[c-nsp] Tacacs and console access

[George Hong]

Hi Cisco Gurus,

Quick question my Cisco foo is a bit dusty.  I'm configuring a new switch
and I'm setting it up with Tacacs.
I'm configuring it using the console and the switch is not yet connected to
the network. After applying the tacacs config it says
% Authorization failed when I type "show run" or "conf t"

My tacacs config should fall back to local authorization but that doesn't
seem to work.
Below the relevant config. Any ideas what might be going on (what am I
doing wrong)?

Remember that no network cables have been plugged in (all interfaces are
down) and I'm configuring using console. I'm expecting to be able to
configure the switch when it has no network connectivity (via out of band /
console).


This is the tacacs config I'm applying:

aaa new-model
!
aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 4 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!

aaa session-id common


tacacs-server key key 7 <removed this >
tacacs-server host x.x.x.x timeout 2

tacacs-server directed-request

line con 0
 session-timeout 60
 exec-timeout 60 0
 login authentication CONSOLE
line vty 0 4
 session-timeout 60
 access-class 22 in
 exec-timeout 60 9
 history size 256
 transport input ssh
line vty 5 15
 session-timeout 60
 access-class 22 in
 exec-timeout 60 9
 history size 256
 transport input ssh

After applying:

sw1.chi#sh run
% Authorization failed.

sw1.chi#conf t
% Authorization failed.

sw1.chi#

Full relevant config can be found here:
http://pastebin.com/p8XbYJ4W

Any ideas?

Thanks !