Re: Local authentication on Catos when tacacs fails

shawn.stone · ‎10-07-2004

I want to set up my switches to authenticate locally when tacacs fails (I have succeeded in doing this with the routers). I have gotten the switch to fail over to local without a problem.

However, it is not asking for the standard login password. It is asking for a username. I have never configured a username on the switch. It is running catos 5.5, and thus does not appear to HAVE a local username fucntion. Does anyone know what I need to do to get it to fail over to the login and enable passwords? If I configure it on anything greater than 7.5.1, i know how to fix that. How do I fix the older devices without upgrading (many of these can't be upgraded, but are necessary on my network).

Here are the two lines of code that I think are pertinent... if more is needed let me know.

set authentication login tacacs enable telnet primary

set authentication login local enable telnet

Thanks in advance!

scottosan · ‎10-08-2004

Your config looks good.

http://www.cisco.com/en/US/tech/tk583/tk642/technologies_tech_note09186a0080094ea4.shtml

Make sure there is a back door into the switch if the server is down by issuing the following command:

set authentication login local enable.

Enable TACACS+ authentication by issuing the following command:

set authentication login tacacs enable.

Define the server by issuing the following command:

set tacacs server #.#.#.#.

Define the server key (This is optional with TACACS+, as it causes switch-to-server data to be encrypted. If used, it must agree with the server.) by issuing the following command:

set tacacs key your_key .

triplecap · ‎10-08-2004

I have tacacs set up the same way on our switches and it does the same thing. If tacacs is unavailable and it prompts for your username, just enter anything and then it will prompt you for the password. At this point you can enter your local password to get in.