aaa authentication order

SMD28316
Level 1

When configuring login using aaa on the switch:

aaa authentication login default local group TACACS_SERVER_1 TACACS_SERVER_2

If the user enters the credentials of a user defined locally on the switch, TACACS_SERVER_1 and TACACS_SERVER_2 won't be queried. But if the user is not defined locally, will the switch try TACACS_SERVER_1 and then TACACS_SERVER_2, or will it reply with an authentication error?

I know that local can be used as a fallback authentication method; I am wondering about the authentication flow in the above command.

I know that the switch will proceed to try the next TACACS server group if the previous one failed with an error (servers are down or unreachable). What about local users on the switch? When will local be skipped over in favour of the TACACS groups?

1 Reply

balaji.bandi
Hall of Fame

If the user is not available in Local, only then does it go to the next level. You can add a TACACS server group rather than servers so that it is tried in order. If that fails or times out, it will not go back to Local, since no user was found in the first check.

The reference below will help you:

https://www.cisco.com/c/en/us/support/docs/security-vpn/terminal-access-controller-access-control-system-tacacs-/200606-aaa-authentication-login-default-local.html

The best practice advised here is TACACS with fallback to LOCAL.

BB
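As an added illustration (not part of either post above), here is the ordering from the question placed beside the TACACS-first, local-fallback ordering the reply recommends, using the two group names from the question. The server names TAC1/TAC2, the addresses and the key are placeholders; each group is referenced with its own `group` keyword, and a local account is kept so the device stays reachable if every TACACS+ server is unreachable.

```cisco
! Added example: method-list ordering for login authentication on Cisco IOS.
! Addresses and key below are placeholders, not values from the thread.
aaa new-model
!
! A local account that serves as the fallback when TACACS+ returns an error
! (server down or unreachable); keep it strong and rarely used.
username admin privilege 15 secret PLACEHOLDER_STRONG_SECRET
!
! TACACS+ server definitions (placeholder addresses / key)
tacacs server TAC1
 address ipv4 192.0.2.10
 key PLACEHOLDER_SHARED_KEY
tacacs server TAC2
 address ipv4 192.0.2.11
 key PLACEHOLDER_SHARED_KEY
!
! Server groups using the two names from the question, one server each
aaa group server tacacs+ TACACS_SERVER_1
 server name TAC1
aaa group server tacacs+ TACACS_SERVER_2
 server name TAC2
!
! Ordering from the question: local is consulted first, so the central
! TACACS+ policy (and its accounting trail) is bypassed for local accounts.
! aaa authentication login default local group TACACS_SERVER_1 group TACACS_SERVER_2
!
! Recommended ordering: TACACS_SERVER_1, then TACACS_SERVER_2, then local.
! A later method is only tried when the previous one returns an error
! (unreachable/timeout), not when it actively rejects the credentials.
aaa authentication login default group TACACS_SERVER_1 group TACACS_SERVER_2 local
!
! Apply the default list to the VTY lines
line vty 0 4
 login authentication default
```

Before cutting over, the reachability of each group can be checked from the device with `test aaa group TACACS_SERVER_1 <user> <password> legacy` (and the same for TACACS_SERVER_2), and a second session should be kept open until a TACACS+ login has been confirmed working.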
