dcawood
asked on
TACACS AAA allow only tacacs authentication when there is connectivity to tacacs
Is there a command that will force users to use tacacs when there is connectivity to tacacs? We still want to use the local user/pass when there is no connectivity but do not want users to login in with that local account when tacacs is available.
ASKER
I should have posted this before. We do have that syntax; however, people can still login using a local login. We want to stop that from happening unless the device loses connectivity to the ACS server.
aaa authentication login default group tacacs+ local
aaa authentication login no_tacacs local
aaa authentication ppp default group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization network default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
!
aaa session-id common
Hi dcawood,
I just ran a quick check through the Cisco curriculum for AAA Authentication; this is the configuration they have listed in their lab example:
--------------------
R1# show run
hostname R1
!
aaa new-model
!
aaa authentication login default group tacacs+ none
aaa authentication login telnet_lines group tacacs+
!
interface FastEthernet0/0
ip address 192.168.10.1 255.255.255.0
no shutdown
!
tacacs-server host 192.168.10.50 key ciscosecret
!
line vty 0 4
login authentication telnet_lines
end
Copyright © 2007, Cisco Systems, Inc
--------------------
Have you specified the Tacacs server?
tacacs-server host 192.168.10.50 key ciscosecret
ASKER
Yes, I just didn't add the server. I can login via tacacs and local. By adding none to the end, will I (or likely someone far away) be able to login with a local account?
If you add none instead of local it will require the Tacacs authentication and will not allow logging in with local credentials.
Oh, sorry, no the opposite is true, it lets anyone in without authenticating.
"Because the none keyword enables any user logging in to successfully authenticate, it should be used only as a backup method of authentication."
ASKER
Yep, that's what I read on Cisco. I'm looking to keep folks off the local till it's necessary. This way they are forced to use their tacacs credentials.
We have:
aaa group server tacacs+ TACSRV
server 172.16.111.14
!
aaa authentication password-prompt LCLPassword:
aaa authentication username-prompt LCLUsername:
aaa authentication login TACSRV group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec TACSRV group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting commands 15 default start-stop group TACSRV
line con 0
login authentication TACSRV
line vty 0 4
login authentication TACSRV
line vty 5 15
login authentication TACSRV
If the switch has connectivity to the tacacs+ server you get the normal Username and Password prompts and you can NOT use a local id.
If the switch has NO connectivity to the tacacs+ server you get the LCLPassword and LCLUsername prompts and you need to use a local id.
What authentication do you have setup for you console and vty lines?
ASKER
qiltjr,
I thought that aaa new-model takes out entries from con and vty? Here is what we have.
line con 0
line aux 0
no exec
line vty 0 4
exec-timeout 15 0
privilege level 15
transport input ssh
No, as per the Cisco example, you have to apply the authentication to the vty lines.
No, you need to add the login authentication to your lines. You can use login authentication default.
ASKER
Found the problem. I just started working here a week ago so I'm new to the network. It didn't make sense to me that it was using the local password... because it shouldn't. I checked ACS and there was an admin account with the same user/pass. DOH! Thanks everyone!
ASKER CERTIFIED SOLUTION
aaa authentication login {default | list_name} group {group_name | tacacs+ | radius} [method2] [method3 [method4]]]
So what you are looking for would be:
aaa authentication login default group tacacs+ local
Reference:
http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfathen.html#wp1001032
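The point the whole thread turns on (quiltjr's "with connectivity you can NOT use a local id", and the method-list syntax in the certified solution) is how IOS walks a login method list: it moves to the next method only when the current one returns an error (server group unreachable), while a pass or a fail from a reachable TACACS+ server ends the evaluation. The Python below is an added example, not code from the thread or from Cisco; it simulates that rule for the three lists discussed (`group tacacs+ local`, `group tacacs+ none`, and `group tacacs+` alone). The usernames, passwords and reachability flags are constructed sample data, and the "all methods errored means deny" behaviour for the vty case is modelled as stated in the IOS documentation.

```python
"""Simulation of Cisco IOS AAA login method-list fallback (added example).

Rule modelled: methods are tried in order; an ERROR (method unavailable)
moves evaluation to the next method, a PASS or FAIL stops it. Hence
'group tacacs+ local' consults the local user database only while the
TACACS+ server group is unreachable, and 'none' accepts anyone once it is
reached. All user data below is constructed for the demonstration.
"""
from dataclasses import dataclass
from enum import Enum


class Result(Enum):
    PASS = "PASS"    # credentials accepted
    FAIL = "FAIL"    # credentials rejected; evaluation stops here
    ERROR = "ERROR"  # method unavailable; try the next method in the list


@dataclass
class TacacsGroup:
    reachable: bool
    users: dict  # username -> password held on the (simulated) ACS

    def authenticate(self, user, password):
        if not self.reachable:
            return Result.ERROR  # server unreachable -> fall through
        return Result.PASS if self.users.get(user) == password else Result.FAIL


@dataclass
class LocalDb:
    users: dict  # username -> password from 'username ... secret ...' lines

    def authenticate(self, user, password):
        return Result.PASS if self.users.get(user) == password else Result.FAIL


class NoneMethod:
    def authenticate(self, user, password):
        return Result.PASS  # the 'none' keyword authenticates everyone


def evaluate(method_list, user, password):
    """Walk a method list the way IOS does; returns (outcome, method that decided)."""
    for name, method in method_list:
        outcome = method.authenticate(user, password)
        if outcome is Result.ERROR:
            continue  # only an ERROR advances to the next method
        return outcome, name
    return Result.FAIL, None  # every method errored: login is denied


# Constructed sample data. 'admin' exists with the same password in both
# databases, which is the situation the asker eventually found on ACS.
TACACS_USERS = {"alice": "acs-pass", "admin": "shared-pass"}
LOCAL_USERS = {"admin": "shared-pass", "breakglass": "local-only"}


def build_lists(tacacs_reachable):
    tac = TacacsGroup(tacacs_reachable, TACACS_USERS)
    loc = LocalDb(LOCAL_USERS)
    return {
        "tacacs+ local": [("tacacs+", tac), ("local", loc)],
        "tacacs+ none": [("tacacs+", tac), ("none", NoneMethod())],
        "tacacs+": [("tacacs+", tac)],
    }


def login(list_name, user, password, tacacs_reachable):
    """Authenticate against the named method list for a given server state."""
    return evaluate(build_lists(tacacs_reachable)[list_name], user, password)


if __name__ == "__main__":
    cases = [
        ("tacacs+ local", "alice", "acs-pass", True),
        ("tacacs+ local", "breakglass", "local-only", True),   # local never consulted
        ("tacacs+ local", "breakglass", "local-only", False),  # server down -> local
        ("tacacs+ local", "admin", "shared-pass", True),       # looks local, is TACACS+
        ("tacacs+ none", "anyone", "whatever", False),         # 'none' lets anyone in
        ("tacacs+", "alice", "acs-pass", False),               # no fallback: locked out
    ]
    for list_name, user, pw, up in cases:
        outcome, via = login(list_name, user, pw, up)
        state = "up" if up else "DOWN"
        print(f"{list_name:14} tacacs={state:4} {user:11} -> {outcome.value:5} via {via}")
```

The second and fourth cases are the ones that explain the thread: with TACACS+ reachable, a local-only account is rejected by the server and the local database is never reached, so a login that "works with the local password" can only mean the same credentials also exist on the server.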