https://community.cisco.com/t5/network-access-control/nexus-allows-tacacs-and-local-authentication-concurrently/m-p/1674218#M233062 <HTML><HEAD></HEAD><BODY><P> Tarik,</P><P></P><P>The folks in the lab were able to duplicate the problem.&nbsp; Since we would rather provide Cisco logging info from the lab and not the production environment, they are going to open a TAC case on my behalf.</P><P></P><P>Once a solution is provided, I will update this forum post for the benefit of the community.</P><P></P><P>Thanks again for your help.</P><P></P><P>-Erik</P></BODY></HTML> Wed, 08 Jun 2011 06:17:04 GMT efairbanks 2011-06-08T06:17:04Z https://community.cisco.com/t5/network-access-control/nexus-allows-tacacs-and-local-authentication-concurrently/m-p/1674216#M233058 <P>Community,</P><P></P><P>I am experiencing an issue where NX-OS on our 5010s is allowing both Local AND TACACS authentication concurrently.&nbsp; If I don't configure any aaa authorization commands, the locally logged in user has unmitigated access to the device.&nbsp; Once I enable aaa authroization, all commands issued by the locally logged in user are denied by ACS, but they can still log in to the device.&nbsp; When I comb through the logs on the ACS server, I see successful logins when TACACS credentials are used, and also the failed attempts when the locally configured credentials are used.&nbsp; On the switch, however, I receive "%TACACS-3-TACACS_ERROR_MESSAGE:&nbsp; All servers failed to respond" when using locally configured credentials on the switch itself.&nbsp; We are running ACS v4.2.</P><P></P><P>See attachment for configuration information from the switch.</P><P></P><P>Thanks in advance for any assistance.</P><P></P><P>-Erik</P> Mon, 11 Mar 2019 01:08:34 GMT https://community.cisco.com/t5/network-access-control/nexus-allows-tacacs-and-local-authentication-concurrently/m-p/1674216#M233058 efairbanks 2019-03-11T01:08:34Z https://community.cisco.com/t5/network-access-control/nexus-allows-tacacs-and-local-authentication-concurrently/m-p/1674217#M233060 <HTML><HEAD></HEAD><BODY><P>I wanted to know what the reason for the failed attempts are in the acs logs? If you can set the logging to full and then search for the username in the TCS.logs after you repro the issue and then download the support bundle. This will show you if ACS is failing the user or if ACS is returning error messages to the Nexus thus failing over to local authentication. </P><P></P><P>Keep in mind when setting the logging to full and downloading the package.cab file will restart the services on the box. </P><P></P><P>Thanks,</P><P>Tarik</P></BODY></HTML> Tue, 07 Jun 2011 07:45:56 GMT https://community.cisco.com/t5/network-access-control/nexus-allows-tacacs-and-local-authentication-concurrently/m-p/1674217#M233060 Tarik Admani 2011-06-07T07:45:56Z https://community.cisco.com/t5/network-access-control/nexus-allows-tacacs-and-local-authentication-concurrently/m-p/1674218#M233062 <HTML><HEAD></HEAD><BODY><P> Tarik,</P><P></P><P>The folks in the lab were able to duplicate the problem.&nbsp; Since we would rather provide Cisco logging info from the lab and not the production environment, they are going to open a TAC case on my behalf.</P><P></P><P>Once a solution is provided, I will update this forum post for the benefit of the community.</P><P></P><P>Thanks again for your help.</P><P></P><P>-Erik</P></BODY></HTML> Wed, 08 Jun 2011 06:17:04 GMT https://community.cisco.com/t5/network-access-control/nexus-allows-tacacs-and-local-authentication-concurrently/m-p/1674218#M233062 efairbanks 2011-06-08T06:17:04Z https://community.cisco.com/t5/network-access-control/nexus-allows-tacacs-and-local-authentication-concurrently/m-p/1674219#M233064 <HTML><HEAD></HEAD><BODY><P>Erik,</P><P></P><P>I am experiencing the same problem on my Nexus 5548 and 7010 switches.&nbsp; Have you made any progress on your case with TAC?&nbsp; I would be most interested to find out more.</P><P></P><P>Thanks,</P><P>John</P></BODY></HTML> Mon, 12 Sep 2011 20:38:35 GMT https://community.cisco.com/t5/network-access-control/nexus-allows-tacacs-and-local-authentication-concurrently/m-p/1674219#M233064 John Galietta 2011-09-12T20:38:35Z https://community.cisco.com/t5/network-access-control/nexus-allows-tacacs-and-local-authentication-concurrently/m-p/1674220#M233065 <HTML><HEAD></HEAD><BODY><P>Erik-</P><P></P><P>I encountered the same issue.&nbsp; Any update from TAC on what the issue was?</P><P></P><P>-Nathan</P></BODY></HTML> Wed, 05 Oct 2011 20:14:05 GMT https://community.cisco.com/t5/network-access-control/nexus-allows-tacacs-and-local-authentication-concurrently/m-p/1674220#M233065 Nathan Eger 2011-10-05T20:14:05Z https://community.cisco.com/t5/network-access-control/nexus-allows-tacacs-and-local-authentication-concurrently/m-p/1674221#M233066 <HTML><HEAD></HEAD><BODY><P>Hello Erik.</P><P>I encountered the same issue. Any update from TAC?</P><P>Regards.</P><P>Andrea</P></BODY></HTML> Tue, 15 Nov 2011 10:35:23 GMT https://community.cisco.com/t5/network-access-control/nexus-allows-tacacs-and-local-authentication-concurrently/m-p/1674221#M233066 andrea.meconi 2011-11-15T10:35:23Z https://community.cisco.com/t5/network-access-control/nexus-allows-tacacs-and-local-authentication-concurrently/m-p/1674222#M233067 <HTML><HEAD></HEAD><BODY><P>Yes...sorry....I did get this working.&nbsp; If you configure the AAA authentication line with the tacacs option, but omit the "local" parameter, you will achieve your desired results - localmauthentican will work only if tactics fails.&nbsp; Not sure if this is a bug or a code difficiency...</P></BODY></HTML> Tue, 15 Nov 2011 10:42:32 GMT https://community.cisco.com/t5/network-access-control/nexus-allows-tacacs-and-local-authentication-concurrently/m-p/1674222#M233067 efairbanks 2011-11-15T10:42:32Z