Local authentication config

Bab L
Level 1

Hi.

We currently configure our switches as below:

aaa authentication login SW-ACS group tacacs+ local
aaa authorization console
aaa authorization exec EXEC-ACS group tacacs+ local
aaa authorization commands 1 CLI-ACS group tacacs+ local
aaa accounting exec EXEC-ACC start-stop group tacacs+
aaa accounting commands 1 CLI-ACC stop-only group tacacs+

--------------------------------------------------------------------

line con 0
 authorization exec EXEC-ACS
 logging synchronous
 login authentication SW-ACS
line vty 0 4
 access-class vty-in in
 authorization commands 1 CLI-ACS
 authorization exec EXEC-ACS
 accounting commands 1 CLI-ACC
 accounting exec EXEC-ACC
 logging synchronous
 login authentication SW-ACS
 length 0
 transport input ssh
line vty 5 15
 access-class vty-in in
 authorization commands 1 CLI-ACS
 authorization exec EXEC-ACS
 accounting commands 1 CLI-ACC
 accounting exec EXEC-ACC
 logging synchronous
 login authentication SW-ACS
 transport input ssh

ip access-list standard vty-in
 permit 10.0.0.0 0.255.255.255

---------------------------------------------------------------

We would like to add a local username and password that has exec privileges and works with or without a TACACS connection. We would like that username and password to get into config mode without having to add an additional enable password.

We have tried the username ***** privilege 15 secret/password ******, but it doesn't work.

Any ideas?
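As an added example (not from this thread or from Cisco), here is a small Python audit that parses AAA method lists and line sections in the style shown above and flags lines whose lists cannot fall back to the local database when TACACS+ is unreachable, local users still defined with a reversible password instead of a secret, and vty lines that still permit telnet. The config, usernames and hashes in SAMPLE_CONFIG are constructed placeholders, not the poster's real configuration.

```python
import re

# Constructed sample (not the poster's literal config): the thread's AAA lists plus hypothetical local users; hashes are placeholders.
SAMPLE_CONFIG = """\
aaa authentication login SW-ACS group tacacs+ local
aaa authorization exec EXEC-ACS group tacacs+ local
aaa authorization exec EXEC-TAC-ONLY group tacacs+
username localadmin privilege 15 secret 9 PLACEHOLDER_HASH
username helpdesk privilege 1 password 7 PLACEHOLDER
line vty 0 4
 authorization exec EXEC-TAC-ONLY
 login authentication SW-ACS
 transport input ssh
line vty 5 15
 authorization exec EXEC-ACS
 login authentication SW-ACS
 transport input telnet ssh
"""

METHOD_RE = re.compile(r"^aaa (authentication login|authorization exec) (\S+) (.+)$")
USER_RE = re.compile(r"^username (\S+) privilege (\d+) (secret|password) ")
# Per-line keyword pair -> the global method-list kind it references.
LINE_KEYS = {"login authentication": "authentication login", "authorization exec": "authorization exec"}

def audit_aaa(config):
    """Flag method lists without a local fallback, weak local creds and non-SSH lines."""
    lists, findings, current, has_priv15_secret = {}, [], None, False
    for line in config.splitlines():
        m = METHOD_RE.match(line)
        u = USER_RE.match(line)
        w = line.split()
        kind = " ".join(w[:2])
        if m:                                   # global method list definition
            lists[(m.group(1), m.group(2))] = m.group(3).split()
        elif u:                                 # local user database entry
            if u.group(3) == "password":
                findings.append(f"user {u.group(1)}: reversible 'password'; use 'secret'")
            elif u.group(2) == "15":
                has_priv15_secret = True
        elif line.startswith("line "):          # start of a con/vty section
            current = line[5:]
        elif current and kind in LINE_KEYS and len(w) > 2:
            if "local" not in lists.get((LINE_KEYS[kind], w[2]), []):
                findings.append(f"line {current}: {kind} list {w[2]} has no local fallback")
        elif current and kind == "transport input" and "telnet" in w:
            findings.append(f"line {current}: telnet permitted; restrict to ssh")
    if not has_priv15_secret:
        findings.append("no privilege-15 local user with 'secret' for TACACS+ outage")
    return findings
```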

1 Accepted Solution

Accepted Solutions

Mark Malone
VIP Alumni

Hi, you could try adding enable to the end of your authentication line. The issue is that, as aaa is enabled, it will try to get authentication from the group first, then if that is not available it will use the local username/password. I'm not sure if you can have it bypass aaa first and only use the username; you have applied aaa, which is higher security, so I think it will always try that first once set.

aaa authentication login SW-ACS group tacacs+ local enable

3 Replies

Thanks Mark.

I thought that was the case, that there isn't a way for a local username to bypass tacacs.

I'll keep this open for a while just in case someone has done any funky things.

Yeah, you never know, someone may have gotten around this. That's just from my own experience using aaa.