Trying to understand AAA and Local Users

joeldoetsch
Level 1

Hi All,

Have run into a couple of issues with a client for whom we are doing some remote switch refreshes. I build the config on a terminal server and then they pop it into the rack. Both times we've had issues with local user access. For whatever reason, we've had AAA issues where TACACS creds weren't working, so we tried to fall back to the local user and those passwords weren't being accepted either, through both console and SSH.

Here's the AAA config:

aaa authentication login default group tacacs+ local
aaa authentication login console local-case line
aaa authentication enable default group tacacs+ enable
aaa authorization exec default local group tacacs+
aaa accounting send stop-record authentication failure
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
Leaving out the accounting (which I don't think relates to this issue), my understanding of the first 3 lines is that if you're connecting from SSH or Telnet, it will check the TACACS server first, and if the user isn't found there, then it will fall down to local. If you're connecting to the console, it should use the local password regardless, and if you're enabling, it will check TACACS for the enable password and then fall back to local.

Is this correct? The most recent reason that TACACS wasn't working was because I forgot to put the TACACS server into the config, so it could not reach out. In that case, it should have reverted to local, correct?

It would be helpful to understand exactly how AAA works from a failure perspective.

Thanks,
Joel

Accepted Solution

balaji.bandi
Hall of Fame
aaa authorization exec default group tacacs+ local

You should have authorization in TACACS then local order.
I suggest trying a simple config; once it is working, improve it with extra add-ons.
I will start with:
aaa new-model
!
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
Is this correct? The most recent reason that TACACS wasn't working was because I forgot to put the TACACS server into the config, so it could not reach out. In that case, it should have reverted to local, correct?
Yes, this is the order of operation. If the RADIUS is not reachable, you should be able to get local account access. Make sure you have local accounts created with priv 15, and have 2 accounts for safety before you lock the console (otherwise you have to go for a password reset).
BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

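The method-list walk discussed in the question and the reply, as an added Python model that is not from the thread or from Cisco: each method in a list such as `group tacacs+ local` answers PASS, FAIL or ERROR, and only ERROR (no reachable TACACS server, or an empty local database) moves on to the next method, so a reachable server that rejects the user never hands off to the local database. All usernames, passwords and the server state below are constructed for the walk-through.

```python
from typing import Dict, List, Tuple

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

# Constructed device state (hypothetical users, passwords and server), not the thread's.
LOCAL_USERS: Dict[str, str] = {"netadmin": "L0cal!pw", "backup": "Spare!pw"}
LINE_PASSWORD = "c0nsole"
TACACS = {"reachable": True, "users": {"joel": "T@cacs1"}}

def m_tacacs(user: str, pw: str) -> str:
    if not TACACS["reachable"]:
        return ERROR                      # no server answered: next method is tried
    return PASS if TACACS["users"].get(user) == pw else FAIL   # a reject is final

def m_local_case(user: str, pw: str) -> str:
    if not LOCAL_USERS:
        return ERROR                      # empty local database: fall through
    return PASS if LOCAL_USERS.get(user) == pw else FAIL       # exact-case username

def m_local(user: str, pw: str) -> str:
    if not LOCAL_USERS:
        return ERROR
    users = {u.lower(): p for u, p in LOCAL_USERS.items()}   # 'local' ignores username case
    return PASS if users.get(user.lower()) == pw else FAIL

def m_line(user: str, pw: str) -> str:
    return PASS if pw == LINE_PASSWORD else FAIL   # line password only; username unused

METHODS = {"group tacacs+": m_tacacs, "local": m_local,
           "local-case": m_local_case, "line": m_line}

def authenticate(method_list: List[str], user: str, pw: str) -> Tuple[str, str]:
    """Walk the list left to right; return (outcome, method that decided it)."""
    for name in method_list:
        result = METHODS[name](user, pw)
        if result != ERROR:
            return result, name           # PASS or FAIL stops the walk here
    return FAIL, "no-method-answered"     # every method errored: access denied

def forgot_tacacs_server_scenario() -> Tuple[str, str]:
    """The poster's case: no tacacs server configured, so the group cannot answer."""
    TACACS["reachable"] = False
    try:
        return authenticate(["group tacacs+", "local"], "netadmin", "L0cal!pw")
    finally:
        TACACS["reachable"] = True
```

Run `authenticate(["group tacacs+", "local"], "netadmin", "L0cal!pw")` with the server reachable to see the case that locks people out: the TACACS reject is final and the local credentials are never checked.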
