
backup line with local auth. for TACACS failures

ozlemduran
Level 1

Hi,

We are using ACS TACACS+ for our Cisco devices' telnet security, but we are also using a DC database for authentication, and if the database goes down, authentication stops. At this time the Cisco device is still searching for the TACACS server and does not allow telnet.

We have been using the conf. below recently, but now it is not working...

!

aaa authentication login LOCAL local

!

line vty4

login authentication LOCAL

Thanks

3 Replies

umedryk
Level 5

Strange, but one workaround could probably be to remove the configuration for it to contact TACACS+.

I think you didn't understand my question.

When the TACACS server is working, LDAP is going down,

so I could not telnet to the device.

I am searching for a backup configuration...

Richard Burts
Hall of Fame

I do not understand your question. You say that you are using TACACS, but the configuration that you show does not have any TACACS in it at all and just uses local authentication. Where is the TACACS and what is the problem?

I have configured aaa and TACACS on a variety of boxes and find that a configuration like this works well:

aaa authentication login default group tacacs+ line

This allows the router to use TACACS for login authentication and if TACACS is not available (or if the external database is not available) it will use the local line passwords. Or if you have user name and passwords configured on the router you could configure:

aaa authentication login default group tacacs+ local

In my experience, if the TACACS server cannot access the external database, then it returns an "unable to process" response to the router and the router is able to use the backup method.

HTH

Rick
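
The fallback behaviour discussed in this thread can be checked offline against a saved running-config. The following is an added example, not code from any poster in the thread: the function names are hypothetical and the sample config (TACACS host, list names) is constructed for illustration. It flags login method lists that name a server group with no backup method, a `local` backup with no local username defined, and vty lines that reference an undefined method list.

```python
import re

# Constructed sample running-config (not from the thread); the TACACS host
# address and the list names VTY and MGMT are placeholders.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+
aaa authentication login VTY group tacacs+ local
tacacs-server host 192.0.2.10
line vty 0 4
 login authentication VTY
line vty 5 15
 login authentication MGMT
"""

# Methods that can still authenticate when the server group is unreachable.
FALLBACKS = {"local", "local-case", "line", "enable"}

def parse_login_lists(config):
    """Return {list_name: [methods]} with 'group X' folded into one token."""
    lists = {}
    for m in re.finditer(r"^aaa authentication login (\S+) (.+)$", config, re.M):
        methods = re.sub(r"group\s+(\S+)", r"group:\1", m.group(2)).split()
        lists[m.group(1)] = methods
    return lists

def audit(config):
    """Return findings about login method lists and the lines that use them."""
    findings = []
    lists = parse_login_lists(config)
    has_user = re.search(r"^username \S+", config, re.M) is not None
    for name, methods in lists.items():
        remote = any(x.startswith("group:") for x in methods)
        if remote and not FALLBACKS.intersection(methods):
            findings.append(f"{name}: no fallback method after the server group")
        if "local" in methods and not has_user:
            findings.append(f"{name}: 'local' fallback but no username configured")
    line = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            line = raw.strip()  # remember which line block we are inside
        m = re.match(r"\s+login authentication (\S+)", raw)
        if m and line and m.group(1) not in lists:
            findings.append(f"{line}: method list {m.group(1)} is not defined")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```
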