04-04-2016 02:30 PM - edited 03-10-2019 11:38 PM
To Whom it May Concern,
I've configured the following:
!
tacacs-server key abcdefg
tacacs-server host x.x.x.x timeout 5
tacacs-server host y.y.y.y timeout 5
aaa group server tacacs+ tacacs
server x.x.x.x
server y.y.y.y
use-vrf management
source-interface mgmt0
!
aaa authentication login default group tacacs
aaa authorization commands default group tacacs local
aaa accounting default group tacacs
!
username admin password 5 $5$FGFIEN$6.3JWzAkkhZvxNrbd6pB6P6UqFULglpyhgJgwq9WQbA role network-admin
!
What I'm looking at is to ensure that fallback works when TACACS+ is enabled. However, I shouldn't be able to use the "admin" account even when tacacs is working. What am I doing wrong? It seems that "admin" is allowed still with TACACS working.
Cheers,
Rash
04-05-2016 06:52 AM
Hi,
AAA works in the order of the method types.
If there is no response from one method, it passes to the next method, and vice versa.
If authentication fails at one method, it does not pass to another method and rejects the login.
You defined only one method for authentication, group tacacs, so if TACACS authentication fails you get an "authentication failed" message.
You should add to configuration
aaa authentication login default group tacacs local
or you should define a user named admin in TACACS.
Best regards.
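As an added illustration of the method-order rule described in this reply (not code from the thread or from Cisco), here is a small Python model of walking a login method list. The TacacsGroup and LocalDb classes, the sample credentials and the implicit_local fallback parameter are assumptions made for the model.

```python
# Added example: a model of how an AAA login method list is walked, as the
# reply above describes it (no response -> next method; an explicit
# accept or reject is final). Not Cisco code; the implicit local fallback
# parameter is an assumption used to model the switch behaviour.

ACCEPT, REJECT, NO_RESPONSE = "accept", "reject", "no-response"

class TacacsGroup:
    """Models a TACACS+ server group: reachable or not, plus its user database."""
    def __init__(self, reachable, users):
        self.reachable = reachable
        self.users = users  # constructed sample credentials, not real ones

    def authenticate(self, user, password):
        if not self.reachable:
            return NO_RESPONSE  # every server timed out; method gives no answer
        return ACCEPT if self.users.get(user) == password else REJECT

class LocalDb:
    """Models the switch's local username database."""
    def __init__(self, users):
        self.users = users

    def authenticate(self, user, password):
        return ACCEPT if self.users.get(user) == password else REJECT

def aaa_login(methods, user, password, implicit_local=None):
    """Walk the method list in order.

    A method that answers (accept/reject) is final; only NO_RESPONSE moves
    on to the next method. If every method is silent and an implicit local
    fallback is supplied (assumption), the local database is consulted last.
    """
    for method in methods:
        result = method.authenticate(user, password)
        if result != NO_RESPONSE:
            return result
    if implicit_local is not None:
        return implicit_local.authenticate(user, password)
    return REJECT

# Constructed sample data: TACACS+ knows 'rash', the local DB knows 'admin'.
TACACS_UP = TacacsGroup(reachable=True, users={"rash": "tacacs-pw"})
TACACS_DOWN = TacacsGroup(reachable=False, users={"rash": "tacacs-pw"})
LOCAL = LocalDb({"admin": "local-pw"})

if __name__ == "__main__":
    # 'group tacacs' only, with implicit local fallback: a live TACACS reject is final
    print(aaa_login([TACACS_UP], "admin", "local-pw", implicit_local=LOCAL))    # reject
    print(aaa_login([TACACS_DOWN], "admin", "local-pw", implicit_local=LOCAL))  # accept
    # 'group tacacs local': local is reached only when TACACS gives no answer
    print(aaa_login([TACACS_UP, LOCAL], "admin", "local-pw"))                   # reject
```

Under this rule, a reachable TACACS+ group that rejects "admin" should never fall through to the local account; if the local admin still logs in while TACACS+ is up, check whether that user is also accepted by the TACACS+ server or whether the method list in use is not the one you expect.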
04-28-2016 11:19 AM
There is default support for "local". You do not have to specifically identify it. That said, I agree with you about having the "admin" name defined in TACACS. Unfortunately, I do not have access to that server.