Identifying TACACS+ failure

I got an interesting question from Colin a while ago:

I would like to generate a different prompt during the login to the router if the TACACS+ server has failed, indicating to the network operators that they have to log in with the special (local) username, not with the TACACS+ authenticated username/password.

Fortunately he was running TACACS+, which supplies its own prompts during the authentication phase (the solution would not work with RADIUS). If you change the local authentication prompts, the operator sees the prompts sent by the TACACS+ server whenever the server is reachable from the router (the AAA authentication is performed by the TACACS+ server) and the local prompts when the TACACS+ server has failed (the AAA authentication falls back to any other mechanism in the method list). Here's a sample configuration:

aaa new-model
aaa authentication login REMOTE group tacacs+ local
!
aaa authentication fail-message #
Local authentication failed.
#
aaa authentication password-prompt "Enter local password:"
aaa authentication username-prompt "Enter local username:"
!
username a secret b
!
line vty 0 4
login authentication REMOTE
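As an added example (not from the post), a small Python script that audits a saved IOS running-config for the fallback pattern above: a login method list that tries TACACS+ before local, a local user with a secret, the customised local prompts, and VTY lines bound to that list. The sample config, the function name and the check names are all constructed here.

```python
import re

# Constructed sample running-config excerpt (not taken from the post);
# it mirrors the REMOTE method list and the custom local prompts.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login REMOTE group tacacs+ local
aaa authentication fail-message #
Local authentication failed.
#
aaa authentication password-prompt "Enter local password:"
aaa authentication username-prompt "Enter local username:"
username a secret b
line vty 0 4
 login authentication REMOTE
"""


def audit_tacacs_fallback(config: str) -> dict:
    """Return named checks (-> bool) for the TACACS+-then-local pattern:
    AAA enabled, VTY method list tries tacacs+ before local, a local user
    with a secret exists, and the local prompts are customised."""
    lines = config.splitlines()
    # method-list name -> ordered list of methods
    lists = {}
    for m in re.finditer(r"^aaa authentication login (\S+) (.+)$", config, re.M):
        lists[m.group(1)] = m.group(2).split()
    good_lists = {name for name, methods in lists.items()
                  if "tacacs+" in methods and "local" in methods
                  and methods.index("tacacs+") < methods.index("local")}
    # method list bound to the VTY lines ("default" if none is specified)
    vty_list, in_vty = "default", False
    for line in lines:
        if line.startswith("line vty"):
            in_vty = True
        elif line.startswith("line "):
            in_vty = False
        elif in_vty:
            m = re.match(r"\s*login authentication (\S+)", line)
            if m:
                vty_list = m.group(1)
    return {
        "aaa_enabled": "aaa new-model" in lines,  # exact match, not "no aaa new-model"
        "tacacs_then_local": vty_list in good_lists,
        "local_user_with_secret": re.search(r"^username \S+ .*secret ", config, re.M) is not None,
        "local_prompts_customised": "aaa authentication username-prompt" in config
                                   and "aaa authentication password-prompt" in config,
    }
```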

11 comments:

  1. What is the advantage of using this? This can be done with the local username and password also, which is also bound with the AAA.

  2. This solution works great when using telnet. Is there any chance to get this working with ssh?

  3. @shivlu: if you deploy AAA servers, you might still want to have local usernames/passwords in case the connectivity to the AAA servers is broken and you'd like to get into the router.

    If you decide you want to have local usernames, it helps if the operator knows whether he's expected to type the local username or the server-checked username.

    @moik: no-go. SSH does not pass authentication prompts between the server and the client (all prompting is done locally in the client).

  4. Hi, Ivan!

    I've found an interesting issue with SSH connection to the router. I have a simple configuration, like this:

    no aaa new-model
    username admin privilege 15 password 12345

    ip ssh version 2

    line vty 0 15
    login local
    transport input ssh telnet
    -------------

    If I connect to the router via telnet, I get privilege level 15. But if I connect via SSH, I have to enter the enable password. Why, when I use SSH, do I have to enter the enable password? I checked it on IOS SRB2.

  5. @shef: according to Cisco documentation, SSH only works with AAA ... but you've obviously found a workaround: if AAA is not enabled, it uses enable password.

  6. Hi Shef:

    If you really want to do this using SSH but without a TACACS server, you can enable AAA to use the local database to allow a privilege level 15 user to drop straight into the enable mode after successful authentication. However, I would not recommend using telnet at all if SSH is available on the device. With that said, the config below works for both telnet and SSH.


    !
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authorization exec default local
    !
    username test privilege 15 secret your-password
    !
    ip ssh version 2
    !
    line vty 0 15
    transport input ssh telnet
    !

  7. Is it possible to achieve this in reverse? Instead of re-configuring thousands of my devices, can I get Cisco ACS to change the prompt on the router when the TACACS is available? If not the prompts, then insert a banner?

  8. @Steve: in principle, it's possible (the technology definitely allows it), but I wouldn't know how to change prompts on Cisco ACS.

  9. Hi,
    I think I am asking a very simple question, but how do we enable the CLI interface on Cisco ACS software? I would be thankful if you would reply.

  10. I've asked uncle Google the same question (Cisco ACS CLI) and got this answer.

  11. Chad Compton, 26 May 2010, 14:38

    I am trying to get ACS 4.2 for Windows to automatically put users in lev 15 priv (enable mode) after they log in. I have done everything Cisco says and yet, no matter what, users log in with their AD credentials, ACS authenticates and puts users in "user mode", and then the user still has to manually enter the enable secret. I want to eliminate manually typing the enable password in. I also don't want ALL users to be lev 15 priv, so the setup will need to be done in ACS and not in the router/switch config.



Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.