04-25-2018 07:57 AM - edited 02-21-2020 10:54 AM
Hi,
I need to make sure that my understanding is correct.
I have below configuration on Cisco IOS:
aaa authentication login default none
aaa authentication login secure_ group tacacs+ group radius local
aaa authorization exec default none
aaa authorization exec secure_ group tacacs+ group radius local
The authentication and authorization order is 1) TACACS+; 2) RADIUS; 3) Local. Is that correct?
Then, if the TACACS+ server is down, it will fall back to RADIUS, won't it?
And when RADIUS is also down, it will use the local username, correct?
Also, I don't use the 'if-authenticated' keyword on the authorization lines above because 'local' is the last fallback option. Is that okay?
Thank you
04-25-2018 08:40 AM
I'm not sure why you have these 2 commands if you want to be authenticated against TACACS+, then RADIUS, and then local when the prior method is not available. The commands listed below will not authenticate the user, because of the default list.
aaa authentication login default none
aaa authorization exec default none
Regarding "if-authenticated", read this
04-25-2018 08:34 PM
Hi,
I'm sorry. Let me put the complete configuration
aaa authentication login default none
aaa authentication login secure_ group tacacs+ group radius local
aaa authorization exec default none
aaa authorization exec secure_ group tacacs+ group radius local
aaa accounting exec default start-stop group tacacs+ group radius
aaa accounting exec secure_ start-stop group tacacs+ group radius
line con 0
line vty 0 15
 login authentication secure_
 authorization exec secure_
 accounting exec secure_
I have another question regarding the configuration above: if I add "aaa authorization console", does it enable authorization on the console automatically?
Thank you
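Added example (editor's note; this is not a post from the thread and not the original poster's configuration): the weak part of the configuration above beside a corrected version. Two points the thread turns on are made explicit in the comments. First, IOS moves to the next method in a list only when the current method returns ERROR (no server in the group answers); a FAIL (a reachable server rejects the credentials) ends the attempt, so a bad password at TACACS+ is never retried against RADIUS or the local database. Second, "aaa authentication login default none" is what every line without an explicit "login authentication" falls back to, and in the posted config that is the console. Server addresses, keys, the local username and the list name secure_ as used here are placeholders, not values from the thread.

```cisco
! ---------------------------------------------------------------
! WEAK (as posted): the default lists are "none", and "line con 0"
! carries no explicit lists, so the console gets no authentication
! and no exec authorization at all. Only the vty lines are protected.
! ---------------------------------------------------------------
aaa authentication login default none
aaa authorization exec default none
line con 0
line vty 0 15
 login authentication secure_
 authorization exec secure_

! ---------------------------------------------------------------
! CORRECTED (constructed example, placeholder values)
! ---------------------------------------------------------------
aaa new-model
!
tacacs server TAC1
 address ipv4 192.0.2.10
 key <tacacs-shared-secret>
!
radius server RAD1
 address ipv4 192.0.2.20 auth-port 1812 acct-port 1813
 key <radius-shared-secret>
!
! Local fallback account. It is consulted only when both server groups
! return ERROR (unreachable/timeout), not when a server rejects the login.
username admin privilege 15 secret <strong-password>
!
! Point the default lists at the same chain as secure_ instead of "none",
! so a line that omits "login authentication" is not left open.
aaa authentication login default group tacacs+ group radius local
aaa authentication login secure_ group tacacs+ group radius local
aaa authorization exec default group tacacs+ group radius local
aaa authorization exec secure_ group tacacs+ group radius local
aaa accounting exec default start-stop group tacacs+ group radius
aaa accounting exec secure_ start-stop group tacacs+ group radius
!
! Without this command the console line performs no exec authorization,
! even if "authorization exec secure_" is configured under line con 0.
aaa authorization console
!
line con 0
 login authentication secure_
 authorization exec secure_
 accounting exec secure_
line vty 0 15
 login authentication secure_
 authorization exec secure_
 accounting exec secure_
 transport input ssh
```

To verify the fallback behaviour rather than assume it, check "show aaa servers" for the state of each TACACS+ and RADIUS server, then log in on a test vty with the TACACS+ server deliberately unreachable and confirm the accounting record lands on the RADIUS server; keep a console session open while making these changes so a mistake in the default lists cannot lock you out.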