01-15-2022 11:55 PM
Hi,
So, I have created a local username/password on my switch and have used "login local" on line vty to gain access to the device.
I also have ISE in my prod environment, so I will be configuring AAA next.
My question is: to enable TACACS, along with all the AAA authentication, I will also have to remove the "login local" command from line vty. But in case TACACS fails, how will I be able to log in to my device on the vty line, as I have already removed login local?
Thanks
01-16-2022 01:38 AM - edited 01-16-2022 01:41 AM
In most cases we configure fallback authentication to local if ISE/TACACS is not available (at that time you can log in with the local account).
Example:
aaa authentication enable default group tacacs+ local
You can also configure it differently on the console port.
You can find examples (most of them via Google); a short example is below:
https://packetlife.net/blog/2010/sep/27/basic-aaa-configuration-ios/
Some suggestions from Cisco:
https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/SAFE_RG/SAFE_rg/chap2.html
01-16-2022 11:08 AM
In the first place, it is not correct that you need to remove login local. Things will work OK without removing that command. What happens is that as soon as you configure aaa new-model, login local is ignored. It can stay in the configuration without having any impact, but it is no longer used.
In the second place, when you are configuring aaa authentication you are able to configure a primary method (typically TACACS) and a secondary method to be used if the primary is not working (typically local IDs), and in fact you are able to configure a third method to be used if both the primary and the secondary methods are not working. This is how you are able to log in on vty (and console) if TACACS is not working.
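The fallback ordering described in the two replies above, written out as a complete Cisco IOS AAA configuration. This is an added example, not configuration posted by anyone in the thread. The server name ISE-PSN1, the address 10.0.0.10, the shared key TacacsKey1, the group name ISE-TACACS, the method-list names VTY-AUTH, CONSOLE-AUTH and VTY-AUTHZ, and the local credentials are all hypothetical placeholders; replace them with your own values.

```ios
! Added example, not from the thread. Assumes a TACACS+ server (ISE policy
! service node) reachable at 10.0.0.10 with shared key TacacsKey1 and a local
! fallback account named admin. All names, addresses and secrets are placeholders.
aaa new-model
!
! Local fallback account. Created before enabling TACACS+ so a lockout is impossible.
username admin privilege 15 secret ChangeMe-Local1
enable secret ChangeMe-Enable1
!
tacacs server ISE-PSN1
 address ipv4 10.0.0.10
 key TacacsKey1
!
aaa group server tacacs+ ISE-TACACS
 server name ISE-PSN1
!
! VTY login: TACACS+ first, local second. IOS moves to the next method only when
! every server in the group fails to respond (error); an explicit reject from ISE
! does NOT fall through to local, so a bad password still fails while ISE is up.
aaa authentication login VTY-AUTH group ISE-TACACS local
!
! Console: local only, so the physical port always works even if AAA is misconfigured.
aaa authentication login CONSOLE-AUTH local
!
! Enable mode: TACACS+ enable authentication, then the local enable secret.
aaa authentication enable default group ISE-TACACS enable
!
! Exec authorization with the same ordering; if-authenticated lets an already
! authenticated user in when neither TACACS+ nor local authorization answers.
aaa authorization exec VTY-AUTHZ group ISE-TACACS local if-authenticated
!
line con 0
 login authentication CONSOLE-AUTH
!
line vty 0 15
 login authentication VTY-AUTH
 authorization exec VTY-AUTHZ
 transport input ssh
```

Apply this from a session you keep open, then verify from a second session before closing the first. "show aaa servers" shows whether the switch sees ISE as up, and "test aaa group ISE-TACACS admin <password> new-code" exercises the server without touching the vty lines. To confirm the fallback itself, make the server unreachable (for example shut the path to 10.0.0.10 or use a deliberately wrong key) and check that a local login on a new SSH session still succeeds; note that the first attempt will wait for the TACACS+ timeout before local is tried.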