ACS Fallback

Hi all,
I'm trying to configure ACS fallback, but it didn't work for me at all.
Please find the configuration on the switch:

R1#
R1#sh
*Apr 26 14:57:48.631: %SYS-5-CONFIG_I: Configured from console by console
R1#sh run
Building configuration...

Current configuration : 2246 bytes
!
! Last configuration change at 14:57:48 UTC Tue Apr 26 2016
!
upgrade fpd auto
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login Admin group tacacs+ local
aaa authorization config-commands
aaa authorization exec Admin group tacacs+ local
aaa authorization commands 1 Admin group tacacs+
aaa authorization commands 15 Admin group tacacs+ local
!
!
!
!
!
aaa session-id common
!
!
!
ip source-route
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
username cisco privilege 15 password 0 cisco
username cisco1 privilege 10 password 0 cisco1
!
redundancy
!
!
ip tcp synwait-time 5
ip ssh version 1
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 150.1.7.6 255.255.255.0
 duplex half
!
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex half
!
!
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 150.1.7.30 255.255.255.255 Null0
!
no cdp log mismatch duplex
!
!
!
!
!
tacacs-server host 150.1.7.30 key ccie
tacacs-server directed-request
!
control-plane
!
!
!
mgcp fax t38 ecm
mgcp behavior g729-variants static-pt
!
!
!
gatekeeper
 shutdown
!
privilege configure level 10 interface
privilege configure level 10 no interface
privilege configure level 10 no
privilege exec level 10 configure terminal
privilege exec level 10 configure
privilege exec level 10 show ip interface brief
privilege exec level 10 show ip interface
privilege exec level 10 show ip
privilege exec level 10 show version
privilege exec level 10 show running-config
privilege exec level 10 show privilege
privilege exec level 1 show
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 authorization commands 1 Admin
 authorization commands 15 Admin
 authorization exec Admin
 login authentication Admin
line vty 5 15
 authorization commands 1 Admin
 authorization commands 15 Admin
 authorization exec Admin
 login authentication Admin
!
end

Comments

  • What exactly does not work? Couple of errors in config, but still, need more input.

    Sent from my iPhone

    INE - The Industry Leader in CCIE Preparation

    http://www.INE.com



    Subscription information may be found at:

    http://www.ieoc.com/forums/ForumSubscriptions.aspx
  • Hi Cristian,
    I have updated the configuration. The switch authenticated with ACS, but in ACS fallback the
    local commands don't work.

    username cisco privilege 15 password 0 cisco
    aaa new-model
    aaa authentication login Admin group tacacs+ local
    aaa authorization config-commands
    aaa authorization exec Admin group tacacs+ local
    aaa authorization commands 1 Admin group tacacs+
    aaa authorization commands 15 Admin group tacacs+ local
    tacacs-server host 150.1.7.30 key ccie
    tacacs-server directed-request
    !
    privilege configure level 15 interface
    privilege configure level 15 no shutdown
    privilege configure level 15 shutdown
    privilege exec level 15 show version
    privilege exec level 15 show privilege
    privilege exec level 15 show ip interface brief
    privilege exec level 15 configure terminal
    privilege exec level 15 show running-config

    line vty 0 4
     authorization commands 1 Admin
     authorization commands 15 Admin
     authorization exec Admin
     login authentication Admin
    line vty 5 15
     authorization commands 1 Admin
     authorization commands 15 Admin
     authorization exec Admin
     login authentication Admin
    !
    end



  • So authentication fallback works, but command authorization fallback does not work? For which commands? For privilege-level 15 commands it should work, but for other commands it does not, because for privilege-level 1 commands your configuration does not include the 'local' keyword:

    aaa authorization commands 1 Admin group tacacs+

     

    Regards,

    Cristian.
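As an added example (not from the thread, Cisco, or INE), a small Python check that parses the AAA method lists in a saved IOS configuration and reports every list whose only methods are server groups, which is exactly the defect Cristian points to: such a list has nothing to fall back to when the TACACS+ server is unreachable. The sample lines are constructed from the updated configuration posted above.

```python
import re

# Constructed sample: the AAA lines from the updated configuration above.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login Admin group tacacs+ local
aaa authorization config-commands
aaa authorization exec Admin group tacacs+ local
aaa authorization commands 1 Admin group tacacs+
aaa authorization commands 15 Admin group tacacs+ local
tacacs-server host 150.1.7.30 key ccie
"""

# 'aaa authentication login <list> ...' / 'aaa authorization {exec|commands N} <list> ...'
METHOD_LIST_RE = re.compile(
    r"^aaa (?P<kind>authentication login|authorization exec|authorization commands \d+)"
    r"\s+(?P<name>\S+)\s+(?P<methods>.+)$"
)
# Methods that still answer when every AAA server is unreachable ('none' grants all).
FALLBACK_METHODS = {"local", "local-case", "none", "enable", "line", "if-authenticated"}

def parse_method_lists(config):
    """Map (kind, list name) -> ordered methods, e.g. ['group tacacs+', 'local']."""
    lists = {}
    for raw in config.splitlines():
        m = METHOD_LIST_RE.match(raw.strip())
        if not m:
            continue
        tokens = m.group("methods").split()
        methods, i = [], 0
        while i < len(tokens):
            # 'group <name>' is one method written as two tokens; fold it.
            if tokens[i] == "group" and i + 1 < len(tokens):
                methods.append("group " + tokens[i + 1])
                i += 2
            else:
                methods.append(tokens[i])
                i += 1
        lists[(m.group("kind"), m.group("name"))] = methods
    return lists

def lists_without_fallback(config):
    """Lists made only of server groups: they fail closed once ACS is unreachable."""
    return sorted(key for key, methods in parse_method_lists(config).items()
                  if not any(meth in FALLBACK_METHODS for meth in methods))

if __name__ == "__main__":
    for kind, name in lists_without_fallback(SAMPLE_CONFIG):
        print(f"no fallback method: aaa {kind} {name}")
```

Run against a full `show running-config` dump by passing the file contents to `lists_without_fallback`; on the thread's configuration it reports only the `commands 1` list.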
