Need help: TACACS vs Local Auth on cisco switches

XavierJackson
Level 1

Hello

I just wanted to confirm if Cisco switches default back to local authentication/accounts if TACACS is disabled/unreachable?

So what happened is I accidentally created the wrong ACL and applied it to the VTY lines and it has blocked all SSH access. (Totally my mistake, it happens, I'll learn from this.) I did create a local account on the switch prior with privilege 15.

The switch also uses TACACS. If I disable the TACACS config on ISE for that switch, will the switch fall back to using local authentication if accessed via console? I do know the line console 0 doesn't have login local applied and I'm not sure if that would be an issue or not.

If anyone can clarify that would be great; I'm very new to how TACACS/network device authentication works.

Accepted Solution

balaji.bandi
Hall of Fame
I just wanted to confirm if Cisco switches default back to local authentication/accounts if TACACS is disabled/unreachable?

Yes, that is correct as per your configuration.

So what happened is I accidentally created the wrong ACL and applied it to the VTY lines and it has blocked all ssh access.

Sure, but the ACL may still have some IP added from which you are able to get in to the device. If not, you can still console in and change it.

The switch also uses TACACS. If I disable the TACACS config on ISE for that switch, will the switch fall back to using local

Yes, if you change the key on ISE, the switch falls back to the local account, provided you have created a local account with priv 15.

 

BB


4 Replies

If you use aaa authc login <method name> tacacs local

and the server is down, the SW will fall back to local.

For console we cannot know without seeing the config.

MHM

Hi 

 

Thanks for that. Also the AAA/Console config is below:
AAA:
aaa authentication login default group ECUK_ISE local
aaa authentication enable default group ECUK_ISE enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group ECUK_ISE local

 

I'm guessing 'local' is the local authentication backup if TACACS fails.

line con 0
 stopbits 1
line vty 0 4
 access-class SSH_ACCESS in
 exec-timeout 5 0
 logging synchronous
 transport input ssh
line vty 5 15
 access-class SSH_ACCESS in
 exec-timeout 5 0
 logging synchronous
 transport input ssh
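An added example, not from anyone in this thread: a small Python audit of the kind of config posted above. It works out which login method list each line actually uses (under aaa new-model, a line without an explicit 'login authentication' uses 'default'), whether the 'local' fallback is usable (a priv-15 local user must exist), and which ACL is applied as access-class on the VTYs. The username line and the indentation in the sample are assumed; the poster did not paste the local user.

```python
import re

# Constructed sample: the AAA and line config posted above (sub-commands indented as
# IOS shows them) plus an assumed priv-15 local user, which the poster says exists.
SAMPLE_CONFIG = """\
username admin privilege 15 secret <placeholder>
aaa authentication login default group ECUK_ISE local
line con 0
 stopbits 1
line vty 0 4
 access-class SSH_ACCESS in
 transport input ssh
line vty 5 15
 access-class SSH_ACCESS in
 transport input ssh
"""

def login_method_lists(cfg):
    """Map login list name -> ordered methods, e.g. ['group ECUK_ISE', 'local']."""
    return {name: re.findall(r"group \S+|\S+", rest)  # 'group <name>' is one method
            for name, rest in re.findall(r"^aaa authentication login (\S+) (.+)$", cfg, re.M)}

def line_sections(cfg):
    """Map 'line con 0' / 'line vty 0 4' -> its indented sub-commands."""
    sections, current = {}, None
    for raw in cfg.splitlines():
        if raw.startswith("line "):
            current = sections.setdefault(raw.strip(), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None
    return sections

def audit(cfg):
    """Per line: effective login list, whether local fallback can work, access-class ACL."""
    lists = login_method_lists(cfg)
    has_priv15 = re.search(r"^username \S+ privilege 15 ", cfg, re.M) is not None
    report = {}
    for line, cmds in line_sections(cfg).items():
        # Under 'aaa new-model' a line without 'login authentication <list>' uses 'default'
        named = next((c.split()[2] for c in cmds if c.startswith("login authentication ")), "default")
        acl = next((c.split()[1] for c in cmds if c.startswith("access-class ")), None)
        methods = lists.get(named, [])
        report[line] = {
            "login_list": named,
            "methods": methods,
            "local_fallback": "local" in methods and has_priv15,  # needs a real priv-15 user
            "access_class": acl,  # a wrong ACL here is exactly how SSH got locked out
        }
    return report
```

Run audit(SAMPLE_CONFIG) and check each line's entry: the console here reports list 'default' with methods ['group ECUK_ISE', 'local'] and a usable local fallback, while both VTY ranges show SSH_ACCESS as the applied access-class.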


Thanks a lot! Appreciate it.