same configuration as on the older version, the local users are able to log in to the device even if TACACS+ is working and the TACACS servers are reachable.

I tested two cases:

with: aaa authorization commands default group ACS_SERVER local, and in this case the local admin can run all commands

with: aaa authorization commands default group ACS_SERVER, and in this case the local admin can't run anything, BUT if the TACACS servers fail then the local admin can't do anything.

 

Any idea whether this is a bug or this behavior has changed ?

 

thanks




Are you sure the NSK connects to TACACS? If not, then it is normal behavior.

aaa authorization commands default group ACS_SERVER if-auth

If if-auth is added, then you will have the same behavior as local.

 

 

Hi

yes I'm sure. Tested.

edit : by the way, if-auth doesn't exist on NX-OS versions used here

kr

nehakakar
Level 1

aaa authorization commands default group ACS_SERVER local

In this case, the local admin users are authorized to run all commands.

Hi
I might not have been clear enough in the description. As mentioned, the "local" keyword allows me to run all commands for the local user. My issue is that the local user can authenticate on the device when TACACS is working. When TACACS is working well, the local user should not be able to log in. The local user should be able to log in when TACACS is dead. This was the behavior on old NX-OS. Now this seems to have changed and I'm wondering if this is a bug or normal behavior.

 

OK, to confirm, we are talking about authc, not authz?

If yes,

Then auth uses TACACS; when does it fail over to use local? When TACACS sends an access reject, so add the same local username but a different password in the TACACS server.

This makes TACACS reject the connection and the sw does not fail over to use the local username and password.

Note: always keep one local username different from the TACACS user as a backup if you face any issue with the server.
