ACS Failover ??

Kurt Warner — Mon, 11 Mar 2019 01:10:45 GMT

After configuring an ACS and having it up and working on a large number and types of Cisco Switches and Routers. I am faced with this the way it was configured , it should have a fall back to local user and password if it can not reach the ACS mine just keeps looking for the ACS. Can i force a local log in? or is there an issues with my config which is posted below?:

version 12.2

no service pad

service timestamps debug uptime

service timestamps log uptime

hostname test_tv

enable password ******

username admin privilege 15 password 0 line ******

aaa new-model

aaa group server radius rad_eap

aaa group server tacacs+ tac_admin

server 10.1.1.120

aaa authentication login default group tacacs+ local

aaa authentication login eap_methods group rad_eap

aaa authentication login eap_methods1 group rad_eap1

aaa authentication enable default group tac_admin

aaa authorization exec default group tac_admin group rad_admin

aaa authorization exec tac_admin group tac_admin

aaa authorization commands 0 default group tac_admin

aaa authorization commands 1 default group tac_admin

aaa authorization commands 2 default group tac_admin

aaa authorization commands 3 default group tac_admin

aaa authorization commands 4 default group tac_admin

aaa authorization commands 5 default group tac_admin

aaa authorization commands 6 default group tac_admin

aaa authorization commands 7 default group tac_admin

aaa authorization commands 8 default group tac_admin

aaa authorization commands 9 default group tac_admin

aaa authorization commands 10 default group tac_admin

aaa authorization commands 11 default group tac_admin

aaa authorization commands 12 default group tac_admin

aaa authorization commands 13 default group tac_admin

aaa authorization commands 14 default group tac_admin

aaa authorization commands 15 default group tac_admin

aaa authorization commands 15 tac_admin group tacacs+ none

aaa authorization network tac_admin group tacacs+

aaa accounting exec default start-stop group tac_admin

aaa accounting commands 15 default start-stop group tac_admin

aaa accounting network default start-stop group tac_admin

aaa accounting network acct_methods start-stop group rad_acct

aaa session-id common

ip subnet-zero

no ip domain-lookup

no file verify auto

spanning-tree mode pvst

spanning-tree extend system-id

vlan internal allocation policy ascending

snmp-server engineID local 000000090200000021000000

snmp-server community

snmp-server host 10.1.1.110 inform version 2c

snmp-server host 10.1.1.110 version 2c

tacacs-server host 10.1.1.120

tacacs-server directed-request

tacacs-server key **********

radius-server source-ports *************

control-plane

banner motd ^

line con 0

password ******

stopbits 1

line vty 0 4

password ******

authorization commands 0 tac_admin

authorization commands 1 tac_admin

authorization commands 2 tac_admin

authorization commands 3 tac_admin

authorization commands 4 tac_admin

authorization commands 5 tac_admin

authorization commands 6 tac_admin

authorization commands 7 tac_admin

authorization commands 8 tac_admin

authorization commands 9 tac_admin

authorization commands 10 tac_admin

authorization commands 11 tac_admin

authorization commands 12 tac_admin

authorization commands 13 tac_admin

authorization commands 14 tac_admin

authorization commands 15 tac_admin

line vty 5 15

password ******

authorization commands 0 tac_admin

authorization commands 1 tac_admin

authorization commands 2 tac_admin

authorization commands 3 tac_admin

authorization commands 4 tac_admin

authorization commands 5 tac_admin

authorization commands 6 tac_admin

authorization commands 7 tac_admin

authorization commands 8 tac_admin

authorization commands 9 tac_admin

authorization commands 10 tac_admin

authorization commands 11 tac_admin

authorization commands 12 tac_admin

authorization commands 13 tac_admin

authorization commands 14 tac_admin

authorization commands 15 tac_admin

end

ACS Failover ??

Devashree Chakrabarti — Tue, 21 Jun 2011 17:43:27 GMT

Hello Kurt

The command on device shows that primary method is Tacacs and then, local.

aaa authentication login default group tacacs+ local

Is ACS server unreacable from device ? Does it fail on authentication ?

thanks

Devashree

ACS Failover ??

Kurt Warner — Wed, 22 Jun 2011 13:14:51 GMT

The ACS sits on another network and "what if" that link is down. When i have removed the ability to contact the ACS i have no way to log in. I would figured the switch would detect it could not reach the ACS and try local login but that is not happening.

ACS Failover ??

Nicolas Darchis — Thu, 23 Jun 2011 08:00:19 GMT

It should fail over if the ACS is really unreachable.

Can you turn on some debug tacacs and debug aaa ?

ACS Failover ??

Julio Garcia — Tue, 28 Jun 2011 12:54:00 GMT

hi Kurt,

you have ....

aaa authentication login default group tacacs+ local

and then...

aaa authorization exec default group tac_admin group rad_admin

i am thinking this could be the issue, the authorization of exec shell should have a local option at the end in case your tacacs server fails.

ACS Failover ??

Angus Bishop — Wed, 29 Jun 2011 17:40:27 GMT

Please post the below debugs

debug tacacs events / packets / errors

debug aaa

ACS Failover ??

Kurt Warner — Thu, 30 Jun 2011 17:05:42 GMT

It can not reach the ACS ( in this case) so i couldnt log in to get that information

ACS Failover ??

Kurt Warner — Wed, 06 Jul 2011 17:19:11 GMT

adding the local worked i can now get to the command prompt BUT when i type enable it says :

" % error in Authentication" and returns me to the > with nothing to enter.

ACS Failover ??

marcelnjkoks — Tue, 12 Jul 2011 13:35:06 GMT

Isn't that because of this line:

aaa authentication enable default group tac_admin

Shouldn't that also fallback to local?

topic ACS Failover ?? in Network Access Control

ACS Failover ??

ACS Failover ??

ACS Failover ??

ACS Failover ??

ACS Failover ??

ACS Failover ??

ACS Failover ??

ACS Failover ??

ACS Failover ??