ASR9K/XR Local & TACACS

r-karamad
Level 1

Hello everyone.

I configured AAA on an ASR9K with a TACACS server. Here is my configuration:

tacacs source-interface Loopback0 vrf default
tacacs-server host 172.20.48.18 port 49
  key 7 11584857454158

aaa accounting commands default start-stop group tacacs+ group tcq-tacacs

aaa group server tacacs+ tcq-tacacs
  server 172.20.48.18

aaa authorization commands default group tacacs+ group tcq-tacacs
aaa authentication login default local group tacacs+ group tcq-tacacs

-----------------------------------------------------------------------------------------------------------------------

I want the device to have a local user, so I configured it this way:

taskgroup tgrLocal
  inherit taskgroup root-system

usergroup ugrLocal
  taskgroup tgrLocal

username admin
  group ugrLocal
  password 7 141B1D080D08

When I try to log in with the local user, I get this message:

RP/0/RSP1/CPU0:A9K_PE_19Dey#conf t
Command authorization failed
% Incomplete command

------------------------------------------------------------------------------------------------------------------------

I could solve the problem by defining the user ("admin") on the TACACS server, but I think there is another solution.

I want to know how I can have authorization locally and with TACACS simultaneously?

Thanks!

10 Replies

xthuijs
Cisco Employee

In your config you authenticate the user locally, which succeeds, but when the command is sent to the TACACS server for command authorization, it includes the username that invoked this command.

The TACACS server therefore needs to have an entry for that username to know what commands this user is allowed to do.

The TACACS server won't need the user's password, but it needs the commands associated with that user account.

While this is perfectly fine config-wise, it is somewhat unusual I guess to authenticate locally and use TACACS for command authorization: you still need the user in the TACACS server, and if the TACACS server is not available, the user can be authenticated but not do any config commands anyway.

Also it removes the benefit that TACACS provides of having centralized user management, but hey, whatever works for you :)

cheers!

xander

Thank you for the answer, your description is very clear!
I don't want to authenticate the users locally and authorize using the TACACS server; I want to use the TACACS server always, as centralized user management, but in the case that the server is unavailable, is control lost? How do I configure the devices?
My question is: if the TACACS server fails for any reason, is there any solution for managing the devices until the TACACS server is restored?

ah, that is a "standard" approach that has a "standard config" :)

you'd want to do this:

tacacs-server host x.x.x.x <tac server definition>

tacacs-server key blabla <tac server key if needed>

aaa authentication login default group tacacs local << authenticate against tac, but if not available use local

aaa authorization exec default group tacacs local << authorize the service against tac, but if not available use local (goes hand in hand with authen of course)

(aaa authorization commands exec default group tacacs none) << authorize the commands against tacacs, but if tac is not available allow that command; this is important: if we are on the local user because tac is unavailable, then of course we want to allow the command, since otherwise we can log in but can't do any commands!!

username whatever << local user config
  secret something
  group root-system << with top permissions for fallback

cheers

xander


Many thanks! :)

Now, my approach and my configuration are both standard ;)

cheers to you!

Hi Sir


May I know what's the difference between "aaa group server tacacs+ XX" and "tacacs-server host x.x.x.x"?

If we have two TACACS servers, what should we configure? Which one will be the primary server for authentication?


Hi Xing,

You always need to define your TACACS servers globally via the tacacs-server host config.

Those servers are referenced in aaa auth statements as the group default.

If you have multiple servers and you want to use some for one purpose and some for another, you can define different aaa server groups and pull in, say, servers A and D for one group and servers B and C for another group.

This is in case, say, you want to use a different server set for telnet vs console authentication.

cheers

xander

Thanks for your suggestion.


If we want to define the primary TACACS server, how can we do that?

What's the difference between the following:

1.

aaa group server tacacs+ TARGET_Tacacs
server x.x.x.x1
server x.x.x.x2

2.

tacacs-server host x.x.x.x1
tacacs-server host x.x.x.x2

May I know which server will be the primary authentication server?

Thanks in advance!

PS: we just want to make the TACACS server redundant, for one purpose.

If your auth method leverages the group TARGET_Tacacs, then X1 will be used first and, if dead/non-responsive, X2 will be tried.

This is because of the order in which they are defined in the TACACS group.

cheers

xander
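The two points xander makes in this thread, that command authorization must fall back to `none`/`local` when authentication can fall back to a local user, and that the first server listed in a `aaa group server` block is the primary, are both easy to check mechanically. The script below is an added example written for this page, not Cisco's or anyone in the thread's code: it parses an IOS XR-style AAA excerpt, records the method lists and server groups in order, and reports the failure mode from the original post (a locally authenticated user whose every command is rejected because command authorization terminates in a TACACS+ method). The two configs, the addresses 192.0.2.10/11 and the `<hash>` placeholders are constructed; the parser only handles the plain `aaa <type> <subtype> <list> [start-stop] <methods>` form shown in the thread.

```python
"""Audit an IOS XR AAA excerpt for the TACACS+ with local-fallback pattern.

Added example for this thread. The constructed configs below mirror the
original post (PROBLEM_CONFIG) and the recommended fallback design
(FALLBACK_CONFIG); the check names are this script's own.
"""
from dataclasses import dataclass, field

# 'group tacacs+' is the implicit group of every 'tacacs-server host' line.
BUILTIN_GROUPS = {"tacacs+", "tacacs", "radius"}


@dataclass
class AaaConfig:
    # (aaa type, subtype, list name) -> methods in order, e.g. ["group X", "local"]
    method_lists: dict = field(default_factory=dict)
    # server group name -> servers in configured order (the first one is primary)
    groups: dict = field(default_factory=dict)
    global_servers: list = field(default_factory=list)
    local_users: list = field(default_factory=list)


def parse_aaa(config: str) -> AaaConfig:
    """Pull the AAA-relevant statements out of a running-config excerpt."""
    cfg = AaaConfig()
    current_group = None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        tokens = raw.split()
        indented = raw[0].isspace()
        if not indented:
            current_group = None  # left the 'aaa group server' block
        if indented and current_group is not None and tokens[0] == "server" and len(tokens) >= 2:
            cfg.groups[current_group].append(tokens[1])
        elif tokens[:3] == ["aaa", "group", "server"] and len(tokens) >= 5:
            current_group = tokens[4]
            cfg.groups[current_group] = []
        elif tokens[:2] == ["tacacs-server", "host"] and len(tokens) >= 3:
            cfg.global_servers.append(tokens[2])
        elif tokens[0] == "aaa" and len(tokens) >= 5 and tokens[1] in (
            "authentication", "authorization", "accounting"
        ):
            # aaa <type> <subtype> <list> [start-stop|stop-only] <methods...>
            kind, sub, name = tokens[1], tokens[2], tokens[3]
            rest = [t for t in tokens[4:] if t not in ("start-stop", "stop-only")]
            methods, i = [], 0
            while i < len(rest):
                if rest[i] == "group" and i + 1 < len(rest):
                    methods.append(f"group {rest[i + 1]}")
                    i += 2
                else:
                    methods.append(rest[i])
                    i += 1
            cfg.method_lists[(kind, sub, name)] = methods
        elif tokens[0] == "username" and not indented and len(tokens) >= 2:
            cfg.local_users.append(tokens[1])
    return cfg


def primary_server(cfg: AaaConfig, group: str):
    """The first server in a group is tried first; later ones only on timeout/dead."""
    servers = cfg.groups.get(group, [])
    return servers[0] if servers else None


def audit_aaa(cfg: AaaConfig) -> list:
    """Return human-readable findings; an empty list means the pattern is sound."""
    findings = []
    # Every referenced group must exist, and every server in a group must also
    # be defined globally with 'tacacs-server host'.
    for key, methods in cfg.method_lists.items():
        for m in methods:
            if m.startswith("group "):
                g = m.split(" ", 1)[1]
                if g not in BUILTIN_GROUPS and g not in cfg.groups:
                    findings.append(f"{' '.join(key)}: server group '{g}' is not defined")
    for g, servers in cfg.groups.items():
        for s in servers:
            if s not in cfg.global_servers:
                findings.append(f"group {g}: server {s} has no 'tacacs-server host' definition")
    # The thread's failure mode: login can succeed via 'local', but the matching
    # command-authorization list ends in a TACACS+ method, so a user the server
    # does not know (or any user while it is unreachable) fails every command.
    for (kind, sub, name), methods in cfg.method_lists.items():
        if kind != "authentication" or "local" not in methods:
            continue
        cmd = cfg.method_lists.get(("authorization", "commands", name))
        if cmd and cmd[-1] not in ("none", "local"):
            findings.append(
                f"authorization commands {name}: last method is '{cmd[-1]}'; locally "
                "authenticated users will get 'Command authorization failed' whenever "
                "TACACS+ does not know them or is unreachable"
            )
        if not cfg.local_users:
            findings.append(f"authentication login {name}: falls back to local but no username is configured")
    return findings


# Constructed sample mirroring the original post: local login, TACACS-only command authz.
PROBLEM_CONFIG = """\
tacacs-server host 192.0.2.10 port 49
  key 7 <type7-key>
aaa group server tacacs+ tcq-tacacs
  server 192.0.2.10
aaa authorization commands default group tacacs+ group tcq-tacacs
aaa authentication login default local group tacacs+ group tcq-tacacs
username admin
  group root-system
  secret <hash>
"""

# Constructed sample of the recommended design: TACACS first, local/none as fallback.
FALLBACK_CONFIG = """\
tacacs-server host 192.0.2.10 port 49
tacacs-server host 192.0.2.11 port 49
aaa group server tacacs+ TARGET_Tacacs
  server 192.0.2.10
  server 192.0.2.11
aaa authentication login default group TARGET_Tacacs local
aaa authorization exec default group TARGET_Tacacs local
aaa authorization commands default group TARGET_Tacacs none
username fallback-admin
  group root-system
  secret <hash>
"""

if __name__ == "__main__":
    for label, text in (("problem", PROBLEM_CONFIG), ("fallback", FALLBACK_CONFIG)):
        cfg = parse_aaa(text)
        print(f"[{label}] primary TACACS server per group:",
              {g: primary_server(cfg, g) for g in cfg.groups})
        for f in audit_aaa(cfg) or ["no findings"]:
            print(f"[{label}] {f}")
```

Run it against a `show running-config aaa` excerpt to confirm the fallback ordering before relying on it; the problem config yields exactly the "Command authorization failed" finding from the first post, and the fallback config yields none, with 192.0.2.10 reported as the primary of TARGET_Tacacs.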

Many thanks!


cheers to you!