AAA

Authentication

  • aaa authentication login default|Group_name group TACACS|RADIUS local enable: if the group method is not available (servers unreachable), authentication falls back to the next method, local, and then to enable. It does not fall back to local when the user does not exist in the group: a rejection from the server ends the list.

  • aaa authentication login default|Group_name local group TACACS|RADIUS enable: the fallback differs in this order. If the user does not exist in the local database, authentication falls back to the group method.

Authorization

To exec mode

  • For the console line, the hidden command aaa authorization console is needed before the specified method list applies, because by default authorization applies only to VTY and AUX lines.

  • Command: aaa authorization exec default|group_name local if-authenticated

  • If the user was not authenticated by the same protocol that the authorization command uses, the user is denied access -> if-authenticated can be added to still allow access to user (>) mode.

  • To reach privileged mode directly, the user must be authorized by a group (TACACS) or local method.

  • Example:

    aaa authentication login VTY group TACACS enable
    aaa authorization exec EXEC-AUTH group TACACS local   (authorization has no enable method)
  • With the above configuration, if the TACACS server is unavailable, the user cannot reach user mode (>): they can only log on with the enable password, but a local account is required to be authorized into exec mode.

  • Solution: use one of the following:

    • aaa authorization exec EXEC-AUTH group TACACS local if-authenticated

    • or simply: aaa authorization exec EXEC-AUTH group TACACS if-authenticated

To privilege exec mode

  • aaa authentication enable default: only the default method list exists for enable authentication.

  • If a privilege level is returned by the TACACS server, or the local account is configured with a privilege level, the user is placed into that level automatically. This command therefore only kicks in when the user reached user mode (>) through the if-authenticated method and then uses enable to reach privileged mode.

Troubleshooting Log

Logging in on a VTY with a local account that has privilege 15, but placed into user (>) mode

  • Current configuration:

    • aaa authorization exec EXEC-AUTH group TACACS_GROUP if-authenticated

  • Solution: ensure local is the fallback method after group. Without it the user is not authorized via local but merely passed through by if-authenticated, so the privilege level of the local user is never applied.

    • aaa authorization exec EXEC-AUTH group TACACS_GROUP local if-authenticated
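The fallback rules from the Authentication and Authorization sections and the two EXEC-AUTH lists in this troubleshooting note, modelled as an added example that is not part of these notes. It assumes the simplified PASS/FAIL/ERROR rules stated in its comments; the users, passwords and the TACACS group are constructed.

```python
# Added example, not from the original notes: a small model of how IOS walks an
# AAA method list, written to reproduce the behaviour these notes describe.
# Assumed (and simplified) rules: a method answers PASS, FAIL or ERROR; ERROR
# (server unreachable, or no such local user) moves on to the next method,
# FAIL denies and stops. Users, passwords and the TACACS group are constructed.
PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

def _authen(box, method, user, password):
    """One login method. box: dict with tacacs_up, tacacs, local, enable_secret."""
    if method == "group":
        if not box["tacacs_up"]:
            return ERROR
        rec = box["tacacs"].get(user)               # name -> (password, priv)
        return PASS if rec and rec[0] == password else FAIL
    if method == "local":
        rec = box["local"].get(user)
        if rec is None:
            return ERROR                            # unknown locally: keep walking
        return PASS if rec[0] == password else FAIL
    if method == "enable":
        return PASS if password == box["enable_secret"] else FAIL
    raise ValueError(method)

def login(box, authen_list, author_list, user, password):
    """Walk the login list, then the exec authorization list.
    Returns (allowed, privilege, authenticated_by, authorized_by)."""
    authen_by = None
    for m in authen_list:
        status = _authen(box, m, user, password)
        if status == PASS:
            authen_by = m
            break
        if status == FAIL:
            return False, None, None, None
    if authen_by is None:
        return False, None, None, None
    if authen_by == "enable":
        user = None                                 # enable login has no username
    for m in author_list:
        if m == "if-authenticated":                 # any authenticated session passes,
            return True, 1, authen_by, m            # but the stored privilege is not applied
        if m == "group" and box["tacacs_up"]:
            if user in box["tacacs"]:
                return True, box["tacacs"][user][1], authen_by, m
            return False, None, authen_by, None     # server rejects: stop
        if m == "local" and user in box["local"]:
            return True, box["local"][user][1], authen_by, m
    return False, None, authen_by, None             # list exhausted: denied
```

With the server down, `login(box, ["group", "local"], ["group", "if-authenticated"], "cisco", "pw")` returns privilege 1 for a privilege-15 local user, and adding `"local"` before `"if-authenticated"` returns 15, which is the fix described above.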

Accessing the console line with TACACS credentials, but the user is placed into user (>) mode

  • Current command:

  • Solution: add these 2 commands

  • This also applies to logging in on the console line with local credentials.

  • If the commands in the solution are missing, the user lands in user (>) mode. They can reach enable mode with the enable command, but must use the password of the authenticated user, i.e. the password of the user from TACACS_GROUP or local, depending on which method authenticated them, not the enable password or secret.

Authentication when TACACS is configured but unreachable

When everything is correct

Authorization log when a server is configured in the group but unreachable, and logged on with a local user

Authorization log when no server is configured in the group, logged on with a local user

*Nov 22 04:00:24.358: AAA/AUTHOR: auth_need : user= 'cisco' ruser= 'LabSwitch'rem_addr= '10.10.10.132' priv= 15 list= 'COMMANDS-15-AUTH' AUTHOR-TYPE= 'commands'
*Nov 22 04:00:24.358: AAA: parse name=tty2 idb type=-1 tty=-1
*Nov 22 04:00:24.358: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
*Nov 22 04:00:24.359: AAA/MEMORY: create_user (0xFF95712678) user='cisco' ruser='LabSwitch' ds0=0 port='tty2' rem_addr='10.10.10.132' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
*Nov 22 04:00:24.359: tty2 AAA/AUTHOR/CMD (3066362006): Port='tty2' list='COMMANDS-15-AUTH' service=CMD
*Nov 22 04:00:24.359: AAA/AUTHOR/CMD: tty2 (3066362006) user='cisco'
*Nov 22 04:00:24.359: tty2 AAA/AUTHOR/CMD (3066362006): send AV service=shell
*Nov 22 04:00:24.359: tty2 AAA/AUTHOR/CMD (3066362006): send AV cmd=do-exec
*Nov 22 04:00:24.360: tty2 AAA/AUTHOR/CMD (3066362006): send AV cmd-arg=sh
*Nov 22 04:00:24.360: tty2 AAA/AUTHOR/CMD (3066362006): send AV cmd-arg=run
*Nov 22 04:00:24.360: tty2 AAA/AUTHOR/CMD (3066362006): send AV cmd-arg=|
*Nov 22 04:00:24.360: tty2 AAA/AUTHOR/CMD (3066362006): send AV cmd-arg=sec
*Nov 22 04:00:24.360: tty2 AAA/AUTHOR/CMD (3066362006): send AV cmd-arg=aaa
*Nov 22 04:00:24.360: tty2 AAA/AUTHOR/CMD (3066362006): send AV cmd-arg=
*Nov 22 04:00:24.360: tty2 AAA/AUTHOR/CMD(3066362006): found list "COMMANDS-15-AUTH"
*Nov 22 04:00:24.361: tty2 AAA/AUTHOR/CMD (3066362006): Method=BANKWEST (tacacs+)
*Nov 22 04:00:24.361: AAA/AUTHOR/TAC+: (3066362006): user=cisco
*Nov 22 04:00:24.361: AAA/AUTHOR/TAC+: (3066362006): send AV service=shell
*Nov 22 04:00:24.361: AAA/AUTHOR/TAC+: (3066362006): send AV cmd=do-exec
*Nov 22 04:00:24.361: AAA/AUTHOR/TAC+: (3066362006): send AV cmd-arg=sh
*Nov 22 04:00:24.361: AAA/AUTHOR/TAC+: (3066362006): send AV cmd-arg=run
*Nov 22 04:00:24.361: AAA/AUTHOR/TAC+: (3066362006): send AV cmd-arg=|
*Nov 22 04:00:24.362: AAA/AUTHOR/TAC+: (3066362006): send AV cmd-arg=sec
*Nov 22 04:00:24.362: AAA/AUTHOR/TAC+: (3066362006): send AV cmd-arg=aaa
*Nov 22 04:00:24.362: AAA/AUTHOR/TAC+: (3066362006): send AV cmd-arg=
*Nov 22 04:00:24.362: AAA/AUTHOR (3066362006): Post authorization status = ERROR
*Nov 22 04:00:24.362: tty2 AAA/AUTHOR/CMD (3066362006): Method=IF_AUTHEN
*Nov 22 04:00:24.362: AAA/AUTHOR (3066362006): Post authorization status = PASS_ADD
*Nov 22 04:00:24.362: AAA/MEMORY: free_user (0xFF95712678) user='cisco' ruser='LabSwitch' port='tty2' rem_addr='10.10.10.132' authen_type=ASCII service=NONE priv=15 vrf= (id=0)
*Nov 22 04:00:24.372: AAA/AUTHOR: auth_need : user= 'cisco' ruser= 'LabSwitch'rem_addr= '10.10.10.132' priv= 15 list= 'COMMANDS-15-AUTH' AUTHOR-TYPE= 'commands'
*Nov 22 04:00:24.372: AAA: parse name=tty2 idb type=-1 tty=-1
*Nov 22 04:00:24.372: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
*Nov 22 04:00:24.372: AAA/MEMORY: create_user (0xFF95712678) user='cisco' ruser='LabSwitch' ds0=0 port='tty2' rem_addr='10.10.10.132' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
*Nov 22 04:00:24.373: tty2 AAA/AUTHOR/CMD (3475785714): Port='tty2' list='COMMANDS-15-AUTH' service=CMD
*Nov 22 04:00:24.373: AAA/AUTHOR/CMD: tty2 (3475785714) user='cisco'
*Nov 22 04:00:24.373: tty2 AAA/AUTHOR/CMD (3475785714): send AV service=shell
*Nov 22 04:00:24.373: tty2 AAA/AUTHOR/CMD (3475785714): send AV cmd=show
*Nov 22 04:00:24.373: tty2 AAA/AUTHOR/CMD (3475785714): send AV cmd-arg=running-config
*Nov 22 04:00:24.373: tty2 AAA/AUTHOR/CMD (3475785714): send AV cmd-arg=
*Nov 22 04:00:24.373: tty2 AAA/AUTHOR/CMD(3475785714): found list "COMMANDS-15-AUTH"
*Nov 22 04:00:24.374: tty2 AAA/AUTHOR/CMD (3475785714): Method=BANKWEST (tacacs+)
*Nov 22 04:00:24.374: AAA/AUTHOR/TAC+: (3475785714): user=cisco
*Nov 22 04:00:24.374: AAA/AUTHOR/TAC+: (3475785714): send AV service=shell
*Nov 22 04:00:24.374: AAA/AUTHOR/TAC+: (3475785714): send AV cmd=show
*Nov 22 04:00:24.374: AAA/AUTHOR/TAC+: (3475785714): send AV cmd-arg=running-config
*Nov 22 04:00:24.374: AAA/AUTHOR/TAC+: (3475785714): send AV cmd-arg=
*Nov 22 04:00:24.375: AAA/AUTHOR (3475785714): Post authorization status = ERROR
*Nov 22 04:00:24.375: tty2 AAA/AUTHOR/CMD (3475785714): Method=IF_AUTHEN
*Nov 22 04:00:24.375: AAA/AUTHOR (3475785714): Post authorization status = PASS_ADD
*Nov 22 04:00:24.375: AAA/MEMORY: free_user (0xFF95712678) user='cisco' ruser='LabSwitch' port='tty2' rem_addr='10.10.10.132' authen_type=ASCII service=NONE priv=15 vrf= (id=0)
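Reading a log like the one above by hand is slow; as an added example (not part of these notes), this parser groups the debug output by request id, records which method was tried and what it returned, and flags the requests that the server method answered with ERROR and only IF_AUTHEN let through. The embedded log excerpt is constructed from a few of the lines above.

```python
# Added example, not from the original notes: parse "debug aaa authorization"
# output of the shape shown above and reconstruct, per request id, the method
# list used, the command sent and what each method returned.
import re

SAMPLE_LOG = """\
*Nov 22 04:00:24.359: tty2 AAA/AUTHOR/CMD (3066362006): Port='tty2' list='COMMANDS-15-AUTH' service=CMD
*Nov 22 04:00:24.359: tty2 AAA/AUTHOR/CMD (3066362006): send AV cmd=do-exec
*Nov 22 04:00:24.360: tty2 AAA/AUTHOR/CMD (3066362006): send AV cmd-arg=sh
*Nov 22 04:00:24.361: tty2 AAA/AUTHOR/CMD (3066362006): Method=BANKWEST (tacacs+)
*Nov 22 04:00:24.362: AAA/AUTHOR (3066362006): Post authorization status = ERROR
*Nov 22 04:00:24.362: tty2 AAA/AUTHOR/CMD (3066362006): Method=IF_AUTHEN
*Nov 22 04:00:24.362: AAA/AUTHOR (3066362006): Post authorization status = PASS_ADD
*Nov 22 04:00:24.373: tty2 AAA/AUTHOR/CMD (3475785714): Port='tty2' list='COMMANDS-15-AUTH' service=CMD
*Nov 22 04:00:24.373: tty2 AAA/AUTHOR/CMD (3475785714): send AV cmd=show
*Nov 22 04:00:24.373: tty2 AAA/AUTHOR/CMD (3475785714): send AV cmd-arg=running-config
*Nov 22 04:00:24.374: tty2 AAA/AUTHOR/CMD (3475785714): Method=BANKWEST (tacacs+)
*Nov 22 04:00:24.375: AAA/AUTHOR (3475785714): Post authorization status = ERROR
*Nov 22 04:00:24.375: tty2 AAA/AUTHOR/CMD (3475785714): Method=IF_AUTHEN
*Nov 22 04:00:24.375: AAA/AUTHOR (3475785714): Post authorization status = PASS_ADD
"""

LINE = re.compile(r"^\*\w{3} \d+ [\d:.]+: (?P<body>.*\((?P<rid>\d+)\).*)$")

def parse_author_log(text):
    """Group lines by request id: {rid: {"list", "cmd", "methods": [(method, status)]}}."""
    reqs = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                                  # not an AAA/AUTHOR request line
        body, rid = m.group("body"), m.group("rid")
        r = reqs.setdefault(rid, {"list": None, "cmd": [], "methods": []})
        if x := re.search(r"list='([^']+)'", body):
            r["list"] = x.group(1)
        if "AUTHOR/CMD" in body and (x := re.search(r"send AV cmd(?:-arg)?=(\S+)", body)):
            r["cmd"].append(x.group(1))               # skip the TAC+ copies of the AV pairs
        if x := re.search(r"Method=(.+)$", body):
            r["methods"].append((x.group(1).strip(), None))
        if (x := re.search(r"status = (\w+)", body)) and r["methods"]:
            r["methods"][-1] = (r["methods"][-1][0], x.group(1))
    return {rid: dict(r, cmd=" ".join(r["cmd"])) for rid, r in reqs.items()}

def passed_by_if_authenticated_after_error(reqs):
    """Request ids where the server method returned ERROR and IF_AUTHEN then passed."""
    return sorted(rid for rid, r in reqs.items()
                  if ("IF_AUTHEN", "PASS_ADD") in r["methods"]
                  and any(s == "ERROR" for _, s in r["methods"]))
```

Run over the full log above, both requests are reported: the TACACS method errors because no server answers, and if-authenticated passes the command.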
