...
Even with AAA "aaa bypass-user" configuration, N9K (authenticator) will still use ACS for user authorization and accounting - and not local RBAC.

Example:

    N9K-EoR# show running-config aaa

    !Command: show running-config aaa
    !Running configuration last done at: Fri Feb 8 17:39:08 2019
    !Time: Fri Feb 8 17:40:50 2019

    version 9.2(1) Bios:version 08.32
    aaa authentication login default group TACACS+ local
    aaa authentication login console local
    aaa bypass-user alex accounting authorization

    N9K-EoR# show tacacs-server statistics 10.48.26.138 | diff -c
    *** /volatile/vsh_diff_1_admin_842_show_tacacsserver_statistics_.old Fri Feb 8 17:40:12 2019
    --- - Fri Feb 8 17:40:12 2019
    ***************
    *** 2,9 ****
      Authentication Statistics
          failed transactions: 0
    !     successful transactions: 0
    !     requests sent: 0
          requests timed out: 0
          responses with no matching requests: 0
          responses not processed: 0
    --- 2,9 ----
      Authentication Statistics
          failed transactions: 0
    !     successful transactions: 1
    !     requests sent: 1
          requests timed out: 0
          responses with no matching requests: 0
          responses not processed: 0
    ***************
    *** 11,18 ****
      Authorization Statistics
          failed transactions: 0
    !     successful transactions: 0
    !     requests sent: 0
          requests timed out: 0
          responses with no matching requests: 0
          responses not processed: 0
    --- 11,18 ----
      Authorization Statistics
          failed transactions: 0
    !     successful transactions: 1
    !     requests sent: 1
          requests timed out: 0
          responses with no matching requests: 0
          responses not processed: 0
    N9K-EoR#
    N9K-EoR# show user-account
    user:admin
            this user account has no expiry date
            roles:network-admin
    user:alex
            roles:network-admin
            account created through REMOTE authentication
            Credentials such as ssh server key will be cached temporarily only for this user account
            Local login not possible
    N9K-EoR# show running-config | grep username
    username admin password 5 ***************** role network-admin
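One way to check on a given release whether the bypass is honored, as an added example that is not part of the original report: compare two snapshots of "show tacacs-server statistics" taken before and after a login as the bypass user. The snapshot text is constructed from the counters in the diff above, and the function names are hypothetical.

```python
import re

# Constructed snapshots of `show tacacs-server statistics <server>` taken before
# and after a login as the bypass user; counter values follow the diff above.
BEFORE = """\
Authentication Statistics
        failed transactions: 0
        successful transactions: 0
        requests sent: 0
Authorization Statistics
        failed transactions: 0
        successful transactions: 0
        requests sent: 0
"""
AFTER = (BEFORE.replace("successful transactions: 0", "successful transactions: 1")
               .replace("requests sent: 0", "requests sent: 1"))

def parse_stats(text):
    """Return {section: {counter: int}} from the statistics output."""
    stats, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        head = re.fullmatch(r"(\w+) Statistics", line)
        if head:
            section = head.group(1).lower()
            stats[section] = {}
            continue
        m = re.fullmatch(r"(.+?):\s*(\d+)", line)
        if m and section:
            stats[section][m.group(1)] = int(m.group(2))
    return stats

def counter_deltas(before, after):
    """Counters that changed between two snapshots, grouped by section."""
    b, a = parse_stats(before), parse_stats(after)
    return {sec: {k: v - b.get(sec, {}).get(k, 0)
                  for k, v in counters.items() if v != b.get(sec, {}).get(k, 0)}
            for sec, counters in a.items()}

def bypass_not_honored(before, after, bypassed=("authorization", "accounting")):
    """Sections the bypass should have silenced but that still sent requests."""
    deltas = counter_deltas(before, after)
    return sorted(s for s in bypassed if deltas.get(s, {}).get("requests sent", 0) > 0)

if __name__ == "__main__":
    print(counter_deltas(BEFORE, AFTER))
    print("bypass ignored for:", bypass_not_honored(BEFORE, AFTER))
```

A non-empty result from bypass_not_honored means the switch still sent TACACS+ requests for a service the bypass-user line was meant to keep local.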
Attempt to configure/use AAA option to bypass authorization and accounting for specific local users:

    tahoe-eor1# show run aaa | inc test1
    aaa bypass-user test1 accounting authorization
The only workaround available so far is to configure AAA authorization and accounting against local database - using RBAC:

    N9K-EoR(config)# aaa authorization commands default local
    N9K-EoR(config)# aaa authorization config-commands default local
    N9K-EoR(config)# aaa accounting default local

Of course it will affect all users...