44875 Views | 5 Helpful | 7 Replies

Failover to local login when TACACS is reachable but not authenticating

101100101
Level 1

Hello, I'm confident I already know the answer to this question but I want to be sure.

I am moving a large number of Cisco devices to a new TACACS server, is there anything that can be done to allow local login if the new TACACS server is reachable but not authenticating for some reason? For example if the Cisco source IP is not built correctly into the server or the key is not configured properly on the device; in these situations the server is reachable but will not provide authentication.

I already have AAA authentication set similar to the following:

Router1(config)#aaa authentication login default group tacacs+ line

This will allow me to use line authentication if the tacacs server is not reachable but not if the server is reachable and not authenticating properly.

Any ideas on how/if I can failover to local login for the example situation I provided above?

7 Replies

andamani
Cisco Employee

Hi,

If the TACACS server is reachable but not authenticating for some reason, then no fallback will kick in even if the configuration is

aaa authentication login default group tacacs+ line.

I don't think there is any way to force a fallback of the authentication server when the primary AAA server is reachable.

Hope this helps.

Regards,

Anisha

P.S.: please mark this thread as answered if you feel your query is resolved.

Is this a true solution to allow local authentication when ACS is reachable? We have a need for local authentication so that an application can log in using a local username and password and change the password for the local username for security compliance.

Hi Steve,

You can try the following command:

aaa authentication login default local group tacacs+

This means it will try to authenticate using local credentials first, then TACACS+, so you will be able to access IOS regardless of the TACACS server being reachable or not.

However, the above behavior can only be triggered when using the LOCAL IOS database and then TACACS+. If you input "line" before "group tacacs+", the IOS will only ask for the LINE password when authenticating. It will only ask for TACACS+ credentials if the "line vty 0 15" has no password configured.

Looks like NX-OS will not allow me to do this.

 

Nexus001(config)# aaa authentication login default local group TACACS
                                                                  ^
% Invalid command at '^' marker.
Nexus001(config)# aaa authentication login default local ?
  <CR> 

Nexus001(config)# aaa authentication login ?
  ascii-authentication  Enable ascii authentication
  chap                  CHAP authentication for login
  console               Configure console methods
  default               Configure default methods
  error-enable          Enable display of error message on login failures
  mschap                MSCHAP authentication for login
  mschapv2              MSCHAP V2 authentication for login

Nexus001(config)# aaa authentication login default ?
  fallback  Configure fallback behavior
  group     Specify server groups
  local     Use local username authentication
  none      No authentication

Nexus001(config)# aaa authentication login default local ?
  <CR> 

Hi Steve,

That seems to not be possible with Nexus; I thought you were using IOS.

You can follow the below document and see if that helps:

http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/4_1/nx-os/security/configuration/guide/sec_nx-os-cfg/sec_aaa.html#wp1259788

Cheers!!

Minakshi (Rate the helpful posts)

adsyparker
Level 1

I know this topic is old, but your workaround would be to make the TACACS server unreachable to that device.

You could do this through policy routing. Route the TACACS server's host address to Null0 based on a source IP of the tacacs source-interface.

Hello,

If you configure the following command:

aaa authentication login default local group tacacs+

If you input the "local" argument on the command before "group tacacs+", you should be able to access the IOS device with both a local username/password and a TACACS+ username/password even when the TACACS+ server is up and running.

The above behavior can only be triggered when using LOCAL IOS database and then TACACS+. If you input "line" before "group tacacs+" the IOS will only ask for the LINE password when authenticating. It will only ask for TACACS+ credentials if the "line vty 0 15" has no password configured.

Hope this helps.

Regards.
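For readers comparing the two IOS method-list orderings discussed in this thread, here is a complete IOS configuration added as an example (it is not from any of the posters); the server name, addresses, interface and the bracketed placeholders are assumptions.

```text
! Added example (not from the thread): IOS AAA with local-first fallback.
aaa new-model
!
! Local account that remains usable when TACACS+ rejects or is unreachable.
! Replace the placeholder before use.
username admin privilege 15 secret <STRONG-PASSWORD>
!
! TACACS+ server definition. A wrong shared key, or a source address the
! server does not have a client entry for, gives the "reachable but not
! authenticating" case from the original question.
tacacs server NEW-TACACS
 address ipv4 192.0.2.10
 key <SHARED-KEY>
!
ip tacacs source-interface Loopback0
!
! Ordering from the question (shown commented out): the line password is
! tried only when TACACS+ returns ERROR (no response). A REJECT from a
! reachable server ends the method list, so there is no fallback.
! aaa authentication login default group tacacs+ line
!
! Ordering from the replies: the local database is consulted first. A
! username that is absent locally falls through to TACACS+; a wrong
! password for an existing local username is a FAIL and does not.
aaa authentication login default local group tacacs+
!
line vty 0 15
 login authentication default
 transport input ssh
```

After the change, verify with "test aaa group tacacs+ <user> <password> legacy" on the device and check the TACACS+ server's failed-authentication log for the client address the device actually sources from.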