
TACACS Question

Kenneth196 Member Posts: 37
Hello all,

I was given an assignment to set up SSH on all of our routers & switches. They all currently have the TACACS config below:

ip tacacs source-interface Loopback0
tacacs-server host 10.1.5.4
tacacs-server host 10.2.98.254
aaa new-model
aaa authentication login default group tacacs+ line
aaa authentication enable default group tacacs+ enable
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting system default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+

The problem is... tacacs works all fine and dandy, but I'm having issues when trying to SSH with the local account I've created (username Bob privilege 15 secret Bob, just for practice).


When I change the first aaa authentication line to "aaa authentication login default local group tacacs+", I can log in with either my tacacs login or the local login (Bob/Bob), however, when I try to go into enable mode with Bob, I'm unable to. "Command authorization failed."


What do I need to change in my aaa configuration to allow the local account to go into enable (and then global config) mode? I'm thinking it's something to do with my aaa authentication enable line but just not sure.


Thanks for any help you can provide!
"Give a person a fish and you feed them for a day; teach that person to use the Internet and they won't bother you for weeks." - Unknown

Comments

  • cpartin Member Posts: 84
    So you're authenticating fine but you're not getting authorization. Try:

    aaa authorization exec default group tacacs+ local if-authenticated
  • Kenneth196 Member Posts: 37
    When I enter that aaa command, I am still able to login (and enable/global config) with my tacacs, but when I attempt to login with the local account, it states "Authorization Failed".

    This is the current aaa config as of now:

    aaa new-model
    !
    !
    aaa authentication login default local group tacacs+
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec default group tacacs+ local if-authenticated
    aaa authorization commands 0 default group tacacs+ none
    aaa authorization commands 1 default group tacacs+ none
    aaa authorization commands 15 default group tacacs+ none
    aaa accounting exec default stop-only group tacacs+
    aaa accounting commands 15 default stop-only group tacacs+
    aaa accounting network default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+

    Edit: Never mind, I'm good to go now. Still learning about Tacacs but I know I won't be able to authorize with the local account unless tacacs is down.
    "Give a person a fish and you feed them for a day; teach that person to use the Internet and they won't bother you for weeks." - Unknown
  • RouteMyPacket Member Posts: 1,104
    Correct! Local is used as a fallback.
    Modularity and Design Simplicity:

    Think of the 2:00 a.m. test—if you were awakened in the middle of the night because of a network problem and had to figure out the traffic flows in your network while you were half asleep, could you do it?
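The behaviour the thread converges on (local works for login because it is listed first, but exec and command authorization for Bob are rejected while the TACACS+ servers are reachable, and only fall through to `local`/`none` when they are down) follows from how IOS walks a method list: the next method is consulted only when the previous one returns an error, not when it returns an explicit reject. The Python model below is an added example, not code from the thread or from Cisco; the TACACS+ user `alice`, her permitted commands, and the simplified rule that a local privilege-15 user is authorized for anything are constructed assumptions, while the "unknown local user means try the next method" rule is Cisco's documented behaviour.

```python
"""Model of Cisco IOS AAA method-list evaluation (added example, not thread code).

Rules modelled, following Cisco's documented method-list semantics:
  * methods are tried left to right;
  * PASS or FAIL from a method ends the evaluation;
  * the next method is consulted only when the current one returns ERROR
    (all TACACS+ servers unreachable, or the user absent from the local
    database), never when a reachable server explicitly rejects.
The users, commands and server database below are constructed for the example.
"""
from dataclasses import dataclass, field

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


@dataclass
class TacacsServer:
    """TACACS+ server; `users` maps a username to the commands it may run."""
    users: dict = field(default_factory=dict)   # constructed user database
    reachable: bool = True

    def authenticate(self, user):
        if not self.reachable:
            return ERROR                        # no reply: let the list fall through
        return PASS if user in self.users else FAIL

    def authorize(self, user, command):
        if not self.reachable:
            return ERROR
        return PASS if command in self.users.get(user, set()) else FAIL


@dataclass
class Router:
    servers: list        # members of 'group tacacs+', tried in order
    local_users: dict    # 'username X privilege N': username -> privilege level

    def _group_tacacs(self, call):
        """group tacacs+: the first reachable server decides; all down -> ERROR."""
        for srv in self.servers:
            result = call(srv)
            if result != ERROR:
                return result
        return ERROR

    def run_list(self, methods, user, command=None):
        """Evaluate one AAA method list; command=None means login authentication.

        Returns (result, method_that_decided); (FAIL, None) if every method errored.
        """
        for method in methods:
            if method == "group tacacs+":
                if command is None:
                    result = self._group_tacacs(lambda s: s.authenticate(user))
                else:
                    result = self._group_tacacs(lambda s: s.authorize(user, command))
            elif method == "local":
                if user not in self.local_users:
                    result = ERROR              # unknown locally: try the next method
                elif command is None:
                    result = PASS               # (password check omitted in the model)
                else:
                    # simplification: a local privilege-15 user is authorized for anything
                    result = PASS if self.local_users[user] == 15 else FAIL
            elif method in ("none", "if-authenticated"):
                result = PASS                   # no real authorization is performed
            else:
                raise ValueError(f"unsupported method {method!r}")
            if result != ERROR:
                return result, method           # PASS or FAIL stops the list here
        return FAIL, None


def thread_scenarios():
    """Replay the thread's situations; returns a dict of (result, deciding method)."""
    tacacs = TacacsServer(users={"alice": {"enable", "configure terminal"}})  # constructed
    rtr = Router(servers=[tacacs], local_users={"Bob": 15})   # username Bob privilege 15

    login = ["local", "group tacacs+"]                # aaa authentication login default local group tacacs+
    commands = ["group tacacs+", "none"]              # aaa authorization commands N default group tacacs+ none
    exec_ = ["group tacacs+", "local", "if-authenticated"]  # the line suggested in the thread

    out = {
        "login_bob": rtr.run_list(login, "Bob"),                           # local answers PASS
        "login_alice": rtr.run_list(login, "alice"),                       # local ERROR, TACACS+ PASS
        "enable_bob_servers_up": rtr.run_list(commands, "Bob", "enable"),  # TACACS+ rejects: FAIL
        "exec_bob_servers_up": rtr.run_list(exec_, "Bob", "exec"),         # same: FAIL
    }
    tacacs.reachable = False                          # now every TACACS+ call returns ERROR
    out["exec_bob_servers_down"] = rtr.run_list(exec_, "Bob", "exec")         # falls to local
    out["enable_bob_servers_down"] = rtr.run_list(commands, "Bob", "enable")  # falls to none
    return out


if __name__ == "__main__":
    for name, (result, method) in thread_scenarios().items():
        print(f"{name:24s} {result:5s} decided by {method}")
```

Running the script prints one line per scenario. The two "servers up" authorization cases fail at `group tacacs+` because the server answers with a reject, which is the "Authorization Failed" / "Command authorization failed" the original poster saw; the same requests pass once the server stops answering, which is what "local is used as a fallback" means in practice. Swapping the order of `local` and `group tacacs+` in the authorization lists would change which method answers first, with the corresponding change in who can be locked out, so the order is a deliberate design decision rather than a typo.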