https://community.cisco.com/t5/network-access-control/aaa-authentication-question/m-p/1531404#M263533 <HTML><HEAD></HEAD><BODY><P>1. in "User setup", check "Advanced TACACS+ Settings", there should be an option for where to check "enable" password.</P><P></P><P>2. System will use local database only if the configured TACACS+ server is not responding to authentication request. Run some debug to see if it is the case.</P></BODY></HTML> Thu, 28 Oct 2010 15:17:56 GMT Yudong Wu 2010-10-28T15:17:56Z https://community.cisco.com/t5/network-access-control/aaa-authentication-question/m-p/1531403#M263532 <P>Here is the config I have on a switch:</P><P></P><P>aaa authentication login default group tacacs+ local</P><P>aaa authentication login vtylogin group tacacs+ local</P><P>aaa authentication login conlogin group tacacs+ enable none</P><P>aaa authentication enable default tacacs+ enable</P><P></P><P>Now here are my issues:</P><P></P><P>1- When I login from console my login from Tacacs works, but when I type "enable" and try to use my Active Directory password it does not work.&nbsp; Then I try the enable password, it does not work.&nbsp; However if I change the 4th Line to "aaa authentication enable default enable", I can proceed using the enable password.</P><P></P><P>2- My second issue is when I SSH into the switch, I only want it to use the tacacs server and only use local database when the tacacs is not available.&nbsp; However even when tacacs is available I am still able to log into it using the local user account.&nbsp; I am assuming that is by design?&nbsp; Is there a way to stop that if it is not by design?</P><P></P><P></P><P></P><TABLE border="0" cellpadding="0" cellspacing="0" style="width: 455px; height: 61px;"><COL style="width: 341pt;" width="455" /> <TBODY><TR style="height: 15pt;"></TR><TR style="height: 15pt;"><TD class="xl64" height="20" style="height: 15pt; border-top: medium none;"></TD></TR><TR style="height: 15pt;"></TR></TBODY></TABLE> Mon, 11 Mar 2019 00:31:35 GMT https://community.cisco.com/t5/network-access-control/aaa-authentication-question/m-p/1531403#M263532 ALIAOF_ 2019-03-11T00:31:35Z https://community.cisco.com/t5/network-access-control/aaa-authentication-question/m-p/1531404#M263533 <HTML><HEAD></HEAD><BODY><P>1. in "User setup", check "Advanced TACACS+ Settings", there should be an option for where to check "enable" password.</P><P></P><P>2. System will use local database only if the configured TACACS+ server is not responding to authentication request. Run some debug to see if it is the case.</P></BODY></HTML> Thu, 28 Oct 2010 15:17:56 GMT https://community.cisco.com/t5/network-access-control/aaa-authentication-question/m-p/1531404#M263533 Yudong Wu 2010-10-28T15:17:56Z https://community.cisco.com/t5/network-access-control/aaa-authentication-question/m-p/1531405#M263534 <HTML><HEAD></HEAD><BODY><P>Thank you for the reply, I will check on the first setting.&nbsp; However for the seconnd part, system is using the local database but it is using it even if tacacs is available.&nbsp; I do not want the system to be able to use the local database if tacacs is availble.&nbsp; So basically I can login using the Active Directory account as well as the local database.</P></BODY></HTML> Thu, 28 Oct 2010 15:32:40 GMT https://community.cisco.com/t5/network-access-control/aaa-authentication-question/m-p/1531405#M263534 ALIAOF_ 2010-10-28T15:32:40Z https://community.cisco.com/t5/network-access-control/aaa-authentication-question/m-p/1531406#M263535 <HTML><HEAD></HEAD><BODY><P>It will only use local database if tacacs+ server is unavailable.</P><P>do a debug aaa authentication to be sure it isn't using tacacs+.</P></BODY></HTML> Thu, 28 Oct 2010 19:48:37 GMT https://community.cisco.com/t5/network-access-control/aaa-authentication-question/m-p/1531406#M263535 cadet alain 2010-10-28T19:48:37Z https://community.cisco.com/t5/network-access-control/aaa-authentication-question/m-p/1531407#M263536 <HTML><HEAD></HEAD><BODY><P>I know that but I do not want it to use the local database if tacacs is available.