Common Problems and Resolutions
This section discusses some of the common problems you may encounter when you configure AAA on Cisco IOS routers, and how to resolve them.
1 Why are users who have a privilege level less than 15 unable to view the complete running configuration, but able to see the complete startup configuration on the Cisco IOS Router?
Answer: When you configure access to the router by privilege level, a common issue is that the show running or write terminal command is configured at or below the user's privilege level, but when the user executes the command, the configuration appears to be blank. This is actually by design, as explained in the paragraphs that follow.
The write terminal/show running-config command shows a blank configuration. This command displays all the commands that the current user is permitted to modify (in other words, all the commands at or below the user's current privilege level). The command should not display commands above the user's current privilege level because of security considerations. If it did display the commands, commands like snmp-server community could be used to modify the current configuration of the router and gain complete access to the router.
The show config/show startup-config command displays a full configuration but does not truly show the actual configuration. Instead, the command simply prints out the contents of non-volatile random access memory (NVRAM), which happens to be the configuration of the router at the time a write memory command was last executed.
2 Why am I unable to authorize my console port?
Answer: Console port authorization was introduced in version 12.0(6) T and is off by default to lessen the likelihood of accidentally being locked out of the router. If a user has physical access to the router via the console, console port authorization is not very effective. Console port authorization can be turned on with the hidden global command aaa authorization console, together with the authorization exec command under line con 0. Example 9-38 shows the error message that displays when you attempt to turn on exec authorization for the console without first configuring the aaa authorization console command.
Example 9-38. Sample Output from Router When Attempting to Turn on Authorization Without Using the aaa authorization console Command Globally
User Access Verification
Username: user15
Password:
c2621#
c2621#conf t
Enter configuration commands, one per line. End with CNTL/Z.
c2621(config)#line con 0
c2621(config-line)# authorization exec default
%Authorization without the global command 'aaa authorization console' is useless
c2621(config-line)#
3 How can I send an accounting record to multiple AAA servers?
Answer: You must configure broadcast in the following command:
aaa accounting {network | exec | commands (level) | connection |
system | auth-proxy | resource} {default |
(namedlist)} {start-stop | stop-only | none | wait-start} [broadcast]
4 Can I configure RADIUS and TACACS+ protocol for authentication on the same router with the same or two different AAA servers?
Answer: Yes, but only for two different types of access modes. For instance, you can configure RADIUS for console port access, and TACACS+ for Telnet access. You must define at least one named method list, and the other one can be left as default. It is a common practice to configure RADIUS for dialup connections, and TACACS+ for router management. If you configure RADIUS and TACACS+ for two different services (LOGIN and PPP), you can define both method list names as default.
5 Is it possible to authenticate users with RADIUS protocol, but authorize them with TACACS+ protocol?
Answer: Yes, it is possible. You need to define the RADIUS protocol for authentication and the TACACS+ protocol for authorization in the method lists. This works because TACACS+, unlike the RADIUS protocol, handles authorization in a packet separate from authentication.
6 Can you define none as the authentication or authorization method?
Answer: Yes, it is possible. If none is defined as a method, it effectively bypasses authentication/authorization. The none method is mainly used as the primary method on the console port to avoid authentication when the default login method is defined for Telnet access. It is also used as the last backup method to avoid a possible deadlock situation if all other methods are unavailable to process the authentication and authorization requests.
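
The following is an added example, not code from the original text: a small Python audit over a saved configuration that flags the pitfalls from questions 2 and 6, namely exec authorization applied to the console line without the global aaa authorization console command, and method lists where none is the primary method (a bypass) as opposed to the last fallback. The sample configuration, the finding codes, and the function name audit_aaa are constructed for illustration.

```python
import re

# Constructed sample configuration for this example (not from the original text).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE none
aaa authorization exec default group tacacs+ none
aaa authorization commands 15 default group tacacs+
!
line con 0
 login authentication CONSOLE
 authorization exec default
line vty 0 4
 login authentication default
"""

# aaa {authentication|authorization} <service> [level] <list-name> <methods...>
METHOD_LIST = re.compile(
    r"^aaa (authentication|authorization) (\S+(?: \d+)?) (\S+) (.+)$")


def audit_aaa(config):
    """Return a list of (code, detail) findings for a configuration string."""
    findings = []
    global_console_authz = False   # 'aaa authorization console' present?
    console_exec_authz = False     # 'authorization exec ...' under line con?
    in_console = False
    for raw in config.splitlines():
        text = raw.strip()
        if not raw.startswith(" "):   # a top-level command ends a line block
            in_console = text.startswith("line con")
        if text == "aaa authorization console":
            global_console_authz = True
        elif in_console and text.startswith("authorization exec"):
            console_exec_authz = True
        match = METHOD_LIST.match(text)
        if match and "none" in match.group(4).split():
            kind, service, name, methods = match.groups()
            # 'none' first bypasses the check; 'none' last is only a fallback.
            code = ("NONE_PRIMARY" if methods.split()[0] == "none"
                    else "NONE_FALLBACK")
            findings.append((code, f"{kind} {service} {name}"))
    if console_exec_authz and not global_console_authz:
        findings.append(("CONSOLE_AUTHZ_INACTIVE", "line con 0"))
    return findings


if __name__ == "__main__":
    for code, detail in audit_aaa(SAMPLE_CONFIG):
        print(f"{code}: {detail}")
```

A NONE_PRIMARY finding on a list bound to anything other than the console line deserves review, because that list grants access with no credential check at all.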