SWITCH LOCAL USERS Failed auth when Server ISE is UP

nzangba
Level 1

Hi guys, I'm currently configuring TACACS with ISE and running some integration tests. How do you handle switch access using local credentials? The switch rejects the local credentials as long as ISE is up. In the authentication configuration, I specified aaa authentication login default group TACACS_TEST local.


3 Replies

Arne Bier
VIP

That's expected behaviour. What's the point of having AAA when you can bypass it with local creds?

Local creds ("local") or the enable password ("enable") are the final parameters of the aaa authentication command and indicate how to handle Authentication when none of the aaa group RADIUS servers respond.

Thanks for your reply. I thought that if the user is not found in the ISE internal database, it would then check the switch’s local database and grant access if the user exists there.

Nope - if the IOS AAA succeeds in getting a response from any of the AAA servers in the AAA group, then the local IOS usernames or enable password will never be used. AAA is regarded as better for security, because it allows centralised control and visibility. If you could get around it by logging in with local creds, then it would end in a catastrophe.

The AAA device admin server (e.g. ISE) can lookup credentials from many resources, such as its own local database, Active Directory, LDAP, ODBC, remote RADIUS servers. That's quite a lot.
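As an added example (not posted in this thread), this is the IOS configuration the answer implies: the default login list goes to the TACACS_TEST group with "local" used only when no server in the group responds, and the console gets its own local-only method list so an administrator keeps a way in even while ISE is up and rejecting the account. The server address, shared key and local username are placeholders.

```cisco
! --- AAA toward ISE (placeholder address and key) ---
aaa new-model
tacacs server ISE-1
 address ipv4 192.0.2.10
 key REPLACE_WITH_SHARED_SECRET
aaa group server tacacs+ TACACS_TEST
 server name ISE-1

! --- VTY / default: ISE decides; "local" only if no server answers ---
! A reply of FAIL from ISE (unknown user, wrong password) ends the
! attempt. Only a missing reply (timeout) moves on to "local".
aaa authentication login default group TACACS_TEST local
aaa authorization exec default group TACACS_TEST local

! --- Console: local-only method list, independent of ISE state ---
aaa authentication login CONSOLE local
username admin privilege 15 secret REPLACE_WITH_STRONG_SECRET
line con 0
 login authentication CONSOLE

! --- Verify from the switch which path a login actually takes ---
! Sends a real authentication to the group and reports PASS/FAIL/
! or no response, which is the case that triggers the "local" fallback.
test aaa group TACACS_TEST admin REPLACE_WITH_PASSWORD new-code
debug aaa authentication
```

With this in place, a local account is honoured at the console at all times, while on VTY it only works during an ISE outage, which is exactly the behaviour described in the reply above.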