Fallback to local userid

Hi. I am battling to get my local username and password to log in to my routers and switches when a TACACS server has already been configured. It doesn't allow you to connect. I need to have this option so as to be able to log in to the devices when the ACS is down.

Anyone who can assist?




Gagandeep Singh
Cisco Employee

Hi Pieter,

You have already configured switches and routers for TACACS authentication. 

Did you specify local as the fallback when you entered the authentication command:

"aaa authentication login default group tacacs+ local".

Can you share your sh running config?



rate helpful posts!!!

Hi Gagan,

Yes, I did specify this command, but the local userid does not work.

My AAA config:

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login local group tacacs+
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ none
aaa authorization exec Access group tacacs+ if-authenticated
aaa authorization commands 15 Access group tacacs+ if-authenticated
aaa accounting exec Access start-stop group tacacs+
aaa accounting commands 15 Access start-stop group tacacs+

And on line status:

line con 0
 privilege level 15
 authorization commands 15 Access
 authorization exec Access
 accounting commands 15 Access
 accounting exec Access
 logging synchronous
 login authentication if_needed
line aux 0
 logging synchronous
 no exec
 transport preferred none
 transport input all
line vty 0 4
 exec-timeout 5 0
 privilege level 15
 authorization commands 15 Access
 authorization exec Access
 accounting commands 15 Access
 accounting exec Access
 logging synchronous
 exec prompt timestamp
 transport input telnet ssh
line vty 5 15

As for now, if I remove the ip tacacs source interface and tacacs-server host and key lines, then I can log in to the router or switch only.

Seems that if the TACACS server is accessible and online, you will not be able to use the local ID and password.

That's correct.

Fallback to the secondary method list only kicks in when the configured primary method list is not reachable.
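
The behaviour confirmed in the reply above, as an added example (not part of the thread and not Cisco code): a small Python audit that reads the login method lists and line settings quoted in the thread and reports which method decides a login when the TACACS+ server is reachable and when it is not. The function names and the trimmed config sample are assumptions made for the illustration.

```python
import re

# Constructed sample: login method lists and line settings trimmed from the thread's config.
CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login local group tacacs+
line con 0
 login authentication if_needed
line vty 0 4
 transport input telnet ssh
"""

def parse(config):
    """Return ({list_name: [methods]}, {line_name: login_list_name})."""
    lists, lines, current = {}, {}, None
    for raw in config.splitlines():
        aaa = re.match(r"aaa authentication login (\S+) (.+)", raw)
        override = re.match(r"\s+login authentication (\S+)", raw)
        if aaa:
            # "group tacacs+" is a single method; join it into one token
            lists[aaa.group(1)] = re.sub(r"group\s+", "group:", aaa.group(2)).split()
        elif raw.startswith("line "):
            current = raw[5:].strip()
            lines[current] = "default"   # a line with no override uses the default list
        elif current and override:
            lines[current] = override.group(1)
    return lists, lines

def deciding_method(methods, server_up):
    """First method that gives an answer. A server group is skipped only when it
    is unreachable; a reachable server decides the login, accept or reject."""
    for method in methods:
        if method.startswith("group:") and not server_up:
            continue
        return method
    return None   # nothing left to try: the login fails

def audit(config):
    lists, lines = parse(config)
    report = {}
    for line, name in lines.items():
        if name not in lists:
            report[line] = f"login list '{name}' is not defined in the lines shown"
        else:
            report[line] = {"server up": deciding_method(lists[name], True),
                            "server down": deciding_method(lists[name], False)}
    return report

if __name__ == "__main__":
    for line, result in audit(CONFIG).items():
        print(line, "->", result)
```

On the vty lines the report shows group:tacacs+ deciding the login while the server is up and local only when it is down. The list named local has no second method, so it has nothing to fall back to.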
