[c-nsp] Tacacs and console access

Peter Rathlev peter at rathlev.dk
Thu Jun 6 15:31:15 EDT 2013


On Tue, 2013-06-04 at 21:01 -0700, George Hong wrote:
> My tacacs config should fall back to local authorization but that doesn't
> seem to work.

Apart from "if-authenticated", as Nick mentioned, you might consider using
different AAA methods for the different lines. We have a method with
local authentication and no authorization for console access. Something
like this:

aaa authentication login AAA-CONSOLE local-case
aaa authorization  exec  AAA-CONSOLE none
!
aaa authentication login      AAA-VTY group tacacs+ local
aaa authorization exec        AAA-VTY group tacacs+ if-authenticated
aaa authorization commands  0 AAA-VTY group tacacs+ if-authenticated
aaa authorization commands 15 AAA-VTY group tacacs+ if-authenticated
aaa authorization config-commands
!
line con 0
 login authentication AAA-CONSOLE
!
line vty 0 15
 authorization commands 0 AAA-VTY
 authorization commands 15 AAA-VTY
 authorization exec AAA-VTY
 login authentication AAA-VTY
!

I'm not sure why "local" doesn't work in your case though. Intuitively
it does seem to be the right thing for what you probably want.

We chose no authorization since console probably equals local access,
which makes it rather easy to make the TACACS+ server unreachable
anyway.

-- 
Peter
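An added audit script (not from the thread or from Cisco) that checks the property this exchange is about: every console and VTY line must reference a defined login method list that ends in a local fallback, so an unreachable TACACS+ server cannot lock operators out. The sample config is constructed, modelled on the one above; the function names are my own.

```python
import re

# Constructed sample, modelled on the configuration posted in the thread.
SAMPLE_CONFIG = """\
aaa authentication login AAA-CONSOLE local-case
aaa authentication login      AAA-VTY group tacacs+ local
!
line con 0
 login authentication AAA-CONSOLE
!
line vty 0 15
 authorization exec AAA-VTY
 login authentication AAA-VTY
"""
LOCAL_METHODS = {"local", "local-case"}

def parse_login_lists(config):
    """Map method-list name -> methods for each 'aaa authentication login'."""
    lists = {}
    for m in re.finditer(r"^aaa authentication login\s+(\S+)\s+(.+)$", config, re.M):
        lists[m.group(1)] = m.group(2).split()
    return lists

def parse_line_blocks(config):
    """Map each 'line ...' header to the login list it names ('default' if none)."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = "default"  # IOS uses the default list when none is named
        elif current is not None and raw.startswith(" "):
            m = re.match(r"\s+login authentication\s+(\S+)", raw)
            if m:
                blocks[current] = m.group(1)
        else:
            current = None  # '!' or a top-level command ends the line block
    return blocks

def audit_aaa(config):
    """Return findings; an empty list means every line keeps a local fallback."""
    lists = parse_login_lists(config)
    findings = []
    for line_hdr, name in parse_line_blocks(config).items():
        methods = lists.get(name)
        if methods is None:
            findings.append(f"{line_hdr}: login list {name!r} is not defined")
        elif not LOCAL_METHODS & set(methods):
            findings.append(f"{line_hdr}: list {name!r} has no local fallback")
    return findings
```

Run it against a saved `show running-config` to spot lines whose method list is TACACS+-only.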



