Unable to understand aaa method list

Asif.oxy (Level 1)

Hi,

I was practising AAA method lists and came across a situation where I am stuck. After enabling AAA on the router and trying to telnet to it from the PC, it was successful, so out of curiosity I shut the interface connected to the AAA server in the snap, i.e. f0/1. Since the default method list does not have any alternate method to authenticate the admin, I thought it might be locked out, but it falls back to local login. Can someone please explain this scenario? A snap is attached for reference. Also, the client, i.e. R1, is properly configured on the server with a matching key. Looking forward to a response.

Here is the config for AAA:

R1(config)#username admin privilege 15 secret Cisco!23
R1(config)#aaa new-model
R1(config)#aaa authentication login default group tacacs+
R1(config)#tacacs-server host 10.10.0.10 key Cisco!23


13 Replies

Richard Burts (Hall of Fame)

I do not see any attached information. Perhaps you can post the current running config (masking public IPs, passwords, etc.) to give us better information to work with.

HTH

Rick

Hi Richard,

Please find attached snaps and do let me know if they are sufficient to understand.

My question is: when I log in to the router using the AAA server it gets authenticated, but when the interface connecting to the server is down the authentication falls back to the local database, even though the local keyword was not in the default list. Please help me understand this scenario; I thought it might lock out or use the next method list.

In the attached images capture 1-3 you will see what I am trying to say.

AAA credentials: username bob secret Cisco!23

Local credentials: username admin privilege 15 secret Cisco!23

Could you post the config rather than just snaps of parts of it?

HTH

Rick

Hi Richard,

Thanks for your response. Here is the whole running config; please let me know if it is sufficient to understand my query.

Thanks

Asif

Asif

Thank you for the configuration. In looking at it I believe that the reason for the behavior you are experiencing is the command

aaa authentication login method enable

I believe that this would allow access if you enter the enable password. I would suggest that you remove this line from the config and test again. Let us know what the results are.

HTH

Rick

Hi Richard,

Thanks for your prompt response, but the issue is that it is not getting authenticated using method1; instead it falls back to the local database even when the local keyword is not present in the default list. As per your suggestion I have removed the method list and kept only the default list to verify, and the results were still the same. Attached is the running config with the results when authenticating while the AAA server was reachable and while it was not. I also want to ask: if it is falling back to local authentication when AAA is not reachable, then I should get access to privileged EXEC mode, because the local admin has privilege 15, but it asked me to enter the enable secret. Can you please also explain this? Looking forward to your detailed explanation.

Thanks

Asif

Asif

Thanks for the update. I had hoped that the extra aaa authentication might be the issue. I see that you have removed it and the unexpected behavior continues. So obviously that was not the issue. I am not sure what the intent was with this command

aaa authentication login method enable

It looks a bit like maybe you were trying to configure authentication to get into enable mode. But that is not what it did. It creates a second method of authenticating when someone attempts to login to the device.

I would suggest that the next step in investigating this would be to run debug for aaa authentication, make the attempt to log in, and post any debug output.

It occurs to me to ask whether this is being done on real router hardware or whether this is on some emulator.

You ask "also want to ask if it is falling back to local authentication when aaa is not reachable then i should get access to privilege exec mode because local admin is having privilege 15". It is logical to assume that if a user is configured with level 15 access that they would automatically get that level of access when they login. But that is not how aaa works. If you want the locally authenticated user to automatically get level 15 access then you need an aaa authorization command for that.

HTH

Rick

Hi Richard,

Thank you for your detailed explanation. As suggested I have tried debugging on the router and found that it was authenticating with the default list while the AAA server was reachable, and when it was not (interface shut down) it says it authenticates using "permanent local", so maybe this is the solution to my question. I also found an article from Cisco where it says that as soon as the aaa new-model command is enabled, local authentication is applied to all interfaces except line con 0. Here is the reference for that article and an attached snap of the debugging; do let me know your opinion on these.

https://www.cisco.com/c/en/us/support/docs/security-vpn/terminal-access-controller-access-control-system-tacacs-/10384-security.html

Thanks

Asif

Asif

Thanks for the update. The debug output is very interesting. I have never seen a reference to permanent local. What you are seeing is certainly not the expected behavior. You are correct that when you configure aaa new-model that the default behavior changes to become login local. But when you configure

aaa authentication login default group tacacs+

you have defined a new default. With this configured the expected behavior is that the device will attempt to authenticate with the tacacs server and if the user is not authenticated by the server the login attempt fails. It should not fall back to authenticating with the local user. Since what you are seeing is not the expected behavior I will ask again are you doing this with real hardware (if so then you have uncovered a bug) or is this some emulator (then you have uncovered an inconsistency in the implementation).

HTH

Rick
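As an added illustration (not code from this thread, from Cisco, or from any IOS image), here is a small Python model of how a login method list is walked, using the sample data posted above: bob on the TACACS+ server at 10.10.0.10 and admin in the local database with privilege 15. It shows the behaviour Rick describes: with "group tacacs+" as the only method, an unreachable server leaves nothing that can answer and the login is denied, and appending "local" is what provides a fallback. It also models the earlier point that the local user's privilege 15 only takes effect when an exec authorization method is configured. The TacacsServer and LocalDatabase classes, the rule that the next method is consulted only when a method gives no answer (ERROR) rather than a rejection (FAIL), and the use of "aaa authorization exec default local" as the authorization command are my modelling assumptions and not taken from the thread.

```python
# Added illustration: IOS-style login method-list evaluation (toy model, not Cisco code).
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Outcomes a single authentication method can produce.
PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


@dataclass
class TacacsServer:
    """Toy TACACS+ server. When unreachable it gives no answer at all (ERROR)."""
    host: str
    reachable: bool = True
    users: Dict[str, str] = field(default_factory=dict)  # username -> secret (constructed)

    def authenticate(self, user: str, secret: str) -> str:
        if not self.reachable:
            return ERROR
        return PASS if self.users.get(user) == secret else FAIL


@dataclass
class LocalDatabase:
    """Toy 'username <name> privilege <n> secret <s>' table."""
    users: Dict[str, Tuple[str, int]] = field(default_factory=dict)  # user -> (secret, privilege)

    def authenticate(self, user: str, secret: str) -> str:
        entry = self.users.get(user)
        return PASS if entry is not None and entry[0] == secret else FAIL


def parse_login_method_list(config_line: str) -> Tuple[str, List[str]]:
    """Parse 'aaa authentication login <list-name> <method> ...' into (list-name, methods)."""
    tokens = config_line.split()
    if tokens[:3] != ["aaa", "authentication", "login"] or len(tokens) < 5:
        raise ValueError(f"not a login method-list command: {config_line!r}")
    name, rest, methods = tokens[3], tokens[4:], []
    i = 0
    while i < len(rest):
        if rest[i] == "group":  # 'group tacacs+' / 'group radius' carry one argument
            if i + 1 >= len(rest):
                raise ValueError("'group' needs a server-group name")
            methods.append(f"group {rest[i + 1]}")
            i += 2
        else:                   # 'local', 'enable', 'none', ...
            methods.append(rest[i])
            i += 1
    return name, methods


def login(methods: List[str], user: str, secret: str,
          tacacs: TacacsServer, local: LocalDatabase) -> Tuple[str, Optional[str]]:
    """Walk the list in order (modelling assumption): only ERROR moves on to the
    next method; a FAIL ends the attempt. Running out of methods is a FAIL."""
    for method in methods:
        if method == "group tacacs+":
            result = tacacs.authenticate(user, secret)
        elif method == "local":
            result = local.authenticate(user, secret)
        elif method == "none":
            result = PASS
        else:
            raise ValueError(f"method {method!r} is not modelled here")
        if result != ERROR:
            return result, method
    return FAIL, None


def exec_privilege(user: str, local: LocalDatabase,
                   exec_authorization_local: bool, line_default: int = 1) -> int:
    """Privilege level the session starts at. Following the reply above, the
    'privilege 15' on the username applies only when 'aaa authorization exec
    default local' is configured; otherwise the user lands at the line default."""
    if exec_authorization_local and user in local.users:
        return local.users[user][1]
    return line_default


def run_scenarios() -> Dict[str, object]:
    """Constructed scenarios built from the credentials posted in the thread."""
    local = LocalDatabase({"admin": ("Cisco!23", 15)})
    server_up = TacacsServer("10.10.0.10", True, {"bob": "Cisco!23"})
    server_down = TacacsServer("10.10.0.10", False, {"bob": "Cisco!23"})
    _, tacacs_only = parse_login_method_list("aaa authentication login default group tacacs+")
    _, with_fallback = parse_login_method_list("aaa authentication login default group tacacs+ local")
    return {
        "tacacs_only/up/bob": login(tacacs_only, "bob", "Cisco!23", server_up, local),
        "tacacs_only/down/bob": login(tacacs_only, "bob", "Cisco!23", server_down, local),
        "tacacs_only/down/admin": login(tacacs_only, "admin", "Cisco!23", server_down, local),
        "fallback/down/admin": login(with_fallback, "admin", "Cisco!23", server_down, local),
        "fallback/up/admin": login(with_fallback, "admin", "Cisco!23", server_up, local),
        "priv/no_exec_authz": exec_privilege("admin", local, False),
        "priv/exec_authz_local": exec_privilege("admin", local, True),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:28} -> {outcome}")
```

The "fallback/up/admin" case is the one worth noticing: even with "local" in the list, admin is rejected when the server is reachable, because the server answered FAIL rather than ERROR and the list stops there. "local" is a fallback for a silent server, not for bad credentials. The "tacacs_only/down/*" cases are the lockout Asif expected and Packet Tracer did not reproduce.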

Hi Richard,

Sorry for the late response. I am trying this lab on Packet Tracer since I do not have physical hardware with me; please suggest any other simulation tool where we can try the lab and get the desired results.

Thanks

Asif

Asif

Thanks for confirming that this is being done on Packet Tracer. PT is widely used and is pretty good about main aspects of switches and routers, about static routing and dynamic routing protocols, etc. But there are quite a few things where its behavior is different from real hardware - and you found one. Many people use GNS as an emulator for the network. I would say that probably the best emulator is Cisco Modeling Labs, but there is a cost factor to consider.

HTH

Rick

Hi Richard,

Thanks for all your help on this. I was stuck on this for a long time and was not getting any help from other sources; glad I joined the community. Since it is a Packet Tracer glitch I will take your response as the answer to my question. Once again, thank you so much for your prompt responses, and I will be back with more questions.

Thanks

Asif

Asif

I am glad that my explanations have been helpful. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. This community is an excellent place to ask questions and to learn about networking. I look forward to more questions from you (and to the time when you are able to provide answers to other people's questions).

HTH

Rick