Local and Tacacs+ authentication

We normally use TACACS+ authentication against an ACS server, with fallback to local if the TACACS+ server is not reachable. We have a vendor who needs local access to the router for maintenance purposes, and I've been looking for a way to use local authentication first and, if the account being used to authenticate is not in the local DB, then use TACACS+. Is this doable? I thought I had found a config a while back and tested it successfully, but now I can't find it again.

Thanks

1 ACCEPTED SOLUTION

Since your initial posting I happened to read a book section while studying for my CCIE that may help.

According to the "AAA Identity Management Security" Cisco Press book (Chapter 6, "Using AAA" section):

The device will use failover methods only when it fails to get a response from the current method. If an authentication failure is received, the device will not failover. The only exception to this rule occurs when the local database is the first option. In such cases, if the username does not exist in the local database, the next configured method is used.

So if you have a local user account but the login attempt instead uses an account from one of the configured subsequent methods in the list, the authentication should try that as well.

I have also done what you asked with ACS. I have set up unique local ACS users to provide authentication in the event of loss of the external AD identity source.

So theoretically you could have something like:

admin (local only)

admin-acs (ACS-based user via RADIUS or TACACS+ method)

username (AD-based user authenticated from AD via ACS)

4 REPLIES


I've never seen that done and I'm not sure if that's supported as there will always be a local user so the method list will never fail to the secondary method (TACACS).

I have done a setup where I created local accounts on the TACACS+ server (Cisco ACS 5.x). I then set up the authentication and authorization so that the user could authenticate with those credentials in lieu of ACS having to rely on the external identity store (Active Directory) and be authorized accordingly.

Can ACS use both AD and a local ACS account, so that if a user is not a valid user it will then check against Active Directory?

Thanks, I got this to work with the following config:

aaa authentication login default local group tacacs+
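
The one-liner above, expanded into a complete IOS configuration as an added example (this is not code posted in the thread). The device name, the ACS address and both secrets are placeholders; the comments restate the failover rule quoted from the Cisco Press book in the accepted solution. One trade-off the thread does not spell out: with local first, a user who is not in the local database has no further method when ACS does not respond, so the vendor's local account is also the only break-glass account and should be protected accordingly.

```cisco
! Added example, not from the original thread. Addresses and secrets are
! placeholders; replace them before use.
aaa new-model
!
! Local account for the vendor. It is the only name that needs to exist in the
! local database, and it authenticates locally even while ACS is reachable.
username vendor-maint privilege 15 secret 0 ReplaceWithStrongSecret
!
! TACACS+ server (ACS) definition and server group.
tacacs server ACS-PRIMARY
 address ipv4 192.0.2.10
 key 0 ReplaceWithSharedSecret
!
aaa group server tacacs+ ACS-GROUP
 server name ACS-PRIMARY
!
! The method order is what makes this work:
!   local         - if the username is NOT in the local database, IOS moves on
!                   to the next method. A wrong password for a local user is an
!                   authentication failure, and failures do NOT fail over, so
!                   vendor-maint with a bad password is simply rejected.
!   group tacacs+ - every other username is authenticated by ACS (and, via ACS,
!                   Active Directory). If ACS gives no response there is no
!                   further method, so non-local users cannot log in.
aaa authentication login default local group tacacs+
!
! Contrast with the poster's original order (left commented out). Here a
! local-only account is rejected while ACS is reachable: a reject is a
! failure, not an error, and only an error (no response) triggers failover.
! aaa authentication login default group tacacs+ local
!
! Session accounting goes to ACS regardless of which method authenticated
! the user, so the vendor's local logins are still recorded centrally.
aaa accounting exec default start-stop group tacacs+
!
line vty 0 4
 login authentication default
 transport input ssh
```

After applying it, test both paths before closing the change window: log in as vendor-maint (should succeed with ACS up and with ACS unreachable), log in as an AD user (should succeed only while ACS responds), and try vendor-maint with a wrong password (should be rejected, not passed to ACS).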