AAA Configuration Misbehaving

We have the following configuration on our switches:

! Local fallback account (type 7 passwords are reversibly encoded, not hashed)
username xxxxxxxx privilege 15 password 7 xxxxxxxxxxxxxxxxx

! Login: try TACACS+, then the local user database, then the enable password
aaa authentication login default group tacacs+ local enable
! Named list using the enable password only; not applied to any line below
aaa authentication login no_tacacs enable
aaa authentication enable default group tacacs+ enable
! EXEC and command authorization via TACACS+, then local; if-authenticated
! lets an already-authenticated user through when no method can answer
aaa authorization config-commands
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ local if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
! Session and command accounting to TACACS+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

tacacs-server host 10.1.5.119 key 7 xxxxxx
tacacs-server host 10.6.64.91 key 7 xxxxxx
tacacs-server directed-request

! No "login authentication" statement on the vty lines, so the default list applies;
! "exec-timeout 0 0" disables the idle timeout
line vty 0 4
exec-timeout 0 0
privilege level 15
password 7 xxxxxxxx
logging synchronous level all
transport input ssh
line vty 5 15
exec-timeout 0 0
privilege level 15
password 7 xxxxxxxx
logging synchronous level all
transport input ssh

When our TACACS+ servers go down we cannot log in with the local account via SSH.

Accepted Solution

agapitca19 (Level 1)

Donovan,

Try applying the command "login authentication default" in your vty lines, since the method list is using default in your command "aaa authentication login default group tacacs+ local enable".

Also, it is a good thing to put a timeout on the vty lines so that idle remote sessions are automatically logged out. It happened in the past that a switch suddenly refused to accept a telnet or SSH connection because all the vty lines (0-15) had users logged in.

HTH.

***If you find the comment helpful, please rate and mark it correct. Thanks***
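To check which login method list each vty line actually ends up with, and to catch the two points the reply raises (an explicit "login authentication" statement and an idle timeout), here is an added example that is not from the thread and not Cisco code: a small Python audit over the AAA and line sections of an IOS-style configuration. ORIGINAL_CONFIG and FIXED_CONFIG are constructed from the question's configuration with passwords omitted; the function and class names are mine.

```python
"""Resolve the effective AAA login method list for each vty line of an
IOS-style config and flag lines that would have no local fallback when
the TACACS+ servers are unreachable, or that never time out."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the AAA login lists and vty stanzas from the question,
# passwords omitted.
ORIGINAL_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local enable
aaa authentication login no_tacacs enable
aaa authentication enable default group tacacs+ enable
line vty 0 4
 exec-timeout 0 0
 privilege level 15
 transport input ssh
line vty 5 15
 exec-timeout 0 0
 privilege level 15
 transport input ssh
"""

# Constructed sample: the same vty lines with the reply's two suggestions
# applied, an explicit "login authentication default" and a 10-minute timeout.
FIXED_CONFIG = ORIGINAL_CONFIG.replace(
    " exec-timeout 0 0\n", " exec-timeout 10 0\n login authentication default\n")


@dataclass
class VtyLine:
    name: str                               # e.g. "vty 0 4"
    login_list: Optional[str] = None        # explicit "login authentication <name>"
    exec_timeout: Tuple[int, int] = (10, 0) # IOS default when not configured


def parse_login_lists(config: str) -> Dict[str, List[str]]:
    """Map list name -> ordered methods from 'aaa authentication login' lines.
    'group <server-group>' is kept as a single method token."""
    lists: Dict[str, List[str]] = {}
    for m in re.finditer(r"^aaa authentication login (\S+) (.+)$", config, re.M):
        tokens = m.group(2).split()
        methods: List[str] = []
        i = 0
        while i < len(tokens):
            if tokens[i] == "group" and i + 1 < len(tokens):
                methods.append("group " + tokens[i + 1])
                i += 2
            else:
                methods.append(tokens[i])
                i += 1
        lists[m.group(1)] = methods
    return lists


def parse_vty_lines(config: str) -> List[VtyLine]:
    """Collect each 'line vty ...' stanza with its indented sub-commands."""
    vty: List[VtyLine] = []
    current: Optional[VtyLine] = None
    for raw in config.splitlines():
        if not raw.startswith(" "):          # a top-level command ends any stanza
            current = VtyLine(raw[5:].strip()) if raw.startswith("line vty ") else None
            if current:
                vty.append(current)
            continue
        if current is None:
            continue
        cmd = raw.strip()
        if cmd.startswith("login authentication "):
            current.login_list = cmd.split()[2]
        elif cmd.startswith("exec-timeout "):
            parts = cmd.split()
            current.exec_timeout = (int(parts[1]), int(parts[2]) if len(parts) > 2 else 0)
    return vty


def effective_login_methods(line: VtyLine, lists: Dict[str, List[str]]) -> Optional[List[str]]:
    """IOS applies the 'default' list to a line with no explicit statement."""
    return lists.get(line.login_list or "default")


def audit(config: str) -> List[Tuple[str, str]]:
    """Return (line, finding) pairs. A list without 'local' leaves no way in
    with the local account once TACACS+ cannot be reached; note that IOS only
    moves to the next method on an error (server unreachable), never on a
    reject from a reachable server."""
    lists = parse_login_lists(config)
    findings: List[Tuple[str, str]] = []
    for line in parse_vty_lines(config):
        name = line.login_list or "default"
        methods = effective_login_methods(line, lists)
        if methods is None:
            findings.append((line.name, f"login list '{name}' is not defined"))
        elif not any(m in ("local", "local-case") for m in methods):
            findings.append((line.name, f"login list '{name}' ({' '.join(methods)}) has no local fallback"))
        if line.exec_timeout == (0, 0):
            findings.append((line.name, "exec-timeout 0 0 disables the idle timeout"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit(cfg) or "no findings")
```

Run against the posted configuration the only findings are the two "exec-timeout 0 0" lines, because both vty ranges already inherit the default list, which contains "local"; against a line that points at "no_tacacs" (enable only) the audit reports the missing local fallback. The caveat in the audit docstring matters in practice: fallback to "local" happens only when no TACACS+ server answers, so a server that is reachable but rejecting the login will not hand over to the local account.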
