https://community.cisco.com/t5/network-access-control/local-username-and-password-if-acs-server-fails/m-p/1720971#M238861 <HTML><HEAD></HEAD><BODY><P>Anisha,</P><P></P><P>The first line was ok but it wont accept the second line: <STRONG>aaa&nbsp; authentication enable default group tacacs+ local</STRONG></P><P>so i have had to leave it as aaa&nbsp; authentication enable default group tacacs+ enable until i work out why its wont accept the command.</P><P></P><P>I tested the config on one switch by turning off Tacacs for that one switch.&nbsp; It prompted me for the local username and password and i logged in ok.&nbsp; But i had to login with the enable password on the router until i work why the line above in bold wont go on the switch.</P><P></P><P>The switch involved is a C2960 Software (C2960-LANBASE-M), Version 12.2(35)SE5.</P><P></P><P>Any ideas why it wont accept <STRONG>aaa&nbsp; authentication enable default group tacacs+ local</STRONG></P><P>Did that line work ok on your switch / router config?</P><P></P><P>regards,</P><P>Kevin</P></BODY></HTML> Wed, 20 Apr 2011 15:40:38 GMT ohareka70 2011-04-20T15:40:38Z https://community.cisco.com/t5/network-access-control/local-username-and-password-if-acs-server-fails/m-p/1720967#M238852 <P>Hello,</P><P></P><P>I have every router and switch setup for login authentication via the ACS server.&nbsp; I have used these 12 lines below and it is working fine.&nbsp; Every engineer has their own account.</P><P></P><P>aaa new-model<BR />aaa authentication login default group tacacs+ enable<BR />aaa authentication enable default group tacacs+ enable<BR />aaa authorization exec default if-authenticated <BR />aaa authorization commands 15 default group tacacs+ if-authenticated <BR />aaa accounting exec default start-stop group tacacs+<BR />aaa accounting commands 15 default start-stop group tacacs+<BR />aaa accounting connection default start-stop group tacacs+<BR />aaa session-id common</P><P>tacacs-server host x.x.x.x<BR />tacacs-server directed-request<BR />tacacs-server key WHATEVER</P><P></P><P>----------------------------------------------</P><P>I would like to add to this a local username and password so that if the ACS server was offline the engineers would still have to login with a default username and password i.e</P><P></P><P>username MYUSERNAME privilege 15 secret mypassword</P><P><BR />line vty 0 4 <BR /> login local</P><P></P><P>Q.&nbsp; How do i do this so ACS server has first preference and users only login with local username and password if the ACS server is down?</P><P></P><P>regards,</P><P>Kevin</P> Mon, 11 Mar 2019 00:59:17 GMT https://community.cisco.com/t5/network-access-control/local-username-and-password-if-acs-server-fails/m-p/1720967#M238852 ohareka70 2019-03-11T00:59:17Z https://community.cisco.com/t5/network-access-control/local-username-and-password-if-acs-server-fails/m-p/1720968#M238854 <HTML><HEAD></HEAD><BODY><P>Right now you have the enable password as the fall back method:</P><P></P><P>aaa authentication login default group tacacs+ enable</P><P></P><P>Change "enable" to "local" and the local (on the router) database of usernames and passwords will be used.</P><P></P><P>The same works for enable authentication (the second "aaa authentication ..." line in the config you posted).</P></BODY></HTML> Wed, 13 Apr 2011 16:46:52 GMT https://community.cisco.com/t5/network-access-control/local-username-and-password-if-acs-server-fails/m-p/1720968#M238854 Javier Henderson 2011-04-13T16:46:52Z https://community.cisco.com/t5/network-access-control/local-username-and-password-if-acs-server-fails/m-p/1720969#M238856 <HTML><HEAD></HEAD><BODY><P>Javier,</P><P></P><P>I did try this and what this does is let me login with the local account but bypasses the tacacs account.