05-26-2015 02:07 AM
Hello to everyone.
I configured AAA on an ASR9K with a TACACS server. Here is my configuration:
tacacs source-interface Loopback0 vrf default
tacacs-server host 172.20.48.18 port 49
 key 7 11584857454158
aaa accounting commands default start-stop group tacacs+ group tcq-tacacs
aaa group server tacacs+ tcq-tacacs
 server 172.20.48.18
aaa authorization commands default group tacacs+ group tcq-tacacs
aaa authentication login default local group tacacs+ group tcq-tacacs
-----------------------------------------------------------------------------------------------------------------------
I want the device to have a local user, so I configured it this way:
taskgroup tgrLocal
 inherit taskgroup root-system
usergroup ugrLocal
 taskgroup tgrLocal
username admin
 group ugrLocal
 password 7 141B1D080D08
When I try to log in with the local user, I get this message:
RP/0/RSP1/CPU0:A9K_PE_19Dey#conf t
Command authorization failed
% Incomplete command
------------------------------------------------------------------------------------------------------------------------
I could solve the problem by defining the user ("admin") on the TACACS server, but I think there is another solution.
I want to know how I can have authorization locally and with TACACS simultaneously.
Thanks!
06-03-2015 10:29 AM
In your config you authenticate the user locally, which succeeds, but when the command is sent to the TACACS server for command authorization, the request includes the username that invoked the command.
The TACACS server therefore needs to have an entry for that username to know what commands this user is allowed to run.
The TACACS server won't need the user's password, but it needs the commands associated with that user account.
While this is perfectly fine config-wise, it is somewhat unusual, I guess, to authenticate locally and use TACACS for command authorization: you still need the user on the TACACS server, and if TACACS is not available, the user can be authenticated but can't run any config commands anyway.
Also, it removes the benefit that TACACS provides of centralized user management, but hey, whatever works for you :)
cheers!
xander
06-07-2015 01:10 AM
Thank you for the answer, your description is very clear!
I don't want to authenticate the users locally and authorize using the TACACS server; I want to use the TACACS server always, as centralized user management, but in the case that the server is unavailable, is control lost? How do I configure the devices?
My question is: if the TACACS server fails for any reason, is there any solution for managing the devices until the TACACS server is restored?
06-07-2015 05:36 AM
Ah, that is a "standard" approach that has a "standard config" :)
You'd want to do this:
tacacs-server host x.x.x.x      << tac server definition
tacacs-server key blabla        << tac server key, if needed
aaa authentication login default group tacacs+ local      << authenticate against tac, but if not avail use local
aaa authorization exec default group tacacs+ local        << authorize the service against tac, but if not avail use local (goes hand in hand with authen, of course)
aaa authorization commands default group tacacs+ none     << authorize the commands against tac, but if tac not avail allow the command. This is important: if we are on the local user because tac is unavail, then of course we want to allow the command, since otherwise we can log in but can't run any commands!!
username whatever      << local user config
 secret something
 group root-system     << with top permissions for fallback
cheers
xander
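As an added example (not code from the thread or from Cisco), the following Python model walks an IOS XR AAA method list the way the reply above describes, so the two situations in this thread can be reproduced offline: the original config answering "Command authorization failed" for a local-only user while TACACS is up, and the fallback config still allowing commands when TACACS is down. It also audits a config for the gaps the reply warns about. The config strings are constructed from the thread; the 192.0.2.10 address, the key and the secret are placeholders, and the method-list semantics are simplified (an unreachable server group is skipped, the first method that answers ends the walk).

```python
"""Added example, not the thread's own code: model how IOS XR walks an AAA
method list, and audit a config for the fallback gaps the reply describes.
Config strings are constructed; keys, secrets and 192.0.2.10 are placeholders."""

import re

# Only the 'default' method lists of these services are modelled.
AAA_LINE = re.compile(r"^aaa\s+(authentication login|authorization exec|"
                      r"authorization commands)\s+(\S+)\s+(.*)$")


def parse_methods(config):
    """{service: [method, ...]} for 'default' lists; methods: 'group X', 'local', 'none'."""
    lists = {}
    for line in config.splitlines():
        m = AAA_LINE.match(line.strip())
        if m and m.group(2) == "default":
            lists[m.group(1)] = re.findall(r"group \S+|local|none", m.group(3))
    return lists


def resolve(methods, tacacs_up, on_tacacs, in_local):
    """Walk a method list (simplified AAA semantics): an unreachable server group
    is skipped and the next method tried; the first method that answers ends the
    walk; 'none' always passes.  Returns 'PASS', 'FAIL' or 'ERROR' (exhausted)."""
    for method in methods:
        if method.startswith("group "):
            if not tacacs_up:
                continue                      # dead server: try the next method
            return "PASS" if on_tacacs else "FAIL"
        if method == "local":
            return "PASS" if in_local else "FAIL"
        if method == "none":
            return "PASS"
    return "ERROR"


def can_run_commands(config, tacacs_up, on_tacacs, in_local):
    """True when the user passes both login authentication and command authorization."""
    lists = parse_methods(config)
    args = (tacacs_up, on_tacacs, in_local)
    return (resolve(lists["authentication login"], *args) == "PASS"
            and resolve(lists["authorization commands"], *args) == "PASS")


def local_users(config):
    """{username: [body lines]} from 'username' blocks (IOS XR indents the body)."""
    users, current = {}, None
    for line in config.splitlines():
        if line.startswith("username "):
            current = line.split()[1]
            users[current] = []
        elif current is not None and line.startswith(" "):
            users[current].append(line.strip())
        else:
            current = None
    return users


def audit_fallback(config):
    """Flag the gaps the reply warns about.  Only direct 'group root-system'
    membership counts; usergroup/taskgroup inheritance is not followed."""
    findings, lists = [], parse_methods(config)
    for svc in ("authentication login", "authorization exec"):
        if svc in lists and "local" not in lists[svc]:
            findings.append(f"{svc} default has no 'local' fallback")
    cmds = lists.get("authorization commands")
    if cmds and cmds[-1] != "none":
        findings.append("authorization commands default does not end in 'none': "
                        "commands are denied while TACACS is unreachable")
    users = local_users(config)
    root = [u for u, body in users.items() if "group root-system" in body]
    if not root:
        findings.append("no local user in group root-system for fallback")
    for u in root:
        if not any(line.startswith("secret ") for line in users[u]):
            findings.append(f"user {u}: use 'secret', not a reversible 'password 7'")
    return findings


# Constructed: the original poster's AAA lines, with the user put directly in root-system.
ORIGINAL_CONFIG = """\
tacacs-server host 172.20.48.18 port 49
 key 7 11584857454158
aaa authorization commands default group tacacs+
aaa authentication login default local group tacacs+
username admin
 group root-system
 password 7 141B1D080D08
"""

# Constructed: the fallback pattern from the reply (placeholder values).
FALLBACK_CONFIG = """\
tacacs-server host 192.0.2.10 port 49
 key 7 PLACEHOLDER
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands default group tacacs+ none
username fallback-admin
 group root-system
 secret 5 PLACEHOLDER
"""
```

Calling `can_run_commands(ORIGINAL_CONFIG, True, False, True)` (TACACS reachable, user known only locally) returns False, which is the "Command authorization failed" case; `can_run_commands(FALLBACK_CONFIG, False, False, True)` returns True, since both the login and the command list fall through to `local` and `none`. Note that with the fallback config and TACACS reachable, the local-only user is rejected at login, so central control is kept while the server is up. `audit_fallback(ORIGINAL_CONFIG)` reports the missing `none` and the reversible `password 7`; the fallback sample reports nothing.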
06-07-2015 01:52 PM
Many thanks! :)
Now, my approach and my configuration are both standard ;)
cheers to you!
09-02-2015 04:03 AM
Hi Sir
May I know what the difference is between "aaa group server tacacs+ XX" and "tacacs-server host x.x.x.x"?
If we have two TACACS servers, what should we configure? Which one will be the primary server for authentication?
09-02-2015 04:08 AM
Hi xing,
You always need to define your TACACS servers globally via the tacacs-server host config.
Those servers are referenced in the aaa auth statements as the default group.
If you have multiple servers and you want to use some for one purpose and some for another, you can define different aaa server groups and pull in, say, servers A and D for one group and servers B and C for another group.
This is in case, say, you want to use a different server set for telnet vs console authentication.
cheers
xander
09-02-2015 04:13 AM
Thanks for your suggestion.
If we want to define the primary TACACS server, how can we do that?
What's the difference between the following?
1.
aaa group server tacacs+ TARGET_Tacacs
 server x.x.x.x1
 server x.x.x.x2
2.
tacacs-server host x.x.x.x1
tacacs-server host x.x.x.x2
May I know which server will be the primary authentication server?
Thanks in advance!
09-02-2015 04:14 AM
PS: we just want to make the TACACS server redundant for one purpose.
09-02-2015 04:21 AM
If your auth method leverages the group TARGET_Tacacs, then X1 will be used first, and if it is dead/non-responsive, X2 will be tried.
This is because of the order in which they are defined in the TACACS group.
cheers
xander
09-02-2015 04:23 AM
Many thanks!
cheers to you!