I am implementing an ACS solution for authentication and authorization of my Cisco devices. So far, everything between the switch and ACS is working. I also want users to have to authenticate themselves with AD when they connect over SSH. That is currently working. As a failsafe in case the ACS fails, I would like users to be able to use local credentials via TELNET. This I cannot get working.
I configured VTY ports 0-4 for SSH only and attached the group for TACACS.
I configured VTY ports 5-15 for TELNET only and attached the group for LOCAL authentication.
When I connect using SSH, all is well. When I try using TELNET, it does not allow me to log in (it's trying to authenticate with AD).
Here is the config I have:
aaa authentication login CONSOLE local
aaa authentication login SSH group tacacs+
aaa authentication dot1x default group radius
aaa authorization exec default group tacacs+
aaa authorization network default group radius
aaa accounting system default start-stop group tacacs+
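For comparison, here is an added example (not the poster's configuration) of the split-VTY layout described above on a Cisco IOS device, with SSH lines bound to TACACS+ plus local fallback and TELNET lines bound to the local database for both login authentication and exec authorization. The list names SSH-TACACS and TELNET-LOCAL, the username, and the IOS platform are assumptions.

```cisco
! Added example, not the original poster's config. IOS syntax assumed.
! List names SSH-TACACS / TELNET-LOCAL and the username are assumptions.
aaa new-model
!
! Local break-glass account used only when ACS is unreachable.
username netadmin privilege 15 secret <replace-with-strong-secret>
!
! Login authentication: SSH lines query ACS and fall back to the local
! database only when the server group returns an error (unreachable),
! not when ACS actively rejects the credentials.
aaa authentication login SSH-TACACS group tacacs+ local
aaa authentication login TELNET-LOCAL local
!
! Exec authorization: a "default" list applies to every line that has no
! named list attached, so the TELNET lines also need their own named list,
! otherwise they are still sent to tacacs+ after a successful local login.
aaa authorization exec SSH-TACACS group tacacs+ local
aaa authorization exec TELNET-LOCAL local
!
line vty 0 4
 transport input ssh
 login authentication SSH-TACACS
 authorization exec SSH-TACACS
!
line vty 5 15
 transport input telnet
 login authentication TELNET-LOCAL
 authorization exec TELNET-LOCAL
```

With the TACACS+ server unreachable, `debug aaa authentication` and `debug aaa authorization` show which method list each VTY line actually consults, which is the quickest way to confirm the TELNET lines never touch the `group tacacs+` method.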