https://community.cisco.com/t5/network-access-control/aaa-order-of-authentication/m-p/518521#M426788 <HTML><HEAD></HEAD><BODY><P>Unfortunately, it doesn't quite work that way. When a method list is used (in your case, the default method list), then it will user the first method in that list. For your config, the attempt will authenticate against the TACACS+ server. If the TACACS+ server is responsive and actually responds with a reject message, the authentication will not fall back to local and fail the user. This is intended behavior. Only when the TACACS+ server is unresponsive or not sending back valid responses will authentication ever fall back to local. </P><P></P><P></P><P>If the local database was being used due to fallback and you wanted to automatically be placed in enable mode, you need to add "local" to your authorization exec so that shell exec privilege is passed:</P><P></P><P>aaa authorization exec default group tacacs+ local if-authenticated</P><P></P><P></P><P>Is there a specific need to have your local user gui_id to be able to authenticate at all times? For best practices, your users should all authenticate to tacacs. Only if tacacs goes down should you need to use the local database as a backdoor in this failure scenario.</P><P></P><P></P><P>Sincerely,</P><P>Annie</P></BODY></HTML> Fri, 28 Jul 2006 16:04:26 GMT annnguy 2006-07-28T16:04:26Z https://community.cisco.com/t5/network-access-control/aaa-order-of-authentication/m-p/518520#M426787 <P>What do I need to modify or add to the following so the locally defined userid gui_id can succeed when logging into this router at all times even if communication with the TACACS+ server is up. (gui_id does not exist in the TACACS+ server). Order of authentication for other defined user ids and the default group should stay the same. Also, if possible, can the user gui_id be automatically enabled when authenticated and how:</P><P></P><P></P><P>enable secret router_enable</P><P>username nst_id privilege 15 password nst_password</P><P>username gui_id privilege 15 password gui_password</P><P>username solv_id privilege 1 password solv_password</P><P>aaa new-model</P><P>aaa authentication username-prompt "Local Username: "</P><P>aaa authentication login default group tacacs+ local</P><P>aaa authorization exec default group tacacs+ if-authenticated</P><P>aaa authorization commands 1 default group tacacs+ if-authenticated</P><P>aaa authorization commands 15 default group tacacs+ if-authenticated</P><P>aaa authorization console </P><P>aaa accounting exec default start-stop tacacs+ </P><P>aaa accounting commands 0 default stop-only tacacs+ </P><P>aaa accounting commands 1 default stop-only tacacs+ </P><P>aaa accounting commands 15 default stop-only tacacs+</P><P>tacacs-server host xxx.xxx.xxx.xxx</P><P>tacacs-server key *******</P><P></P><P></P><P> </P> Sun, 10 Mar 2019 21:40:56 GMT https://community.cisco.com/t5/network-access-control/aaa-order-of-authentication/m-p/518520#M426787 hadbihas 2019-03-10T21:40:56Z https://community.cisco.com/t5/network-access-control/aaa-order-of-authentication/m-p/518521#M426788 <HTML><HEAD></HEAD><BODY><P>Unfortunately, it doesn't quite work that way. When a method list is used (in your case, the default method list), then it will user the first method in that list. For your config, the attempt will authenticate against the TACACS+ server. If the TACACS+ server is responsive and actually responds with a reject message, the authentication will not fall back to local and fail the user. This is intended behavior. Only when the TACACS+ server is unresponsive or not sending back valid responses will authentication ever fall back to local. </P><P></P><P></P><P>If the local database was being used due to fallback and you wanted to automatically be placed in enable mode, you need to add "local" to your authorization exec so that shell exec privilege is passed:</P><P></P><P>aaa authorization exec default group tacacs+ local if-authenticated</P><P></P><P></P><P>Is there a specific need to have your local user gui_id to be able to authenticate at all times? For best practices, your users should all authenticate to tacacs. Only if tacacs goes down should you need to use the local database as a backdoor in this failure scenario.</P><P></P><P></P><P>Sincerely,</P><P>Annie</P></BODY></HTML> Fri, 28 Jul 2006 16:04:26 GMT https://community.cisco.com/t5/network-access-control/aaa-order-of-authentication/m-p/518521#M426788 annnguy 2006-07-28T16:04:26Z