https://community.cisco.com/t5/network-access-control/if-acs-server-down-no-local-authentication/m-p/963384#M401542 <HTML><HEAD></HEAD><BODY><P>Jason</P><P></P><P>I believe that I have been bitten by this issue before myself. I believe that if you look carefully when you attempt to login and the TACACS servers are not available, that the error message that you get is authorization failure where we would generally expect to see authentication failure.</P><P></P><P>I believe that the issue is in your configuration of aaa authorization. You currently have this configured:</P><P>aaa authorization exec default group tacacs+ local </P><P></P><P>I would suggest that you change it to this:</P><P>aaa authorization exec default group tacacs+ if-authenticated</P><P></P><P>Give it a try and let us know if it works better.</P><P></P><P>HTH</P><P></P><P>Rick</P></BODY></HTML> Sun, 22 Jun 2008 14:26:10 GMT Richard Burts 2008-06-22T14:26:10Z https://community.cisco.com/t5/network-access-control/if-acs-server-down-no-local-authentication/m-p/963382#M401540 <P>noticed when my two tacacs servers are unreachable I can not login withlocal username, after the tacacs-server timeout (5 sec each) shouldn't it lookat local username admin? </P><P></P><P>(changed hostnames/keys for security) </P><P>username adminprivilege 15 secret 5 &lt;removed&gt; </P><P></P><P>old</P><P>aaa new-model</P><P>aaa authentication login default group tacacs+ local</P><P>aaa authorization exec default group tacacs+ local</P><P>aaa accounting exec default start-stop group tacacs+</P><P>aaa accounting commands 15 default start-stop group tacacs+</P><P>!</P><P>tacacs-server host 10.10.0.10 key 7096F5C090B16291319</P><P>tacacs-server host 10.10.0.56 key 7096F5C090B16291319</P><P>tacacs-server directed-request</P> Sun, 10 Mar 2019 22:54:26 GMT https://community.cisco.com/t5/network-access-control/if-acs-server-down-no-local-authentication/m-p/963382#M401540 Jason Aarons 2019-03-10T22:54:26Z https://community.cisco.com/t5/network-access-control/if-acs-server-down-no-local-authentication/m-p/963383#M401541 <HTML><HEAD></HEAD><BODY><P>Check the following:</P><P></P><P>1) username adminprivilege 15 secret 5 <REMOVED></REMOVED></P><P></P><P>username admin privilege 15 secret 5 <REMOVED></REMOVED></P><P></P><P>2) Make sure both AAA servers are unreachable, a good way is the 'test aaa' command.</P><P></P><P>3) Check the following debugs, and if possible post here:</P><P></P><P>debug aaa authentication</P><P>debuga aa authorization</P><P></P><P>Are you logging via console or VTY?</P><P></P><P>Regards</P><P></P><P>Farrukh</P></BODY></HTML> Mon, 16 Jun 2008 04:24:49 GMT https://community.cisco.com/t5/network-access-control/if-acs-server-down-no-local-authentication/m-p/963383#M401541 Farrukh Haroon 2008-06-16T04:24:49Z https://community.cisco.com/t5/network-access-control/if-acs-server-down-no-local-authentication/m-p/963384#M401542 <HTML><HEAD></HEAD><BODY><P>Jason</P><P></P><P>I believe that I have been bitten by this issue before myself. I believe that if you look carefully when you attempt to login and the TACACS servers are not available, that the error message that you get is authorization failure where we would generally expect to see authentication failure.</P><P></P><P>I believe that the issue is in your configuration of aaa authorization. You currently have this configured:</P><P>aaa authorization exec default group tacacs+ local </P><P></P><P>I would suggest that you change it to this:</P><P>aaa authorization exec default group tacacs+ if-authenticated</P><P></P><P>Give it a try and let us know if it works better.</P><P></P><P>HTH</P><P></P><P>Rick</P></BODY></HTML> Sun, 22 Jun 2008 14:26:10 GMT https://community.cisco.com/t5/network-access-control/if-acs-server-down-no-local-authentication/m-p/963384#M401542 Richard Burts 2008-06-22T14:26:10Z