cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
43581
Views
5
Helpful
7
Replies

Failover to local login when TACACS is reachable but not authenticating

101100101
Level 1
Level 1

Hello, I'm confident I already know the answer to this question but I want to be sure.

I am moving a large number of Cisco devices to a new TACACS server, is there anything that can be done to allow local login if the new TACACS server is reachable but not authenticating for some reason? For example if the Cisco source IP is not built correctly into the server or the key is not configured properly on the device; in these situations the server is reachable but will not provide authentication.

I already have AAA authentication set similar to the following:

Router1(config)#aaa authentication login default group tacacs+ line

This will allow me to use line authentication if the tacacs server is not reachable but not if the server is reachable and not authenticating properly.

Any ideas on how/if I can failover to local login for the example situation I provided above?

7 Replies 7

andamani
Cisco Employee
Cisco Employee

hi,

if the tacacs server is reachable and not authentication for some reason, then no fallback will be kicked even if the configuration is

aaa authentication login default group tacacs+ line.

i don't think there is anyway to force a fallback of authentication server when the primary aaa server is reachable.

Hope this helps.

Regards,

Anisha

P.S.: please mark this thread as answered if you feel your query is resolved.

Is this a true solution to allow local authentication when ACS is reachable? We have a need for local authentication so that an application can login using local username and password and change the password for the local username for security compliance.

Hi Steve,

 

  You can try the following command:

aaa authentication login default local group tacacs+

 

This means it will try to authenticate using local credentials first then Tacacs. so you will be able to access IOS regardless of Tacacs server being reachble or not.

 

However, The above behavior can only be triggered when using LOCAL IOS database and then TACACS+. If you input "line" before "group tacacs+" the IOS will only ask for the LINE password when authenticating. It will only ask for TACACS+ credentials if the "line vty 0 15" has no password configured

Looks like NX-OS will not allow me to do this.

 

Nexus001(config)# aaa authentication login default local group TACACS
                                                                  ^
% Invalid command at '^' marker.
Nexus001(config)# aaa authentication login default local ?
  <CR> 

Nexus001(config)# aaa authentication login ?
  ascii-authentication  Enable ascii authentication
  chap                  CHAP authentication for login
  console               Configure console methods
  default               Configure default methods
  error-enable          Enable display of error message on login failures
  mschap                MSCHAP authentication for login
  mschapv2              MSCHAP V2 authentication for login

Nexus001(config)# aaa authentication login default ?
  fallback  Configure fallback behavior
  group     Specify server groups
  local     Use local username authentication
  none      No authentication

Nexus001(config)# aaa authentication login default local ?
  <CR> 

 

Hi Steve,

 

  Thats seems to be not possible with Nexus,I thought you were using IOS.

 

You can follow the below document and see if that helps:

http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/4_1/nx-os/security/configuration/guide/sec_nx-os-cfg/sec_aaa.html#wp1259788

Cheers!!

Minakshi(Rate the helpful posts)

adsyparker
Level 1
Level 1

I know this topic is old, but your workaround would be to make the TACACS server unreachable to that device.

You could do this through policy routing.  Route the TACACS servers host address to Null0 based on a source IP of the tacacs source-interface.

Hello,

If you configure the following command:

aaa authentication login default local group tacacs+

If you input "local" argument on the command before the "group tacacs+" you should be able to access the IOS device with both Local Username/Password and TACACS+ Username/Password even when the TACACS+ server is up and running.

The above behavior can only be triggered when using LOCAL IOS database and then TACACS+. If you input "line" before "group tacacs+" the IOS will only ask for the LINE password when authenticating. It will only ask for TACACS+ credentials if the "line vty 0 15" has no password configured.

Hope this helps.

Regards.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: