11-29-2018 07:41 AM - edited 11-29-2018 07:42 AM
Hey there,
does a solution exist for using AAA authentication with TACACS+ and the local database simultaneously?
We have added a router to a DMVPN infrastructure and used the template provided by the DMVPN hub. This includes AAA TACACS+ authentication.
We have a line like: aaa authentication login TEST group tacacs+ local
If I understand this command correctly, the local database will only be used if the TACACS+ authentication server cannot be reached?
Am I right?
Can I use line vty 0 4 for local authentication and line vty 5 15 for AAA?
11-29-2018 07:58 AM - edited 11-29-2018 07:59 AM
Hi there,
Yes you are right on both counts.
Regarding the VTY lines, create two separate AAA methods using different user stores and reference them under the vty config blocks.
!
aaa authentication login TEST group tacacs+ local
aaa authentication login LOCAL local
!
line vty 0 4
login authentication TEST
!
line vty 5 15
login authentication LOCAL
!
Cheers,
Seb.
11-30-2018 07:55 AM
The original poster asks what appears to be a simple question (which may not be as simple as it appears) and Seb has provided exactly the correct answer to that question. So +5 for that. Using that configuration you would authenticate using tacacs with fallback to local if you access vty 0 through 4 and would authenticate using only local if you access vty 5 through 15. But how to get to vty 5 15 when you access the device?
A potential solution would be to specify on one group of vty access using only SSH and specify on the other group access using only telnet. If you do that then you choose your authentication method when you choose to access using SSH or using telnet. I hesitate to suggest something like this on a live network since you are forcing one group of users to use a less secure method of access.
HTH
Rick
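Editor's note: the following is an added example, not configuration posted by Seb, Rick or the original poster. It puts Seb's two method lists and Rick's transport split into one complete IOS configuration. The TACACS+ server name and address, the shared key and the local username are placeholders, and the optional rotary section at the end goes beyond what the thread discusses (it is one documented way to land an SSH session on vty 5 15 without opening telnet; verify support on your platform before relying on it).

```cisco
! Added example (not from the thread). Placeholders: 192.0.2.10, EXAMPLE-KEY,
! the "localadmin" account and its secret.
aaa new-model
!
! TACACS+ server and server group referenced by the TEST method list
tacacs server TAC1
 address ipv4 192.0.2.10
 key EXAMPLE-KEY
!
aaa group server tacacs+ TAC-GROUP
 server name TAC1
!
! Local account used by the LOCAL method list and by TEST's fallback
username localadmin privilege 15 secret EXAMPLE-SECRET
!
! TEST: ask TACACS+ first, fall back to the local database only when no
! server in the group answers (a reject from the server does NOT fall through)
aaa authentication login TEST group TAC-GROUP local
! LOCAL: local database only
aaa authentication login LOCAL local
!
! SSH prerequisites (hostname, domain name and an RSA key pair are required)
ip domain-name example.test
ip ssh version 2
!
! Rick's split: SSH sessions land on vty 0 4 (TACACS+ with local fallback),
! telnet sessions land on vty 5 15 (local only)
line vty 0 4
 login authentication TEST
 transport input ssh
!
line vty 5 15
 login authentication LOCAL
 transport input telnet
!
! Alternative beyond the thread: keep SSH on both groups and select
! vty 5 15 by connecting to an alternate SSH port mapped to a rotary group.
! Replaces the "transport input telnet" line above.
! ip ssh port 2222 rotary 1
! line vty 5 15
!  rotary 1
!  transport input ssh
```

Two things to check after applying a configuration like this: first, that `crypto key generate rsa` has actually been run, because `transport input ssh` on vty 0 4 silently refuses connections until a key pair exists; second, that the fallback in TEST behaves as the original poster expects. With `group TAC-GROUP local`, a user the TACACS+ server rejects is rejected, full stop; the `local` method is consulted only when the server group is unreachable. Test this from a console session before logging out of a remote one.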