cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

34518
Views
5
Helpful
7
Replies
Highlighted
Beginner

Failover to local login when TACACS is reachable but not authenticating

Hello, I'm confident I already know the answer to this question but I want to be sure.

I am moving a large number of Cisco devices to a new TACACS server, is there anything that can be done to allow local login if the new TACACS server is reachable but not authenticating for some reason? For example if the Cisco source IP is not built correctly into the server or the key is not configured properly on the device; in these situations the server is reachable but will not provide authentication.

I already have AAA authentication set similar to the following:

Router1(config)#aaa authentication login default group tacacs+ line

This will allow me to use line authentication if the tacacs server is not reachable but not if the server is reachable and not authenticating properly.

Any ideas on how/if I can failover to local login for the example situation I provided above?

7 REPLIES 7
Highlighted
Cisco Employee

Re: Failover to local login when TACACS is reachable but not aut

hi,

if the tacacs server is reachable and not authentication for some reason, then no fallback will be kicked even if the configuration is

aaa authentication login default group tacacs+ line.

i don't think there is anyway to force a fallback of authentication server when the primary aaa server is reachable.

Hope this helps.

Regards,

Anisha

P.S.: please mark this thread as answered if you feel your query is resolved.

Highlighted
Enthusiast

Is this a true solution to

Is this a true solution to allow local authentication when ACS is reachable? We have a need for local authentication so that an application can login using local username and password and change the password for the local username for security compliance.

Highlighted
Beginner

Hi Steve,   You can try the

Hi Steve,

 

  You can try the following command:

aaa authentication login default local group tacacs+

 

This means it will try to authenticate using local credentials first then Tacacs. so you will be able to access IOS regardless of Tacacs server being reachble or not.

 

However, The above behavior can only be triggered when using LOCAL IOS database and then TACACS+. If you input "line" before "group tacacs+" the IOS will only ask for the LINE password when authenticating. It will only ask for TACACS+ credentials if the "line vty 0 15" has no password configured

Highlighted
Enthusiast

Looks like NX-OS will not

Looks like NX-OS will not allow me to do this.

 

Nexus001(config)# aaa authentication login default local group TACACS
                                                                  ^
% Invalid command at '^' marker.
Nexus001(config)# aaa authentication login default local ?
  <CR> 

Nexus001(config)# aaa authentication login ?
  ascii-authentication  Enable ascii authentication
  chap                  CHAP authentication for login
  console               Configure console methods
  default               Configure default methods
  error-enable          Enable display of error message on login failures
  mschap                MSCHAP authentication for login
  mschapv2              MSCHAP V2 authentication for login

Nexus001(config)# aaa authentication login default ?
  fallback  Configure fallback behavior
  group     Specify server groups
  local     Use local username authentication
  none      No authentication

Nexus001(config)# aaa authentication login default local ?
  <CR> 

 

Highlighted
Beginner

Hi Steve,   Thats seems to be

Hi Steve,

 

  Thats seems to be not possible with Nexus,I thought you were using IOS.

 

You can follow the below document and see if that helps:

http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/4_1/nx-os/security/configuration/guide/sec_nx-os-cfg/sec_aaa.html#wp1259788

Cheers!!

Minakshi(Rate the helpful posts)

Highlighted
Beginner

Failover to local login when TACACS is reachable but not authent

I know this topic is old, but your workaround would be to make the TACACS server unreachable to that device.

You could do this through policy routing.  Route the TACACS servers host address to Null0 based on a source IP of the tacacs source-interface.

Highlighted
Participant

Failover to local login when TACACS is reachable but not authent

Hello,

If you configure the following command:

aaa authentication login default local group tacacs+

If you input "local" argument on the command before the "group tacacs+" you should be able to access the IOS device with both Local Username/Password and TACACS+ Username/Password even when the TACACS+ server is up and running.

The above behavior can only be triggered when using LOCAL IOS database and then TACACS+. If you input "line" before "group tacacs+" the IOS will only ask for the LINE password when authenticating. It will only ask for TACACS+ credentials if the "line vty 0 15" has no password configured.

Hope this helps.

Regards.