topic If you have an Cisco ACS 5.x, in Network Access Control

Local login when tacacs is up

billmatthews — Mon, 11 Mar 2019 04:45:22 GMT

I have my switch configured for tacas then local:

aaa authentication login default group MYGROUP local

And that works fine -- I can log in via tacas, and when the servers are down, I can log in via a local account.

However, is it possible to use local if you fail tacacs authentication? For example the servers are up, but rejecting all authentication? I'd like it to check local credentials if it gets an access denied from tacacs.

Thanks

However, is it possible to

edwardcollins7 — Wed, 28 May 2014 15:03:15 GMT

However, is it possible to use local if you fail tacacs authentication?

is not possible, as the server will send an Reject message with failed auth and the device will not fallback to next method in case of reject.

Now, there is still slight catch with Cisco Tacacs+ server, if you have one, I can show you that.

Rate if Useful 🙂

Sharing knowledge makes you Immortal.

Regards,

Not possible unless the

nspasov — Wed, 28 May 2014 18:41:29 GMT

Not possible unless the servers are down/unreachable.

Ed, I am interested to know about the "catch" that you are talking about 🙂 I have a TACACS+ server so pls share!

If you have an Cisco ACS 5.x,

edwardcollins7 — Thu, 29 May 2014 07:01:24 GMT

If you have an Cisco ACS 5.x, if you find a way to push your requests to a particular access service, you can go to the service-->identity and there open up the advanced options.

In there, there is an option to drop the request when the authentication will fail, if you do this.

In case of the authentication failure, instead of a reject, ACS will drop he packet, therefore replicating a "server not responding" scenario.

Eventually, you will fallback to local at the switch side and this will get you what you want.

Rate if Useful 🙂

Sharing knowledge makes you Immortal.

Regards,

mohanak — Thu, 29 May 2014 10:07:01 GMT

Suppose the system administrator has decided on a security solution where all interfaces will use the same authentication methods to authenticate PPP connections. In the RADIUS group, R1 is contacted first for authentication information, then if there is no response, R2 is contacted. If R2 does not respond, T1 in the TACACS+ group is contacted; if T1 does not respond, T2 is contacted. If all designated servers fail to respond, authentication falls to the local username database on the access server itself. To implement this solution, the system administrator would create a default method list by entering the following command:

aaa authentication ppp default group radius group tacacs+ local

In this example, "default" is the name of the method list. The protocols included in this method list are listed after the name, in the order they are to be queried. The default list is automatically applied to all interfaces.

When a remote user attempts to dial in to the network, the network access server first queries R1 for authentication information. If R1 authenticates the user, it issues a PASS response to the network access server and the user is allowed to access the network. If R1 returns a FAIL response, the user is denied access and the session is terminated. If R1 does not respond, then the network access server processes that as an ERROR and queries R2 for authentication information. This pattern would continue through the remaining designated methods until the user is either authenticated or rejected, or until the session is terminated.

It is important to remember that a FAIL response is significantly different from an ERROR. A FAIL means that the user has not met the criteria contained in the applicable authentication database to be successfully authenticated. Authentication ends with a FAIL response. An ERROR means that the security server has not responded to an authentication query. Because of this, no authentication has been attempted. Only when an ERROR is detected will AAA select the next authentication method defined in the authentication method list.

Suppose the system administrator wants to apply a method list only to a particular interface or set of interfaces. In this case, the system administrator creates a named method list and then applies this named list to the applicable interfaces. The following example shows how the system administrator can implement an authentication method that will be applied only to interface 3:

aaa authentication ppp default group radius group tacacs+ local

aaa authentication ppp apple group radius group tacacs+ local none

 interface async 3

 ppp authentication chap apple

In this example, "apple" is the name of the method list, and the protocols included in this method list are listed after the name in the order in which they are to be performed. After the method list has been created, it is applied to the appropriate interface. Note that the method list name (apple) in both the AAA and PPP authentication commands must match. http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfathen.html

Great advice, thanks all

billmatthews — Thu, 29 May 2014 14:22:38 GMT

Great advice, thanks all

Pretty cool. Thank you for

nspasov — Thu, 29 May 2014 17:38:41 GMT

Pretty cool. Thank you for sharing! (+5 from me)

Awesome :)

edwardcollins7 — Fri, 30 May 2014 06:57:57 GMT

Awesome 🙂