08-14-2018 04:23 AM - edited 08-14-2018 05:57 AM
Hi,
I have aaa authentication configured for tacacs with fallback to local. Sometimes when the switch uplink is down (tacacs unreachable) I can't get into the console unless I try between 5-20 times (definitely more time than the tacacs server timeout). After hitting a key on the console I get a login banner and after a while a new screen with another banner, in between "% Authentication failed" three times in a row. Happened on IOS 15.2(2)E7 and some previous versions with multiple 2960 models (most recently WS-C2960X-24PS-L).
Does this happen to someone else? Is this misconfiguration or bug? When uplink is down, whole management VLAN is down as well. When the password prompt finally comes up, it usually works immediately after logging out.
Here is my config:
aaa group server tacacs+ TACACS-AAA
 server name TACACS1
!
aaa authentication login VTY_AAA group TACACS-AAA local
aaa authentication login CONSOLE_AAA group TACACS-AAA local
aaa authentication enable default group TACACS-AAA enable
aaa authorization exec VTY-AAA group TACACS-AAA if-authenticated
aaa authorization commands 1 VTY-AAA group TACACS-AAA if-authenticated
aaa authorization commands 15 VTY-AAA group TACACS-AAA if-authenticated
aaa accounting exec default start-stop group TACACS-AAA
aaa accounting commands 0 default start-stop group TACACS-AAA
aaa accounting commands 1 default start-stop group TACACS-AAA
aaa accounting commands 2 default start-stop group TACACS-AAA
aaa accounting commands 3 default start-stop group TACACS-AAA
aaa accounting commands 4 default start-stop group TACACS-AAA
aaa accounting commands 5 default start-stop group TACACS-AAA
aaa accounting commands 6 default start-stop group TACACS-AAA
aaa accounting commands 7 default start-stop group TACACS-AAA
aaa accounting commands 8 default start-stop group TACACS-AAA
aaa accounting commands 9 default start-stop group TACACS-AAA
aaa accounting commands 10 default start-stop group TACACS-AAA
aaa accounting commands 11 default start-stop group TACACS-AAA
aaa accounting commands 12 default start-stop group TACACS-AAA
aaa accounting commands 13 default start-stop group TACACS-AAA
aaa accounting commands 14 default start-stop group TACACS-AAA
aaa accounting commands 15 default start-stop group TACACS-AAA
aaa accounting system default start-stop group TACACS-AAA
!
tacacs server TACACS1
 address ipv4 A.B.C.D
 key 7 <REMOVED>
!
line con 0
 exec-timeout 15 0
 logging synchronous
 login authentication CONSOLE_AAA
08-14-2018 05:53 AM
Hello,
I don't expect that the fact that you have different names configured under group and tacacs server config plays any role in this issue?
aaa group server tacacs+ TACACS-AAA
 server name TACACS1 <--- Here
!
tacacs server NETSVC1 <--- different here
 address ipv4 A.B.C.D
 key 7 <REMOVED>
!
Thanks,
./becos
08-14-2018 05:58 AM - edited 08-17-2018 01:23 AM
Yeah, my bad. I redacted the names and forgot this one :)
But it does not play any role.
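As an added example (not code from either poster), a small Python checker for the two wiring questions this thread turns on: a `server name` under an `aaa group server tacacs+` that has no matching `tacacs server` definition, and a console `login authentication` method list with no `local` fallback. It assumes the config is available as text (for example saved `show running-config` output) and uses a constructed excerpt that deliberately keeps the TACACS1/NETSVC1 mismatch becos pointed out.

```python
import re

# Constructed config excerpt modelled on the thread (mismatched server name kept on purpose)
SAMPLE_CONFIG = """\
aaa group server tacacs+ TACACS-AAA
 server name TACACS1
!
aaa authentication login CONSOLE_AAA group TACACS-AAA local
!
tacacs server NETSVC1
 address ipv4 A.B.C.D
!
line con 0
 login authentication CONSOLE_AAA
"""

def audit_aaa(config):
    """Flag dangling server/group references and console method lists lacking 'local'."""
    groups, servers, methods, console_list, ctx = {}, set(), {}, None, None
    for raw in config.splitlines():
        s = raw.strip()
        if s == "!":
            ctx = None  # section separator ends the current context
        elif m := re.match(r"aaa group server tacacs\+ (\S+)$", s):
            ctx, groups[m[1]] = ("group", m[1]), []
        elif m := re.match(r"tacacs server (\S+)$", s):
            servers.add(m[1])
            ctx = None
        elif m := re.match(r"aaa authentication login (\S+) (.+)$", s):
            methods[m[1]] = m[2].split()  # method list name -> method tokens
        elif s.startswith("line con"):
            ctx = ("line", "con")
        elif (m := re.match(r"server name (\S+)$", s)) and ctx and ctx[0] == "group":
            groups[ctx[1]].append(m[1])  # server referenced by the group
        elif (m := re.match(r"login authentication (\S+)$", s)) and ctx and ctx[0] == "line":
            console_list = m[1]
    findings = [f"group {g} references undefined tacacs server {r}"
                for g, refs in groups.items() for r in refs if r not in servers]
    tokens = methods.get(console_list, [])
    if console_list is None:
        findings.append("line con 0 has no 'login authentication' list (uses default)")
    else:
        findings += [f"{console_list} uses undefined group {tokens[i + 1]}"
                     for i, t in enumerate(tokens) if t == "group" and tokens[i + 1] not in groups]
        if "local" not in tokens:
            findings.append(f"{console_list} has no local fallback")
    return findings
```

A finding here only surfaces configuration wiring worth ruling out; it does not by itself explain the delayed console login described in the thread.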