[c-nsp] Tacacs and console access
Peter Rathlev
peter at rathlev.dk
Thu Jun 6 15:31:15 EDT 2013
On Tue, 2013-06-04 at 21:01 -0700, George Hong wrote:
> My tacacs config should fall back to local authorization but that doesn't
> seem to work.
Apart from "if-authenticated" as Nick mentioned, you might consider using
different AAA methods for the different lines. We have a method with
local authentication and no authorization for console access. Something
like this:
! Console: local user database only (case-sensitive), no exec authorization
aaa authentication login AAA-CONSOLE local-case
aaa authorization exec AAA-CONSOLE none
!
! VTY: ask TACACS+ first, fall back to local users if no server answers;
! "if-authenticated" lets an already authenticated user through when
! authorization itself cannot be obtained from the server
aaa authentication login AAA-VTY group tacacs+ local
aaa authorization exec AAA-VTY group tacacs+ if-authenticated
aaa authorization commands 0 AAA-VTY group tacacs+ if-authenticated
aaa authorization commands 15 AAA-VTY group tacacs+ if-authenticated
aaa authorization config-commands
!
line con 0
 login authentication AAA-CONSOLE
!
line vty 0 15
 authorization commands 0 AAA-VTY
 authorization commands 15 AAA-VTY
 authorization exec AAA-VTY
 login authentication AAA-VTY
!
I'm not sure why "local" doesn't work in your case though. Intuitively
it does seem to be the right thing for what you probably want.
We chose no authorization since console probably equals local access,
which makes it rather easy to make the TACACS+ server unreachable
anyway.
--
Peter
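The question in this thread is whether a method list really falls back to local access when the TACACS+ server is gone. The following is an added example (not from the post or from Cisco) that answers that mechanically: it parses the "aaa authentication login" and "aaa authorization exec" method lists and the per-line bindings out of an IOS configuration and reports, for each line, whether the chain still admits someone when every server group is unreachable. Both sample configurations are constructed for the example: the first reproduces the method lists and line bindings from the post (plus "aaa new-model", which is assumed), the second is a TACACS+-only configuration of the kind the original poster describes. Note that the audit reports the console's exec authorization as "undefined" for the posted config, because the post binds only "login authentication AAA-CONSOLE" to "line con 0" and defines no default exec authorization list; whether that matters is for the operator to decide, so the script only flags it.

```python
"""Lockout check for Cisco IOS AAA method lists (added example, not from the post).

For every 'line ...' block, resolve the login-authentication and exec-
authorization method list that applies and classify it:
  ok           - reachable without an AAA server (local, local-case, enable,
                 line, or if-authenticated somewhere in the chain)
  open         - reachable, but only because 'none' is in the chain
  lockout-risk - every method needs a server group to answer
  undefined    - the referenced list does not exist; IOS built-in behaviour
                 applies, review by hand
"""
import re

# Methods that do not depend on a TACACS+/RADIUS server being reachable.
LOCAL_FALLBACKS = {"local", "local-case", "enable", "line", "if-authenticated"}

# Constructed sample: method lists and bindings from the post; 'aaa new-model'
# is assumed because IOS requires it before named lists can be configured.
POSTED_CONFIG = """\
aaa new-model
aaa authentication login AAA-CONSOLE local-case
aaa authorization exec AAA-CONSOLE none
!
aaa authentication login AAA-VTY group tacacs+ local
aaa authorization exec AAA-VTY group tacacs+ if-authenticated
aaa authorization commands 0 AAA-VTY group tacacs+ if-authenticated
aaa authorization commands 15 AAA-VTY group tacacs+ if-authenticated
aaa authorization config-commands
!
line con 0
 login authentication AAA-CONSOLE
!
line vty 0 15
 authorization commands 0 AAA-VTY
 authorization commands 15 AAA-VTY
 authorization exec AAA-VTY
 login authentication AAA-VTY
"""

# Constructed counter-example: TACACS+ only, no local fallback, console on
# the default list. Every line locks out when the server is unreachable.
WEAK_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+
aaa authorization exec default group tacacs+
!
line con 0
!
line vty 0 4
 login authentication default
 authorization exec default
"""


def _methods(rest):
    """Turn 'group tacacs+ local' into ['group tacacs+', 'local']."""
    toks, out, i = rest.split(), [], 0
    while i < len(toks):
        if toks[i] == "group" and i + 1 < len(toks):
            out.append("group " + toks[i + 1])
            i += 2
        else:
            out.append(toks[i])
            i += 1
    return out


def parse_method_lists(config):
    """Map (kind, list-name) -> ordered methods for login auth and exec authz."""
    pat = re.compile(r"aaa (authentication login|authorization exec) (\S+) (.+)$")
    lists = {}
    for raw in config.splitlines():
        m = pat.match(raw.strip())
        if m:
            kind, name, rest = m.groups()
            lists[(kind, name)] = _methods(rest)
    return lists


def parse_line_bindings(config):
    """Map 'con 0' / 'vty 0 15' -> {kind: list-name} for explicit bindings."""
    bindings, current = {}, None
    for raw in config.splitlines():
        s = raw.strip()
        if s.startswith("line "):
            current = s[5:]
            bindings[current] = {}
        elif s == "!" or not s:
            current = None          # a block ends at '!' or a blank line
        elif current is not None:
            m = re.match(r"login authentication (\S+)", s)
            if m:
                bindings[current]["authentication login"] = m.group(1)
            m = re.match(r"authorization exec (\S+)", s)
            if m:
                bindings[current]["authorization exec"] = m.group(1)
    return bindings


def classify(methods):
    """Verdict for one ordered method chain (see module docstring)."""
    if any(m in LOCAL_FALLBACKS for m in methods):
        return "ok"
    if "none" in methods:
        return "open"
    return "lockout-risk"


def audit(config):
    """Return [(line, kind, list-name, verdict)] for every line and both kinds."""
    lists = parse_method_lists(config)
    report = []
    for line, binds in parse_line_bindings(config).items():
        for kind in ("authentication login", "authorization exec"):
            name = binds.get(kind, "default")   # unbound lines use 'default'
            methods = lists.get((kind, name))
            verdict = classify(methods) if methods is not None else "undefined"
            report.append((line, kind, name, verdict))
    return report


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("weak", WEAK_CONFIG)):
        print(f"== {label} ==")
        for line, kind, name, verdict in audit(cfg):
            print(f"line {line:<9} {kind:<21} {name:<12} {verdict}")
```

Run it against a saved "show running-config" and anything reported as "lockout-risk" is a line you cannot reach once the TACACS+ servers are down; "undefined" means the line relies on whatever IOS does without a list of that name, which is worth checking on the box rather than guessing.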