</P></BODY></HTML> Mon, 01 Nov 2010 12:56:50 GMT https://community.cisco.com/t5/network-access-control/aaa-authentication-question/m-p/1531407#M263536 ALIAOF_ 2010-11-01T12:56:50Z https://community.cisco.com/t5/network-access-control/aaa-authentication-question/m-p/1531408#M263537 <HTML><HEAD></HEAD><BODY><P>But it won't use you local database unless your tacacs+ server is unavailable so I really don't see the problem.</P><P>If the router uses your local database to authenticate then there is a communication problem with your tacacs+ server so he is using the next method listed in your command which is local database. As I said before do a debug aaa authentication and you will see the router is attempting to communicate with the tacacs+ server and only if it times out then is he going to use an alternative method if it is listed in method list.</P></BODY></HTML> Mon, 01 Nov 2010 18:07:24 GMT https://community.cisco.com/t5/network-access-control/aaa-authentication-question/m-p/1531408#M263537 cadet alain 2010-11-01T18:07:24Z https://community.cisco.com/t5/network-access-control/aaa-authentication-question/m-p/1531409#M263538 <HTML><HEAD></HEAD><BODY><P>Ok let me try to explain this agagin:</P><P></P><P>1- There is no communication problem as I can login using tacacs without any problems.&nbsp; If I remove the "local" keyword from the line and only leave tacacs+ it works and even if I leave "local" after tacacs+ it still works.</P><P>2- However at the same time I can also use the local account to login. </P><P>3- I have looked at the debug and tacacs authentication works fine.</P></BODY></HTML> Mon, 01 Nov 2010 18:37:50 GMT https://community.cisco.com/t5/network-access-control/aaa-authentication-question/m-p/1531409#M263538 ALIAOF_ 2010-11-01T18:37:50Z https://community.cisco.com/t5/network-access-control/aaa-authentication-question/m-p/1531410#M263539 <HTML><HEAD></HEAD><BODY><P>When you use the local user account to login to device, can you check if you can see the log in "passed authentication attemp" on ACS box? If yes, could you please check your ACS local user DB to see it the same account was created by a mistaken?</P></BODY></HTML> Mon, 01 Nov 2010 19:10:46 GMT https://community.cisco.com/t5/network-access-control/aaa-authentication-question/m-p/1531410#M263539 Yudong Wu 2010-11-01T19:10:46Z https://community.cisco.com/t5/network-access-control/aaa-authentication-question/m-p/1531411#M263540 <HTML><HEAD></HEAD><BODY><P>Thank you, that was the issue I still don't have access to the ACS yet since I'm new so I asked one of my co workers to check and yup local account was defined in the ACS, after disabling it, it works now.</P></BODY></HTML> Mon, 01 Nov 2010 19:31:53 GMT https://community.cisco.com/t5/network-access-control/aaa-authentication-question/m-p/1531411#M263540 ALIAOF_ 2010-11-01T19:31:53Z https://community.cisco.com/t5/network-access-control/aaa-authentication-question/m-p/1531412#M263541 <HTML><HEAD></HEAD><BODY><P>I facing same issue, i have dont have same user configured in TACACS as local user but still i am able to login through tacacs by user1 as well locally at te same time by user2.</P><P></P><P>what could be the issue. my ACS version is 4.2.</P></BODY></HTML> Tue, 04 Jan 2011 06:54:00 GMT https://community.cisco.com/t5/network-access-control/aaa-authentication-question/m-p/1531412#M263541 size57 2011-01-04T06:54:00Z https://community.cisco.com/t5/network-access-control/aaa-authentication-question/m-p/1531413#M263542 <HTML><HEAD></HEAD><BODY><P>Post your AAA and VTY settings if you can.</P></BODY></HTML> Tue, 04 Jan 2011 14:09:29 GMT https://community.cisco.com/t5/network-access-control/aaa-authentication-question/m-p/1531413#M263542 ALIAOF_ 2011-01-04T14:09:29Z