02-22-2007 08:22 PM - edited 03-10-2019 03:00 PM
Hi,
I have a router that uses ACS for its authentication login via telnet (VTY). I put local as the second method. But whenever the ACS is offline, I can log in to the router using any word I type at the username prompt. This is my configuration:
aaa new-model
!
aaa authentication login CMD-LOGIN group tacacs+ local none
!
username cisco321 secret 5 $1$lfUc$Xnf9.emDl.QFRWt/NSEjU0
!
line vty 0 15
login authentication CMD-LOGIN
!
end
Am I missing something in the configuration? Why doesn't the router use the local username and password as the second method?
Thanks
02-23-2007 02:40 AM
Hi,
Remove the keyword 'none'.
Try this
no aaa authentication login CMD-LOGIN group tacacs+ local none
aaa authentication login CMD-LOGIN group tacacs+ local
What will happen now is that the router will first try to auth. via TACACS; if it's offline, it will check the local database.
Hope this will resolve your issue.
Regards
02-23-2007 09:14 AM
Suwandy
I believe that the authentication is doing exactly what you have asked it to do. But there is an aspect of local authentication in aaa that is not well understood (I did not understand it for a long time and believe that others do not either). With aaa, when we configure local authentication it will prompt for a user name and, if one is entered, it will check against the locally configured names and passwords. But if the name entered is not found in the config, then aaa treats it as a failure of the method, and if another method is configured it will use it. Which is what is happening as you describe it. I believe that most of us believe that if the name is not found it would count as a failed attempt and we should be denied access. But it does not count as a failed attempt but as a failed method. You can test this out if you wish: turn on debug aaa authentication. Then try to log in to the router as cisco321 (the configured name) but with a different password. I believe that you will see your attempt refused. Then attempt to log in to the router using some different name. I believe that you will see aaa attempt local authentication and then go on to line authentication.
HTH
Rick
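The fall-through behaviour Rick describes (a method that cannot decide is skipped, a method that rejects the credentials stops the list) can be modelled in a few lines. The following is an added illustration written for this thread, not IOS code or anything from Cisco: it walks the two method lists from the posts above with the ACS unreachable, using a constructed local user database and plaintext passwords in place of the real "secret 5" hash.

```python
"""Model of Cisco IOS login method-list evaluation (illustration only, not IOS code).

Each method answers PASS, FAIL or ERROR. The list is walked left to right:
PASS or FAIL ends the login attempt, ERROR hands over to the next method.
The point of the thread is that 'local' answers ERROR, not FAIL, for a
username it has never heard of, so a trailing 'none' is reached and grants access.
"""
from enum import Enum


class Result(Enum):
    PASS = "pass"    # authenticated, stop walking the list
    FAIL = "fail"    # credentials rejected, stop walking the list
    ERROR = "error"  # method could not decide, try the next method


# Constructed user database standing in for "username cisco321 secret 5 ..."
# (passwords kept in plaintext here purely to keep the model short).
LOCAL_USERS = {"cisco321": "correct-password"}


def method_tacacs(username, password, tacacs_online):
    """'group tacacs+': unreachable server means ERROR, not a rejection."""
    if not tacacs_online:
        return Result.ERROR
    # Assumption for the model: the ACS holds the same credentials as the router.
    return Result.PASS if LOCAL_USERS.get(username) == password else Result.FAIL


def method_local(username, password, tacacs_online):
    """'local': unknown username is a failed *method* (ERROR); wrong password is FAIL."""
    if username not in LOCAL_USERS:
        return Result.ERROR
    return Result.PASS if LOCAL_USERS[username] == password else Result.FAIL


def method_none(username, password, tacacs_online):
    """'none': no authentication at all, always PASS."""
    return Result.PASS


METHODS = {"group tacacs+": method_tacacs, "local": method_local, "none": method_none}


def authenticate(method_list, username, password, tacacs_online):
    """Return (granted, trace). If every method answers ERROR the login is denied."""
    trace = []
    for name in method_list:
        result = METHODS[name](username, password, tacacs_online)
        trace.append((name, result.name))
        if result is not Result.ERROR:
            return result is Result.PASS, trace
    return False, trace


WEAK = ["group tacacs+", "local", "none"]   # the original poster's list
FIXED = ["group tacacs+", "local"]          # the list suggested in the reply

if __name__ == "__main__":
    attempts = (("cisco321", "correct-password"),
                ("cisco321", "wrong-password"),
                ("anyword", "anything"))
    for method_list in (WEAK, FIXED):
        print("method list:", " ".join(method_list), "(ACS offline)")
        for user, pw in attempts:
            granted, trace = authenticate(method_list, user, pw, tacacs_online=False)
            print(f"  {user!r:12} -> {'GRANTED' if granted else 'denied':8} {trace}")
```

With the ACS offline, the weak list grants "anyword" because tacacs+ and local both answer ERROR and the list ends in none, while cisco321 with a bad password is refused because local answers FAIL and the walk stops there; the fixed list denies "anyword" because the list runs out of methods.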