https://community.cisco.com/t5/network-access-control/asa-8-0-and-microsoft-isa-local-user-backup/m-p/950543#M391233 <HTML><HEAD></HEAD><BODY><P>On a router, "aaa authentication login default local group tacacs+ " will ALWAYS use the local user DB, never tacacs.</P><P></P><P>"aaa authentication login default group tacacs+ local" will first try tacacs and only if the tacacs server is not responding, use the local DB. Note that if the tacacs DOES respond but rejects the authentication attempt (user does not exist or wrong password), that the router will NOT use the local DB.</P><P></P><P>That said, on pix/asa you can do the same, e.g.:</P><P></P><P>aaa-server TPLUS protocol tacacs+</P><P>aaa-server TPLUS (management) host 10.0.0.1</P><P>aaa authentication telnet console TPLUS LOCAL</P><P></P><P></P><P>hth</P><P>H</P></BODY></HTML> Fri, 14 Mar 2008 11:35:39 GMT Herbert Baerten 2008-03-14T11:35:39Z https://community.cisco.com/t5/network-access-control/asa-8-0-and-microsoft-isa-local-user-backup/m-p/950542#M391232 <P>What is the command so that when the username + password cannot be found in the microsoft isa server, the pix will look at the local database?</P><P></P><P>This command works in the router, but I cannot seem to find the equivlant for the pix.</P><P></P><P>aaa authentication login default local group tacacs+</P><P></P><P>Basically does the pix asa 8.0 support Multiple authorization commands?</P><P></P><P>Thank you very much for your help.</P> Sun, 10 Mar 2019 22:43:12 GMT https://community.cisco.com/t5/network-access-control/asa-8-0-and-microsoft-isa-local-user-backup/m-p/950542#M391232 vtra 2019-03-10T22:43:12Z https://community.cisco.com/t5/network-access-control/asa-8-0-and-microsoft-isa-local-user-backup/m-p/950543#M391233 <HTML><HEAD></HEAD><BODY><P>On a router, "aaa authentication login default local group tacacs+ " will ALWAYS use the local user DB, never tacacs.</P><P></P><P>"aaa authentication login default group tacacs+ local" will first try tacacs and only if the tacacs server is not responding, use the local DB. Note that if the tacacs DOES respond but rejects the authentication attempt (user does not exist or wrong password), that the router will NOT use the local DB.</P><P></P><P>That said, on pix/asa you can do the same, e.g.:</P><P></P><P>aaa-server TPLUS protocol tacacs+</P><P>aaa-server TPLUS (management) host 10.0.0.1</P><P>aaa authentication telnet console TPLUS LOCAL</P><P></P><P></P><P>hth</P><P>H</P></BODY></HTML> Fri, 14 Mar 2008 11:35:39 GMT https://community.cisco.com/t5/network-access-control/asa-8-0-and-microsoft-isa-local-user-backup/m-p/950543#M391233 Herbert Baerten 2008-03-14T11:35:39Z https://community.cisco.com/t5/network-access-control/asa-8-0-and-microsoft-isa-local-user-backup/m-p/950544#M391234 <HTML><HEAD></HEAD><BODY><P>Thank you very much, that helped a lot!</P></BODY></HTML> Thu, 27 Mar 2008 19:06:26 GMT https://community.cisco.com/t5/network-access-control/asa-8-0-and-microsoft-isa-local-user-backup/m-p/950544#M391234 vtra 2008-03-27T19:06:26Z