Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3528
Views
0
Helpful
4
Replies

Fallback to local userid

Pieter Johannes Venter
Beginner
Beginner

‎04-06-2017 04:21 AM - edited ‎03-11-2019 12:36 AM

Hi.I am battling to get my local username and password to login to my routers and switches when tacacs server has been configured already.It doesn't allow you to connect.I need to have this option as to be able to login to the devices when the acs's is down.

Anyone who can assist?

Regards

Pieter

Labels:
0 Helpful
4 Replies 4

Gagandeep Singh
Cisco Employee
Cisco Employee

‎04-06-2017 05:47 PM

Hi Pieter,

You have already configured switches and routers for TACACS authentication. 

Did you specify local as fallback when you put authentication command:

"aaa authentication login default group tacacs local".

Can you share your sh running config

Regards

Gagan

rate helpful posts!!!

0 Helpful

Pieter Johannes Venter
Beginner
Beginner
In response to Gagandeep Singh

‎04-06-2017 11:32 PM

Hi Gagan,

Yes I did specify this command,but local userid does not work.

my aaa config:

aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication login local group tacacs+
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ none
aaa authorization exec Access group tacacs+ if-authenticated
aaa authorization commands 15 Access group tacacs+ if-authenticated
aaa accounting exec Access start-stop group tacacs+
aaa accounting commands 15 Access start-stop group tacacs+

and on line status:

line con 0
 privilege level 15
 authorization commands 15 Access
 authorization exec Access
 accounting commands 15 Access
 accounting exec Access
 logging synchronous
 login authentication if_needed
line aux 0
 logging synchronous
 no exec
 transport preferred none
 transport input all
line vty 0 4
 exec-timeout 5 0
 privilege level 15
 authorization commands 15 Access
 authorization exec Access
 accounting commands 15 Access
 accounting exec Access
 logging synchronous
 exec prompt timestamp
 transport input telnet ssh
line vty 5 15

0 Helpful

Pieter Johannes Venter
Beginner
Beginner
In response to Pieter Johannes Venter

‎04-07-2017 06:07 AM

as for now,if I remove the ip tacacs source interface and tacacs-server host and key line,then I can log in to the router or switch only.

seems that if the tacacs server is accessable and online you will not be able to use local id and password

0 Helpful

Marvin Rhoads
Hall of Fame Community Legend Hall of Fame Community Legend
Hall of Fame Community Legend
In response to Pieter Johannes Venter

‎04-09-2017 06:09 AM

That's correct.

Fallback to the secondary method list only kicks in when the configured primary method list is not reachable.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers
Spotlight Award Nomination
Customers Also Viewed These Support Documents