04-06-2017 04:21 AM - edited 03-11-2019 12:36 AM
Hi. I am battling to get my local username and password to log in to my routers and switches when a TACACS server has already been configured. It doesn't allow you to connect. I need to have this option so as to be able to log in to the devices when the ACS is down.
Anyone who can assist?
Regards
Pieter
04-06-2017 05:47 PM
Hi Pieter,
You have already configured switches and routers for TACACS authentication.
Did you specify local as a fallback when you entered the authentication command:
"aaa authentication login default group tacacs+ local"?
Can you share your sh running config?
Regards
Gagan
rate helpful posts!!!
04-06-2017 11:32 PM
Hi Gagan,
Yes, I did specify this command, but the local user ID does not work.
My aaa config:
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication login local group tacacs+
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ none
aaa authorization exec Access group tacacs+ if-authenticated
aaa authorization commands 15 Access group tacacs+ if-authenticated
aaa accounting exec Access start-stop group tacacs+
aaa accounting commands 15 Access start-stop group tacacs+
And on line status:
line con 0
privilege level 15
authorization commands 15 Access
authorization exec Access
accounting commands 15 Access
accounting exec Access
logging synchronous
login authentication if_needed
line aux 0
logging synchronous
no exec
transport preferred none
transport input all
line vty 0 4
exec-timeout 5 0
privilege level 15
authorization commands 15 Access
authorization exec Access
accounting commands 15 Access
accounting exec Access
logging synchronous
exec prompt timestamp
transport input telnet ssh
line vty 5 15
04-07-2017 06:07 AM
As for now, if I remove the ip tacacs source interface and the tacacs-server host and key lines, only then can I log in to the router or switch.
It seems that if the TACACS server is accessible and online, you will not be able to use the local ID and password.
04-09-2017 06:09 AM
That's correct.
Fallback to the secondary method list only kicks in when the configured primary method list is not reachable.
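The behaviour confirmed in this thread, as an added example that is not from any poster: a simplified model of how a login method list is walked (the next method is tried only when the TACACS+ server gives no response), plus a check of which lines can fall back to local. The function names and the PASS/FAIL model are assumptions, and the sample is a constructed excerpt of the configuration posted above.

```python
import re

# Constructed excerpt of the configuration posted in this thread.
SAMPLE_CONFIG = """\
aaa authentication login default group tacacs+ local
aaa authentication login local group tacacs+
line con 0
 login authentication if_needed
line vty 0 4
 transport input telnet ssh
"""

def parse_login_lists(config):
    """Map each login list name to its methods ('group tacacs+' becomes one token)."""
    lists = {}
    for m in re.finditer(r"^aaa authentication login (\S+) (.+)$", config, re.M):
        lists[m.group(1)] = re.sub(r"group\s+", "group:", m.group(2)).split()
    return lists

def line_lists(config):
    """Map each line block to its login list ('default' when none is applied)."""
    result, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            result[current] = "default"
        elif current and raw.strip().startswith("login authentication "):
            result[current] = raw.split()[-1]
    return result

def evaluate(methods, server_reachable, server_accepts, local_ok):
    """Simplified model: only an unreachable server (ERROR) moves to the next method."""
    for method in methods:
        if method.startswith("group:"):
            if server_reachable:
                return "PASS" if server_accepts else "FAIL"  # a reject is final
        elif method == "local":
            return "PASS" if local_ok else "FAIL"
    return "FAIL"  # every method errored

def audit(config):
    """Report lines whose login list is undefined here or lacks a local method."""
    lists, findings = parse_login_lists(config), []
    for line, name in line_lists(config).items():
        if name not in lists:
            findings.append(f"{line}: list '{name}' is not defined in this excerpt")
        elif "local" not in lists[name]:
            findings.append(f"{line}: list '{name}' has no local fallback")
    return findings
```

With the server reachable, a user that exists only locally gets `FAIL` from `evaluate`, which is the symptom described above; the same list returns `PASS` once the server is unreachable.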