topic There is no special config on in Network Access Control

aaa fallback issue to local database

m.reay — Mon, 11 Mar 2019 06:42:00 GMT

!
!
username Fred privilege 15 password xxxxxxxxxxx
!
!
aaa new-model
!
!
aaa group server tacacs+ TacacsSvrGP1
server-private 192.168.1.1
server-private 192.168.1.2

!
aaa authentication login default group TacacsSvrGP1 local
aaa authentication enable default group TacacsSvrGP1 enable
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
!
!
aaa session-id common

tacacs-server host 192.168.1.1 timeout 5
tacacs-server host 192.168.1.2 timeout 5
tacacs-server directed-request
tacacs-server key 7 xxxxxxxxxx
!

I applied the above configuration to a Cisco 3850 switch not connected to the network.

Because the switch could not contact the tacacs server I was expecting a prompt to allow me to login as Fred to using authentication via the local database, however I experienced the following:

When accessing via con 0 using a terminal emulator - the screen looped between the message of the day banner and the "Press Enter to proceed" message.
The Username/Password prompts failed to appear and I was unable to log into the device.

At the same time I received a "Network error: Connection refused" message - again no Username/Password prompts when attempting SSH access.

Reducing the tacacs timeout to 3 seconds did present the Username/Password prompts however access was extremely erratic - with a 60
second delay between prompts being displayed.

This behaviour was the same using both Putty and Hyperterminal.

Also the issue was intermittent ie after a certain period of time I was able to login, however after a further period of time the
problem reappeared.

I initially thought the problem was peculiar to the 3850, however I also saw it on a Cisco 2960.

It appears that there is an issue with failing back to the local database when there is no tacacs server available.

It is conceivable that once the devices are connected to the network, they will be able to connect to tacacs and access to the switches will occur, however I am concerned that if the tacacs servers are unreachable, no one will be able to access the devices with a local account in order to carry out configuration or troubleshooting.

Has anyone come across this issue?

Have you set a deadtime for

jan.nielsen — Fri, 22 Apr 2016 17:28:47 GMT

Have you set a deadtime for the tacacs server ? Otherwise the switch will just try to use it again, straight after it has determined that the tacacs server is down.

With 3 seconds timeout and 3

Jatin Katyal — Sat, 23 Apr 2016 07:45:35 GMT

With 3 seconds timeout and 3 retries, the max delay you should see is 18 seconds - 9 seconds delay per server. Did you try to run 'debug tacacs' and 'debug aaa authentication' to understand why it's taking 60 seconds to prompt you a username / password. Do we have any special config on line con 0 ?

Regards,

Jatin

Do rate helpful posts !

There is no special config on

m.reay — Mon, 25 Apr 2016 07:50:56 GMT

There is no special config on line con 0.

The tacacs server timeout is set to 5 seconds as below:

tacacs-server host 192.168.1.1 timeout 5
tacacs-server host 192.168.1.2 timeout 5

I was not able to login therefore was not able to turn on debugging.

Tacacs timeout is as below:

m.reay — Mon, 25 Apr 2016 07:51:42 GMT

Tacacs timeout is as below:

tacacs-server host 192.168.1.1 timeout 5
tacacs-server host 192.168.1.2 timeout 5

Hello,I don't know if that

Maximilian Usinger — Mon, 25 Apr 2016 12:32:59 GMT

Hello,

I don't know if that helps, but try adding

aaa authorization config-commands
aaa authorization exec default group TacacsSvrGP1 local
aaa authorization commands 0 default local group TacacsSvrGP1
aaa authorization commands 1 default local group TacacsSvrGP1
aaa authorization commands 15 default local group TacacsSvrGP1

or a variation of this to your config.

I think you are missing authorization options in your config, so the system doesn't know what the user you try to login is allowed to do.