06-21-2011 09:13 AM - edited 03-10-2019 06:10 PM
After configuring an ACS and having it up and working on a large number and types of Cisco switches and routers, I am faced with this: the way it was configured, it should have a fallback to a local user and password if it cannot reach the ACS, but mine just keeps looking for the ACS. Can I force a local login? Or is there an issue with my config, which is posted below?
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
!
hostname test_tv
!
enable password ******
!
username admin privilege 15 password 0 line ******
aaa new-model
aaa group server radius rad_eap
!
aaa group server tacacs+ tac_admin
server 10.1.1.120
!
aaa authentication login default group tacacs+ local
aaa authentication login eap_methods group rad_eap
aaa authentication login eap_methods1 group rad_eap1
aaa authentication enable default group tac_admin
aaa authorization exec default group tac_admin group rad_admin
aaa authorization exec tac_admin group tac_admin
aaa authorization commands 0 default group tac_admin
aaa authorization commands 1 default group tac_admin
aaa authorization commands 2 default group tac_admin
aaa authorization commands 3 default group tac_admin
aaa authorization commands 4 default group tac_admin
aaa authorization commands 5 default group tac_admin
aaa authorization commands 6 default group tac_admin
aaa authorization commands 7 default group tac_admin
aaa authorization commands 8 default group tac_admin
aaa authorization commands 9 default group tac_admin
aaa authorization commands 10 default group tac_admin
aaa authorization commands 11 default group tac_admin
aaa authorization commands 12 default group tac_admin
aaa authorization commands 13 default group tac_admin
aaa authorization commands 14 default group tac_admin
aaa authorization commands 15 default group tac_admin
aaa authorization commands 15 tac_admin group tacacs+ none
aaa authorization network tac_admin group tacacs+
aaa accounting exec default start-stop group tac_admin
aaa accounting commands 15 default start-stop group tac_admin
aaa accounting network default start-stop group tac_admin
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
ip subnet-zero
no ip domain-lookup
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
snmp-server engineID local 000000090200000021000000
snmp-server community
snmp-server community
snmp-server host 10.1.1.110 inform version 2c
snmp-server host 10.1.1.110 version 2c
tacacs-server host 10.1.1.120
tacacs-server directed-request
tacacs-server key **********
radius-server source-ports *************
!
control-plane
!
banner motd ^
!
line con 0
password ******
stopbits 1
line vty 0 4
password ******
authorization commands 0 tac_admin
authorization commands 1 tac_admin
authorization commands 2 tac_admin
authorization commands 3 tac_admin
authorization commands 4 tac_admin
authorization commands 5 tac_admin
authorization commands 6 tac_admin
authorization commands 7 tac_admin
authorization commands 8 tac_admin
authorization commands 9 tac_admin
authorization commands 10 tac_admin
authorization commands 11 tac_admin
authorization commands 12 tac_admin
authorization commands 13 tac_admin
authorization commands 14 tac_admin
authorization commands 15 tac_admin
line vty 5 15
password ******
authorization commands 0 tac_admin
authorization commands 1 tac_admin
authorization commands 2 tac_admin
authorization commands 3 tac_admin
authorization commands 4 tac_admin
authorization commands 5 tac_admin
authorization commands 6 tac_admin
authorization commands 7 tac_admin
authorization commands 8 tac_admin
authorization commands 9 tac_admin
authorization commands 10 tac_admin
authorization commands 11 tac_admin
authorization commands 12 tac_admin
authorization commands 13 tac_admin
authorization commands 14 tac_admin
authorization commands 15 tac_admin
!
end
06-21-2011 10:43 AM
Hello Kurt
The command on the device shows that the primary method is TACACS+ and then local.
aaa authentication login default group tacacs+ local
Is the ACS server unreachable from the device? Does it fail on authentication?
thanks
Devashree
06-22-2011 06:14 AM
The ACS sits on another network, and "what if" that link is down? When I have removed the ability to contact the ACS, I have no way to log in. I would have figured the switch would detect it could not reach the ACS and try local login, but that is not happening.
06-23-2011 01:00 AM
It should fail over if the ACS is really unreachable.
Can you turn on some debug tacacs and debug aaa ?
06-28-2011 05:54 AM
hi Kurt,
you have ....
aaa authentication login default group tacacs+ local
and then...
aaa authorization exec default group tac_admin group rad_admin
I am thinking this could be the issue: the authorization of the exec shell should have a local option at the end in case your TACACS+ server fails.
06-29-2011 10:40 AM
Please post the below debugs
debug tacacs events / packets / errors
debug aaa
06-30-2011 10:05 AM
It cannot reach the ACS (in this case), so I couldn't log in to get that information.
07-06-2011 10:19 AM
Adding the local worked; I can now get to the command prompt, BUT when I type enable it says:
"% error in Authentication" and returns me to the > prompt with nothing to enter.
07-12-2011 06:35 AM
Isn't that because of this line:
aaa authentication enable default group tac_admin
Shouldn't that also fallback to local?
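An added audit script (not part of the thread or of Cisco's tooling) that reads AAA method lists from an IOS-style config and flags the ones whose final method still depends on reaching a TACACS+ or RADIUS server, which is exactly what left the exec authorization and enable authentication lists in this thread without a fallback. It treats local, local-case, enable, line and none as server-independent terminal methods; the config text below is a constructed excerpt of the lines discussed above, not the full posted config.

```python
import re

# Constructed excerpt of the AAA lines discussed in the thread.
SAMPLE_CONFIG = """\
aaa new-model
aaa group server tacacs+ tac_admin
 server 10.1.1.120
aaa authentication login default group tacacs+ local
aaa authentication enable default group tac_admin
aaa authorization exec default group tac_admin group rad_admin
aaa authorization commands 15 default group tac_admin
aaa authorization commands 15 tac_admin group tacacs+ none
"""

# Methods that succeed or fail without contacting a remote AAA server.
LOCAL_TERMINALS = {"local", "local-case", "enable", "line", "none"}

# aaa <authentication|authorization> <type> [<level>] <list-name> <methods...>
AAA_RE = re.compile(
    r"^aaa (?P<kind>authentication|authorization) (?P<type>\S+)"
    r"(?: (?P<level>\d+))? (?P<list>\S+) (?P<methods>.+)$"
)


def parse_methods(methods: str) -> list[str]:
    """Split 'group tac_admin group rad_admin local' into one entry per method."""
    tokens = methods.split()
    out, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            out.append(f"group {tokens[i + 1]}")  # 'group' takes a server-group name
            i += 2
        else:
            out.append(tokens[i])
            i += 1
    return out


def audit_aaa_fallback(config_text: str) -> list[tuple[str, list[str]]]:
    """Return (method-list name, methods) for lists whose last method needs a server."""
    findings = []
    for line in config_text.splitlines():
        m = AAA_RE.match(line.strip())
        if not m:
            continue
        methods = parse_methods(m["methods"])
        if methods[-1].split()[0] not in LOCAL_TERMINALS:
            level = f" {m['level']}" if m["level"] else ""
            findings.append((f"aaa {m['kind']} {m['type']}{level} {m['list']}", methods))
    return findings


if __name__ == "__main__":
    for name, methods in audit_aaa_fallback(SAMPLE_CONFIG):
        print(f"no server-independent fallback: {name} -> {' '.join(methods)}")
```

Each flagged list is one that locks administrators out when the ACS link is down; appending a terminal method such as local (or enable for the enable list) gives the device a way to authenticate on its own.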