&nbsp; I want it to use the Tacacs account first and only use the local account when the Tacacs account fails.&nbsp; Maybe this is not possible. </P><P></P><P>If i put it back to the way it was and stop the ACS server then it falls back to the enable password on the router.</P><P></P><P>thanks</P><P>Kevin</P></BODY></HTML> Tue, 19 Apr 2011 10:48:05 GMT https://community.cisco.com/t5/network-access-control/local-username-and-password-if-acs-server-fails/m-p/1720969#M238856 ohareka70 2011-04-19T10:48:05Z https://community.cisco.com/t5/network-access-control/local-username-and-password-if-acs-server-fails/m-p/1720970#M238858 <HTML><HEAD></HEAD><BODY><P>Hi Kevin,</P><P></P><P>Please do the following:</P><P></P><P>line vty 0 4</P><P>no login local</P><P></P><P>no aaa authentication login default group tacacs+ enable<BR />no aaa&nbsp; authentication enable default group tacacs+ enable</P><P>aaa authentication login default group tacacs+ local<BR />aaa&nbsp; authentication enable default group tacacs+ local</P><P></P><P>In this case the authentication will head to your tacacs server first and then to local only if the TACACS server is down.</P><P></P><P>Hope this helps.</P><P></P><P>Regards,</P><P>Anisha</P><P></P><P>P.S.: Please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.</P></BODY></HTML> Wed, 20 Apr 2011 13:59:12 GMT https://community.cisco.com/t5/network-access-control/local-username-and-password-if-acs-server-fails/m-p/1720970#M238858 andamani 2011-04-20T13:59:12Z https://community.cisco.com/t5/network-access-control/local-username-and-password-if-acs-server-fails/m-p/1720971#M238861 <HTML><HEAD></HEAD><BODY><P>Anisha,</P><P></P><P>The first line was ok but it wont accept the second line: <STRONG>aaa&nbsp; authentication enable default group tacacs+ local</STRONG></P><P>so i have had to leave it as aaa&nbsp; authentication enable default group tacacs+ enable until i work out why its wont accept the command.</P><P></P><P>I tested the config on one switch by turning off Tacacs for that one switch.&nbsp; It prompted me for the local username and password and i logged in ok.&nbsp; But i had to login with the enable password on the router until i work why the line above in bold wont go on the switch.</P><P></P><P>The switch involved is a C2960 Software (C2960-LANBASE-M), Version 12.2(35)SE5.</P><P></P><P>Any ideas why it wont accept <STRONG>aaa&nbsp; authentication enable default group tacacs+ local</STRONG></P><P>Did that line work ok on your switch / router config?</P><P></P><P>regards,</P><P>Kevin</P></BODY></HTML> Wed, 20 Apr 2011 15:40:38 GMT https://community.cisco.com/t5/network-access-control/local-username-and-password-if-acs-server-fails/m-p/1720971#M238861 ohareka70 2011-04-20T15:40:38Z https://community.cisco.com/t5/network-access-control/local-username-and-password-if-acs-server-fails/m-p/1720972#M238862 <HTML><HEAD></HEAD><BODY><P>Hi Kevin,</P><P></P><P>My apologizes.. the command you have is correct . The local option is not present for enable authentication.</P><P></P><P>hope this helps.</P><P></P><P>Regards,</P><P>Anisha</P></BODY></HTML> Wed, 20 Apr 2011 16:27:10 GMT https://community.cisco.com/t5/network-access-control/local-username-and-password-if-acs-server-fails/m-p/1720972#M238862 andamani 2011-04-20T16:27:10Z https://community.cisco.com/t5/network-access-control/local-username-and-password-if-acs-server-fails/m-p/1720973#M238865 <HTML><HEAD></HEAD><BODY><P>Happy enough now that i have a config that will do the job.</P><P></P><P>thanks</P><P>Kevin</P></BODY></HTML> Thu, 21 Apr 2011 08:40:31 GMT https://community.cisco.com/t5/network-access-control/local-username-and-password-if-acs-server-fails/m-p/1720973#M238865 ohareka70 2011-04-21T08:40:31Z