Uplogix has been acquired by Lantronix! Learn more here.

Heads up!

The documentation library has moved to: level.lantronix.com/docs

This document is moving to: level.lantronix.com/docs/knowledge-base/security

Please update your bookmarks. This page will start automatically redirecting on July 1, 2023.

Post-Authentication TACACS Failure

Updated March 9, 2021. Written for LMS Version 6.2.

Proper configuration of a Cisco router will allow it to fail over to local authentication if the connection to TACACS fails. However, a situation can occur where the connection fails after the user is successfully authenticated. This may prevent the user (e.g. the Uplogix Local Manager) from performing basic commands such as logout.

To account for this situation, modify the aaa statements in the config of your Cisco router.

Example Cisco Router Config

aaa authentication login default group tacacs+ local
aaa authorization console
aaa authorization exec default local group tacacs+
aaa authorization commands 0 default local group tacacs+ if-authenticated
aaa authorization commands 1 default local group tacacs+
aaa authorization commands 15 default local group tacacs+

Adding the argument if-authenticated will allow a user to execute level 0 commands even if the connection to TACACS is lost after authentication. This will allow the Local Manager to log out of the Cisco router so that local authentication can be used.

The if-authenticated argument can be added to the other command levels if desired.

Example Cisco ACS Settings

  1. Create a user
  2. Configure PAP and CHAP passwords
  3. Under Advanced TACACS+ Settings, set Max Privilege for Clients to "Level 15" via the drop-down menu
  4. View TACACS+ Enable Password settings.
    1. If it matches the enable password on the device, the user will be taken directly to the # prompt.
    2. If it doesn't match, or if you use "Cisco Secure PAP Password," the user will be given the > prompt and will need to enter the device's enable password at the device prompt.
  5. Set TACACS+ Outbound Password to what you entered for PAP and CHAP
  6. Under TACACS+ Settings, check "Shell EXEC" and set Privilege Level to 15.
  7. Under Shell Command Authorization, assign a set of Full Access. This set may need to be created beforehand.

Creating an ACS Command Authorization Set

  1. Within ACS, click on Shared Profile Components button.
  2. Click on Shell Command Authorization Sets.
  3. Click on an existing set name to edit or click Add to create a new set.
  4. In the entry window, add commands you wish to allow. You can also choose to deny execution of all commands not included in the entry window.
Updated March 9, 2021. Written for LMS Version 6.2.
Find an error? Need more detail? Send feedback to docs@lantronix.com so we can improve our documentation.
Knowledge Base
Post-Authentication TACACS Failure
Limited SSH Cipher Support
assimilate
autorecovery
capture
certify
clear counters
clear log
clear password
clear service module
config answer
config authentication
config date
config device logging
config environment
config export
config group
config import
config info
config init
config log rule
config monitors
config outlets
config password
config ppp
config properties
config protocols forward
config protocols pass-through
config protocols shadow
config reinstall
config removejob
config restrict
config role
config rule
config ruleset
config schedule
config serial
config service-processor
config settings
config slv
config system archive
config system authentication
config system banner
config system clear alarms
config system clear archive
config system clear export
config system clear port
config system clear slot
config system crypto
config system email
config system export
config system fips
config system ip
config system ipt
config system keypad
config system management
config system ntp
config system page-length
config system properties
config system protocols dhcp
config system protocols filter
config system protocols ssh
config system protocols telnet
config system pulse
config system reverse-ssh
config system secondary
config system slot
config system snmp
config system subinterface
config system syslog-options
config system timeout
config update
config user
config vpn
connect
copy
delete
device execute
device ping
edit running-config
export
off
on
ping
power
ppp
pull file
pull os
pull running-config
pull startup-config
pull tech
push file
push os
push running-config
push startup-config
reboot
recover configuration
restart
restore
rollback assimilate
rollback authentication
rollback config
service-processor exec
show alarms
show all
show answer
show authentication
show buffer
show capture
show chassis
show circuit
show config
show date
show device change
show device changes
show device logging
show device syslog
show diff
show directory
show environment
show events
show faults
show gps
show group
show info
show install-history
show interface
show log event
show log rule
show log system
show monitors
show outlets
show pingstats
show ports
show post
show ppp
show properties
show protocols
show remotestate
show restrict
show role
show rollback-config
show rule
show ruleset
show running-config
show schedules
show serial
show service-module
show service-processor
show session
show sessions
show settings
show slv stats
show slv test
show startup-config
show status
show system archive
show system authentication
show system banner
show system email
show system export
show system fips
show system ip
show system ipt
show system keypad
show system management
show system ntp
show system page-length
show system properties
show system protocols
show system pulse
show system reverse-ssh
show system slot
show system snmp
show system subinterface
show system syslog-options
show system timeout
show tech
show version
show vpn
show who
shutdown
suspend
terminal

Not finding what you're looking for?

The LEVEL Technical Services team is standing by 24/7/365 to answer any questions you may have about the installation, configuration, and usage of our products.

© 2023 Lantronix, Inc. All Rights Reserved