topic Looks like NX-OS will not in Network Access Control

Failover to local login when TACACS is reachable but not authenticating

101100101 — Mon, 11 Mar 2019 00:49:39 GMT

Hello, I'm confident I already know the answer to this question but I want to be sure.

I am moving a large number of Cisco devices to a new TACACS server, is there anything that can be done to allow local login if the new TACACS server is reachable but not authenticating for some reason? For example if the Cisco source IP is not built correctly into the server or the key is not configured properly on the device; in these situations the server is reachable but will not provide authentication.

I already have AAA authentication set similar to the following:

Router1(config)#aaa authentication login default group tacacs+ line

This will allow me to use line authentication if the tacacs server is not reachable but not if the server is reachable and not authenticating properly.

Any ideas on how/if I can failover to local login for the example situation I provided above?

Re: Failover to local login when TACACS is reachable but not aut

andamani — Tue, 15 Feb 2011 15:55:08 GMT

hi,

if the tacacs server is reachable and not authentication for some reason, then no fallback will be kicked even if the configuration is

aaa authentication login default group tacacs+ line.

i don't think there is anyway to force a fallback of authentication server when the primary aaa server is reachable.

Hope this helps.

Regards,

Anisha

P.S.: please mark this thread as answered if you feel your query is resolved.

Failover to local login when TACACS is reachable but not authent

adsyparker — Thu, 05 Jan 2012 17:46:22 GMT

I know this topic is old, but your workaround would be to make the TACACS server unreachable to that device.

You could do this through policy routing. Route the TACACS servers host address to Null0 based on a source IP of the tacacs source-interface.

Failover to local login when TACACS is reachable but not authent

camejia — Thu, 05 Jan 2012 18:38:28 GMT

Hello,

If you configure the following command:

aaa authentication login default local group tacacs+

If you input "local" argument on the command before the "group tacacs+" you should be able to access the IOS device with both Local Username/Password and TACACS+ Username/Password even when the TACACS+ server is up and running.

The above behavior can only be triggered when using LOCAL IOS database and then TACACS+. If you input "line" before "group tacacs+" the IOS will only ask for the LINE password when authenticating. It will only ask for TACACS+ credentials if the "line vty 0 15" has no password configured.

Hope this helps.

Regards.

Is this a true solution to

Steven Williams — Sat, 02 Aug 2014 14:31:26 GMT

Is this a true solution to allow local authentication when ACS is reachable? We have a need for local authentication so that an application can login using local username and password and change the password for the local username for security compliance.

Hi Steve, You can try the

minkumar — Mon, 04 Aug 2014 05:51:56 GMT

Hi Steve,

You can try the following command:

aaa authentication login default local group tacacs+

This means it will try to authenticate using local credentials first then Tacacs. so you will be able to access IOS regardless of Tacacs server being reachble or not.

However, The above behavior can only be triggered when using LOCAL IOS database and then TACACS+. If you input "line" before "group tacacs+" the IOS will only ask for the LINE password when authenticating. It will only ask for TACACS+ credentials if the "line vty 0 15" has no password configured

Looks like NX-OS will not

Steven Williams — Tue, 05 Aug 2014 13:50:21 GMT

Looks like NX-OS will not allow me to do this.

Nexus001(config)# aaa authentication login default local group TACACS
^
% Invalid command at '^' marker.
Nexus001(config)# aaa authentication login default local ?
<CR>

Nexus001(config)# aaa authentication login ?
ascii-authentication Enable ascii authentication
chap                  CHAP authentication for login
console               Configure console methods
default               Configure default methods
error-enable          Enable display of error message on login failures
mschap                MSCHAP authentication for login
mschapv2              MSCHAP V2 authentication for login

Nexus001(config)# aaa authentication login default ?
fallback Configure fallback behavior
group     Specify server groups
local     Use local username authentication
none      No authentication

Nexus001(config)# aaa authentication login default local ?
<CR>

Hi Steve, Thats seems to be

minkumar — Wed, 06 Aug 2014 03:46:42 GMT

Hi Steve,

Thats seems to be not possible with Nexus,I thought you were using IOS.

You can follow the below document and see if that helps:

http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/4_1/nx-os/security/configuration/guide/sec_nx-os-cfg/sec_aaa.html#wp1259788

Cheers!!

Minakshi(Rate the helpful posts)