topic There is default support for in Network Access Control

Configuring AAA fallback to local on Nexus 9k

rpatnaik_slf — Mon, 11 Mar 2019 06:38:40 GMT

To Whom it May Concern,

I've configured the following:

tacacs-server key abcdefg
tacacs-server host x.x.x.x timeout 5
tacacs-server host y.y.y.y timeout 5
aaa group server tacacs+ tacacs
server x.x.x.x
server y.y.y.y
use-vrf management

source-interface mgmt0

aaa authentication login default group tacacs
aaa authorization commands default group tacacs local
aaa accounting default group tacacs

!

username admin password 5 $5$FGFIEN$6.3JWzAkkhZvxNrbd6pB6P6UqFULglpyhgJgwq9WQbA role network-admin
!

What I'm looking at is to ensure that fallback works when TACACS+ is enabled. However, I shouldn't be able to use the "admin" account even when tacacs is working. What am I doing wrong? It seems that "admin" is allowed still with TACACS working.

Cheers,

Rash

Hi,

aydinnmu1 — Tue, 05 Apr 2016 13:52:48 GMT

Hi,

aaa works order of method types.

if no response at one method pass to another method and vice versa.

if fail at one method dont pass another method and reject.

you defined for authentication one method as group tacacs. and if tacacs authentication is failed you take a message authentication fail.

You should add to configuration

aaa authentication login default group tacacs local

or you should define an user in tacacs user that name is admin.

Best regards.

There is default support for

rpatnaik_slf — Thu, 28 Apr 2016 18:19:49 GMT

There is default support for "local". You do not have to specifically identify it. This provided I agree with you to have the "admin" name defined in TACACS. Unfortunately, I do not have access to that server.