Local and Tacacs+ authentication

Spaniard141
Level 1

We normally use Tacacs+ authentication with an ACS server, with fallback to Local if the Tacacs server is not reachable. We have a vendor which needs local access to the router for maintenance purposes, and I've been looking for a way to use local authentication 1st and, if the account being used to authenticate is not in the local db, then use Tacacs+ ... Is this doable? I thought I had found a config a while back and tested it successfully, but now I can't find it again....

Thanks


4 Replies

Marvin Rhoads
Hall of Fame

I've never seen that done and I'm not sure if that's supported as there will always be a local user so the method list will never fail to the secondary method (TACACS).

I have done a setup where I created local accounts on the TACACS server (Cisco ACS 5.x). I then setup the authentication and authorization so that the user could authenticate with those credentials in lieu of ACS having to rely on the external identity store (Active Directory) and be authorized accordingly.

Can ACS use both AD and also a local ACS account, so if a user is not a valid local user it will then check against Active Directory?

Since your initial posting I happened to read a book section while studying for my CCIE that may help.

According to "AAA Identity Management Security" Cisco Press book (Chapter 6 - Using AAA section):

The device will use failover methods only when it fails to get a response from the current method. If an authentication failure is received, the device will not failover. The only exception to this rule occurs when the local database is the first option. In such cases, if the username does not exist in the local database, the next configured method is used.

So if you have a local user account but the login attempt instead uses an account from one of the configured subsequent methods in the list, the authentication should try that as well.

I have also done what you asked with ACS. I have set up local unique ACS users to provide authentication in the event of loss of the external AD identity source.

So theoretically you could have something like:

admin (local only)

admin-acs (ACS-based user via RADIUS or TACACS+ method)

username (AD-based user authenticated from AD via ACS)

Thanks, I got this to work with the following config:

aaa authentication login default local group tacacs+
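An added illustration, not part of the thread and not Cisco code: a small Python model of how a login method list walks its methods under the rule quoted from the book above (move on only when a method gives no response, or when the local database is first and the username is not in it), run against the three account types listed in the accepted answer. The usernames, passwords and the `reachable` flag are constructed values.

```python
# Models IOS method-list evaluation for
#   aaa authentication login default local group tacacs+
# and its reverse. Assumption: not Cisco's implementation, only the rule
# quoted from "AAA Identity Management Security", chapter 6.
from dataclasses import dataclass
from enum import Enum


class Result(Enum):
    PASS = "pass"            # method accepted the credentials
    FAIL = "fail"            # method answered: bad credentials
    ERROR = "error"          # no response (server unreachable)
    NOT_FOUND = "not_found"  # user absent from the local database


@dataclass
class LocalDB:
    users: dict  # constructed: username -> password

    def authenticate(self, user: str, pw: str) -> Result:
        if user not in self.users:
            return Result.NOT_FOUND
        return Result.PASS if self.users[user] == pw else Result.FAIL


@dataclass
class TacacsGroup:
    users: dict  # constructed: what ACS (local ACS users + AD) would accept
    reachable: bool = True

    def authenticate(self, user: str, pw: str) -> Result:
        if not self.reachable:
            return Result.ERROR  # timeout: the device sees no response
        return Result.PASS if self.users.get(user) == pw else Result.FAIL


def login(method_list, user: str, pw: str) -> Result:
    """Walk the methods in order; a FAIL answer stops the walk."""
    for idx, method in enumerate(method_list):
        r = method.authenticate(user, pw)
        if r is Result.ERROR:
            continue  # no response: try the next configured method
        if r is Result.NOT_FOUND:
            if idx == 0:
                continue  # the book's one exception: local first, user missing
            return Result.FAIL  # assumption: unknown local user later in the list
        return r
    return Result.ERROR  # every method was unreachable


# Constructed accounts matching the three types in the accepted answer.
LOCAL = LocalDB({"admin": "local-pw"})
ACS = TacacsGroup({"admin-acs": "acs-pw", "jdoe": "ad-pw"})
```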
