05-18-2016 05:25 AM - edited 03-10-2019 11:47 PM
We have the following configuration on our switches:
username xxxxxxxx privilege 15 password 7 xxxxxxxxxxxxxxxxx
aaa authentication login default group tacacs+ local enable
aaa authentication login no_tacacs enable
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ local if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host 10.1.5.119 key 7 xxxxxx
tacacs-server host 10.6.64.91 key 7 xxxxxx
tacacs-server directed-request
line vty 0 4
 exec-timeout 0 0
 privilege level 15
 password 7 xxxxxxxx
 logging synchronous level all
 transport input ssh
line vty 5 15
 exec-timeout 0 0
 privilege level 15
 password 7 xxxxxxxx
 logging synchronous level all
 transport input ssh
When our TACACS servers go down we cannot log in with the local account via SSH.
05-18-2016 07:49 AM
Donovan,
Try applying the command login authentication default in your vty lines, since the method list is named default in your command aaa authentication login default group tacacs+ local enable.
Also, it is a good thing to put a timeout on the vty lines so that idle remote sessions are automatically logged out. It has happened in the past that a switch suddenly refused to accept a telnet or SSH connection because all the vty lines (0-15) had users logged in.
HTH.
***If you find the comment helpful, please rate and mark it correct. Thanks***
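As an added example, not from this thread, a small Python audit of the vty sections of an IOS config for the two points raised in the answer: no explicit login authentication method list on the line, and an exec-timeout of 0 0 that never expires idle sessions. The SAMPLE_CONFIG is constructed after the post's vty blocks; the function names are my own.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the vty section of the post (not a real config).
SAMPLE_CONFIG = """\
aaa authentication login default group tacacs+ local enable
line vty 0 4
 exec-timeout 0 0
 privilege level 15
 password 7 xxxxxxxx
 transport input ssh
line vty 5 15
 exec-timeout 0 0
 privilege level 15
 transport input ssh
"""

def parse_line_blocks(config: str) -> Dict[str, List[str]]:
    """Group indented sub-commands under each 'line ...' section of an IOS config."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif current and raw.startswith(" "):
            blocks[current].append(raw.strip())
        else:
            current = None  # an unindented global command ends the line section
    return blocks

def audit_vty_lines(config: str) -> Dict[str, List[str]]:
    """Return findings per vty block; an empty dict means nothing to report."""
    findings: Dict[str, List[str]] = {}
    for name, cmds in parse_line_blocks(config).items():
        if not name.startswith("line vty"):
            continue
        issues: List[str] = []
        if not any(c.startswith("login authentication ") for c in cmds):
            issues.append("no explicit 'login authentication' method list")
        for c in cmds:
            m = re.match(r"exec-timeout\s+(\d+)(?:\s+(\d+))?$", c)
            if m and int(m.group(1)) == 0 and int(m.group(2) or 0) == 0:
                issues.append("exec-timeout 0 0: idle sessions never time out")
        for c in cmds:
            if c.startswith("transport input ") and ("telnet" in c or c.endswith(" all")):
                issues.append("telnet permitted on transport input")
        if issues:
            findings[name] = issues
    return findings
```

Run audit_vty_lines on the config pulled from a switch; on the post's vty blocks it flags both sections, and after adding login authentication default and a non-zero exec-timeout it returns an empty dict.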