12-11-2018 02:00 AM - edited 03-08-2019 04:47 PM
Hello all,
we have a number of 2960S switches, connected in pairs, forming different stacks. We have enabled AAA. When using the console, we want to log in using the local database. What we noticed is that when we connect through the console of the master switch we are able to log in to the switch. When we try to connect through the console of the standby switch, authorization fails.
Below is the configuration
aaa authentication login AUTHISE group TACACS-ISE local
aaa authentication login CON local
aaa authorization console
aaa authorization config-commands
aaa authorization exec AUTHISE group TACACS-ISE if-authenticated
aaa authorization exec CON none
aaa authorization commands 1 AUTHISE group TACACS-ISE local if-authenticated
aaa authorization commands 5 AUTHISE group TACACS-ISE local if-authenticated
aaa authorization commands 15 AUTHISE group TACACS-ISE local if-authenticated
aaa accounting exec AUTHISE start-stop group TACACS-ISE
aaa accounting commands 5 AUTHISE start-stop group TACACS-ISE
aaa accounting commands 15 AUTHISE start-stop group TACACS-ISE
line con 0
authorization exec CON
logging synchronous
login authentication CON
The workaround we have found is using the AAA server as the first option and if that fails, to revert to the local database.
aaa authentication login CON group TACACS-ISE local
In this case we connect to the standby console port, via authentication through the ISE server. If the ISE server is unavailable, we authenticate via the local database.
So, what is the issue that prevents us from connecting through the standby console when only using the local database?
Could anyone please help solve this issue?
Thanks in advance,
Katerina
12-11-2018 02:28 AM
- Did you try standby console enable; on the master, albeit from command or in IOS configuration?
M.
12-11-2018 05:42 AM
Hello Marce,
I found the command on another post, but it does not seem to be supported.
I am running IOS Version 12.2(55r)SE.
Thanks!
12-11-2018 06:27 AM
Katerina
In your original post you indicate that the problem is that authorization fails. But apparently your workaround is a change in authentication. Can you clarify whether the issue was really with authorization or with authentication?
When there are problems with authorization with a fall back method I have found it helpful to include the if-authorized parameter in the aaa authorization command.
HTH
Rick
12-11-2018 06:55 AM
12-12-2018 12:20 AM
Hi!
I checked the behavior again. When I connect to the console of the second switch and use local database credentials to login, the message I get is "Authorization Failed". When I try to authenticate using the ISE credentials (AAA authentication), I get the message "Authentication Failed".
Thanks!
12-12-2018 07:15 AM
Katerina
It is interesting that the error does indicate the problem is with authorization. It occurs to me that there is a different approach to this issue that might be better. By default Cisco does not do authorization on the console. You must explicitly enable authorization on the console. The config info that you posted does show that you explicitly enable authorization on the console, and then are attempting to say that authorization for the console is none. My suggestion is to simply remove the command that enables authorization on the console.
HTH
Rick
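As an added illustration (not part of the thread, and not Cisco's code), the script below resolves what a console login on this configuration actually goes through: which authentication method list line con 0 uses, whether that list falls back to the local database, and whether `aaa authorization console` is enabled together with an exec list of `none`, the combination Rick's reply points at. The two sample configurations are constructed from the lines posted in the original post and its workaround; the parser's reading of IOS semantics (an unnamed line uses the `default` list; exec authorization on the console only happens when `aaa authorization console` is set) is the author's assumption, not taken from the thread.

```python
import re

# Constructed sample, copied from the thread's posted configuration (console
# authenticates against the local database only). Indentation follows
# 'show running-config' output; the parser also accepts unindented lines.
ORIGINAL_CONFIG = """\
aaa authentication login AUTHISE group TACACS-ISE local
aaa authentication login CON local
aaa authorization console
aaa authorization config-commands
aaa authorization exec AUTHISE group TACACS-ISE if-authenticated
aaa authorization exec CON none
line con 0
 authorization exec CON
 logging synchronous
 login authentication CON
"""

# Constructed sample: the thread's workaround (ISE first, local fallback).
WORKAROUND_CONFIG = ORIGINAL_CONFIG.replace(
    "aaa authentication login CON local",
    "aaa authentication login CON group TACACS-ISE local",
)

# Any top-level line starting with one of these ends the 'line con 0' block.
BLOCK_END = ("line ", "aaa ", "interface ", "!", "end")


def split_methods(text):
    """'group TACACS-ISE local' -> ['group TACACS-ISE', 'local']."""
    tokens, methods, i = text.split(), [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append("group " + tokens[i + 1])
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def parse_aaa(config):
    """Return (login lists, exec lists, console settings) from IOS config text."""
    login, exec_ = {}, {}
    # Assumption: a line without an explicit list name uses the 'default' list.
    console = {"login": "default", "exec": "default", "authorization": False}
    in_console = False
    for raw in config.splitlines():
        line = raw.strip()
        if line == "line con 0":
            in_console = True
            continue
        if in_console and raw.startswith(BLOCK_END):
            in_console = False
        if m := re.match(r"aaa authentication login (\S+) (.+)", line):
            login[m.group(1)] = split_methods(m.group(2))
        elif m := re.match(r"aaa authorization exec (\S+) (.+)", line):
            exec_[m.group(1)] = split_methods(m.group(2))
        elif line == "aaa authorization console":
            console["authorization"] = True
        elif in_console and (m := re.match(r"login authentication (\S+)$", line)):
            console["login"] = m.group(1)
        elif in_console and (m := re.match(r"authorization exec (\S+)$", line)):
            console["exec"] = m.group(1)
    return login, exec_, console


def console_summary(config):
    """Resolve the method lists a console login goes through and flag lockout risks."""
    login, exec_, console = parse_aaa(config)
    login_methods = login.get(console["login"])
    # Assumption: exec authorization applies to the console only with 'aaa authorization console'.
    exec_methods = exec_.get(console["exec"]) if console["authorization"] else None
    findings = []
    if login_methods is None:
        findings.append(f"console login list '{console['login']}' is not defined")
    elif "local" not in login_methods:
        findings.append("console login has no local fallback: lockout if the AAA server is unreachable")
    if console["authorization"] and exec_methods == ["none"]:
        findings.append("aaa authorization console is enabled but the console exec list resolves to none")
    return {
        "login": login_methods,
        "exec_authorization": exec_methods,
        "server_first": bool(login_methods) and login_methods[0].startswith("group "),
        "findings": findings,
    }


if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL_CONFIG), ("workaround", WORKAROUND_CONFIG)):
        print(name, console_summary(cfg))
```

Run it against a pasted `show running-config` to see the resolved console lists before touching a stack member's console; a missing `local` method in the console login list is the one finding that would lock you out of the box entirely, whereas the `aaa authorization console` plus `none` combination is the contradiction Rick's reply suggests removing.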
12-13-2018 03:24 AM
No change...
The interesting thing is that the problem occurs only when the console is connected to the second member of the stack. The master functions as expected. That is why I am starting to believe that there is something wrong with the way the stack is implemented by Cisco...