06-01-2007 03:52 PM
If the router or switch is configured to use TACACS and points to an ACS server, what does the device use for authentication if the ACS is down?
Does it use the local username and enable secret?
06-01-2007 09:19 PM
Depends on what you have configured. For example:
aaa authentication login default group tacacs+ local
Will fallback to local authentication if the AAA server is down. You can have it fallback to the line password, enable password, etc.
06-02-2007 09:13 AM
J,
A couple of questions:
This shows up on the RME home page, under Recently Completed Jobs:
I have an Archive poll job configured along with an Archive update job.
The archive poll runs before the update job.
The Archive update completes successfully on 27 items, but the update job fails with one item being only partially successful.
The reason on the item is:
Error polling for change on Primary Startup Config, not fetching the config.
It is using telnet as the protocol.
Why would RME not be able to get the startup config if it can get everything else?
This shows up under Collection Status:
Inventory 27 Items
Config Archive:
27 success
0 failed
0 partially successful
4 out of sync
On the out of sync items, if you check them you can select "Sync on Device"
Is this recommended to do?
06-02-2007 09:41 AM
Please start a new thread for this. This has nothing to do with AAA fallback mechanisms.
06-01-2007 11:25 PM
Hi Wilson,
As Joe stated it depends on what you've configured. I strongly recommend that you use "aaa authentication login default group tacacs+ local" to be able to use the local usernames if the TACACS is down, as I've seen many cases where customers failed to access their routers in critical situations because they had not included the local keyword in the aaa configuration.
HTH, please do rate all helpful replies,
Mohammed Mahmoud.
06-02-2007 07:55 AM
Thanks again guys, I appreciate it.
06-08-2007 07:34 AM
I have the following config:
aaa authentication login default group tacacs+ local
aaa authentication login CON line none
aaa authentication enable default group tacacs+ enable
aaa authentication eou default group radius
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
When tacacs is unavailable and you try to log in, the device asks for a username still, I do not see a user configured on any of the devices.
How do I know which username to use if tacacs is down?
06-08-2007 07:38 AM
You have to configure local usernames on your device. For example:
username marcus password marcus123
06-08-2007 08:11 AM
Thanks J,
Why would they configure the device to use local authentication if tacacs was not available, and not configure the usernames and passwords?
06-08-2007 08:13 AM
Who are, "they?" If you mean previous administrators, perhaps they did not know what the "local" keyword meant.
06-08-2007 08:17 AM
Yes, you know...
That mysterious group of people that knows and does everything.
Really though, the guys (consultants) who built this network.
I guess I need to go to each device and configure a username and password.
Man, have I learned a lot from you guys in the last year.
I appreciate the reply
06-08-2007 09:46 AM
So j,
With this type of config, if tacacs is unavailable:
The idea is you get in locally with the username and password in the config, then use the enable or enable-secret configured?
06-08-2007 09:48 AM
Correct.
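The failure mode discussed in this thread (a "local" fallback in the method list, but no "username" line on the device) is easy to catch in a config review before the TACACS+ server goes down. The following audit script is an added example, not something from the thread or from Cisco; the config text it parses is constructed to mirror the method lists quoted above, and the method-list parsing only looks for the keywords local, line, none and enable after the server group.

```python
import re

# Constructed IOS running-config excerpt (not from a real device); it
# reproduces the situation in the thread: tacacs+ with a local fallback
# but no local username, so the fallback cannot actually be used.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login CON line none
aaa authentication enable default group tacacs+ enable
enable secret 5 PLACEHOLDER_HASH
"""

LOGIN_RE = re.compile(r"^aaa authentication login (\S+) (.+)$")
ENABLE_RE = re.compile(r"^aaa authentication enable (\S+) (.+)$")


def audit_aaa_fallback(config: str) -> list[str]:
    """Return findings describing why the device could lock its admins
    out when every AAA (TACACS+/RADIUS) server is unreachable."""
    lines = [ln.strip() for ln in config.splitlines()]
    has_username = any(ln.startswith("username ") for ln in lines)
    has_enable_pw = any(ln.startswith(("enable secret", "enable password")) for ln in lines)
    findings = []
    for ln in lines:
        m = LOGIN_RE.match(ln)
        if m:
            name, methods = m.group(1), m.group(2).split()
            # A list that only names server groups has nothing to fall back to.
            if "group" in methods and not {"local", "line", "none"} & set(methods):
                findings.append(f"login list '{name}': no fallback method after the AAA servers")
            # 'local' is useless unless at least one username exists locally.
            if "local" in methods and not has_username:
                findings.append(f"login list '{name}': 'local' fallback but no 'username' configured")
        m = ENABLE_RE.match(ln)
        if m:
            name, methods = m.group(1), m.group(2).split()
            if "group" in methods and not {"enable", "none"} & set(methods):
                findings.append(f"enable list '{name}': no fallback method after the AAA servers")
            if "enable" in methods and not has_enable_pw:
                findings.append(f"enable list '{name}': 'enable' fallback but no enable secret/password")
    return findings


if __name__ == "__main__":
    for finding in audit_aaa_fallback(SAMPLE_CONFIG):
        print(finding)
```

Adding a line such as `username marcus secret <placeholder>` to the sample clears the finding; a method list with only `group tacacs+` produces a "no fallback method" finding instead.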
06-08-2007 10:42 AM
J,
If tacacs is available, can you still use the local access accounts or will the device force you to use tacacs if the server is up?
06-08-2007 10:44 AM
You will need to use the TACACS+ credentials if the AAA server is available.