04-27-2024 02:40 PM
Hello
I just wanted to confirm if Cisco switches default back to local authentication/accounts if TACACS is disabled/unreachable?
So what happened is I accidentally created the wrong ACL and applied it to the VTY lines and it has blocked all SSH access. (Totally my mistake, it happens, I'll learn from this.) I did create a local account on the switch prior with privilege 15.
The switch also uses TACACS. If I disable the TACACS config on ISE for that switch, will the switch fall back to using local authentication if accessed via console? I do know the line console 0 doesn't have login local applied and not sure if that would be an issue or not.
If anyone can clarify that would be great, I'm very new to how TACACS/network device authentication works.
04-28-2024 08:50 AM
I just wanted to confirm if cisco switches default back to local authentication/accounts if TACACS is disabled/unreachable?
Yes, that is correct as per your configuration.
So what happened is I accidentally created the wrong ACL and applied it to the VTY lines and it has blocked all ssh access.
Sure, but the ACL may still have some IP added from which you are able to get into the device. If not, you can still console in and change it.
The switch also uses TACACS. If i disable the TACACS config on ISE for that switch, will the switch fall back to using local
Yes, if you change the key on ISE, the switch falls back to the local account, if you have created a local account with priv 15.
04-27-2024 02:59 PM
If you use aaa authc login <method name> tacacs local
And the server is down, the SW will fall back to local.
For console we cannot know without seeing the config.
MHM
04-28-2024 07:52 AM - edited 04-28-2024 07:53 AM
Hi
Thanks for that. Also the AAA/Console config is below:
AAA:
aaa authentication login default group ECUK_ISE local
aaa authentication enable default group ECUK_ISE enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group ECUK_ISE local
I'm guessing 'local' is the local authentication backup if TACACS fails
line con 0
stopbits 1
line vty 0 4
access-class SSH_ACCESS in
exec-timeout 5 0
logging synchronous
transport input ssh
line vty 5 15
access-class SSH_ACCESS in
exec-timeout 5 0
logging synchronous
transport input ssh
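Added example, not code from the thread: a small model of how IOS evaluates the method list in the "aaa authentication login default group ECUK_ISE local" line above (which also governs line con 0 here, since the console has no "login authentication" statement of its own). It shows the practitioner's caveat behind the accepted answer: "local" is consulted only when the TACACS group returns an error (unreachable, or replies unusable after a key change); a reachable ISE that rejects the user ends evaluation with no fallback. Usernames, passwords and the ISE state are constructed sample data.

```python
# Outcomes follow IOS AAA semantics: PASS or FAIL from a method ends evaluation;
# only ERROR (server group unreachable / no usable response) moves to the next method.

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

# Constructed local database, as created with "username <name> privilege 15 secret ..."
LOCAL_USERS = {"netadmin": "S3cret!"}

def local_method(user, password, _state):
    """'local' method: an unknown user or bad password is FAIL (not ERROR)."""
    if LOCAL_USERS.get(user) == password:
        return PASS
    return FAIL

def tacacs_group_method(user, password, state):
    """'group ECUK_ISE' method. state is a constructed model of the TACACS+ group."""
    if not state["reachable"] or not state["key_matches"]:
        # No server answered, or replies cannot be decrypted -> ERROR -> try next method
        return ERROR
    # Server reachable: its verdict is final; a reject never falls through to 'local'
    return PASS if state["accepts"].get(user) == password else FAIL

def authenticate(method_list, user, password, state):
    """Walk the method list in order; return (result, name of the deciding method)."""
    for name, method in method_list:
        result = method(user, password, state)
        if result in (PASS, FAIL):
            return result, name
    # Every method returned ERROR: IOS denies the login
    return FAIL, "none"

DEFAULT_LOGIN = [("group ECUK_ISE", tacacs_group_method), ("local", local_method)]

def scenario(reachable, key_matches, user, password, accepts=None):
    """Run one login attempt against the default list under a given ISE state."""
    state = {"reachable": reachable, "key_matches": key_matches, "accepts": accepts or {}}
    return authenticate(DEFAULT_LOGIN, user, password, state)

if __name__ == "__main__":
    # Device removed from ISE / shared key changed: group errors, local account is used
    print(scenario(reachable=True, key_matches=False, user="netadmin", password="S3cret!"))
    # ISE reachable and rejecting the user: FAIL from the group, local is never consulted
    print(scenario(reachable=True, key_matches=True, user="netadmin", password="S3cret!"))
    # ISE unreachable and no matching local account: locked out despite 'local' in the list
    print(scenario(reachable=False, key_matches=True, user="nobody", password="x"))
```

Note that a VTY access-class ACL is evaluated before any of this runs, which is why the SSH lockout in the thread is independent of the AAA method list.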
04-28-2024 01:41 PM
Thanks a lot! Appreciate it