topic Yep, also, if you want to in Network Access Control

TACACS+ and local login

David Lee — Wed, 13 Mar 2019 00:44:11 GMT

The basic Summary is that I want to have TACACS+ and local login to the router over the vty lines. So I made the two groups below. Goody obviously is what is going to use TACACS and Console uses the local logins. I split them between 0-4 and 5-15. It seems that whichever one is higher get the first priority for authentication. If I move Console to 0-4, then local users work and TACACS do not. If I have Goody at 0 4, then TACACS works, but local does not. I know I'm probably missing something simple. Having two TACACS servers, I doubt both will ever be down, but in the event I would like Local usernames to work. If I apply an access list to 0 4 and use SSH, and a different access list to 5 15 and use telnet it seems to work that way but doesn't help me if the internet goes down and I am onsite trying to access the router via SSH.

Thanks in advance.

David

aaa authentication login Goody group tacacs+ local
aaa authentication login Console local

line con 0
login authentication Console
line aux 0
line vty 0 4
session-timeout 7
exec-timeout 5 0
login authentication Goody
transport input ssh
line vty 5 15
session-timeout 7
exec-timeout 5 0
login authentication Console
transport input ssh

Hi David-Correct me if I not

nspasov — Fri, 07 Nov 2014 07:34:25 GMT

Hi David-

Correct me if I not understanding this correctly but you want to use TACACS servers for ssh/console type authentication and if they fail, you want the network device to use its local database.

If that is correct then you should not need to split the lines and assign them different authentication lists. The first commend that you have:

aaa authentication login Goody group tacacs+ local

Lists both the tacacs+ and the local database as possible authentication methods. They will be processed in the order they are configured, so the device will:

1. Utilize your TACACS+ servers

2. If the TACACS+ servers become unreachable then the local data base will be used

You can test this by assigning "Goody" to all of your vty lines and then make your TACACS+ servers unavailable. To make that possible you can:

- Reboot the server

- Shutdown the server interface

- Disconnect the network device from its uplink

- Create an access-list on the uplink interface and block connection to the IP addresses of the TACACS+ servers

I hope all of this helps!

Thank you for rating helpful posts!

Neno, That answers one of my

David Lee — Fri, 07 Nov 2014 18:15:40 GMT

Neno,

That answers one of my questions, but now I have another. My ISP wants to have SSH into the router so that they can maintain their IP SLA agreement. They have a local user account on each of my routers that they use for SSH access. Is there a way to have the router look at both TACACS and if its not there then the local user database?

edit- ok. I just found out that if I change the order to

aaa authentication login Goody local group tacacs+

that it will look in the local database first. If the user is not there, it will query the tacacs+ servers.

Yep, also, if you want to

nspasov — Fri, 07 Nov 2014 18:46:22 GMT

Yep, also, if you want to keep track of changes/aaa accounting, you could create a local username/password on your TACACS+ server that your ISP can use