AAA Authentication Question

ALIAOF_
Level 6

Here is the config I have on a switch:

aaa authentication login default group tacacs+ local

aaa authentication login vtylogin group tacacs+ local

aaa authentication login conlogin group tacacs+ enable none

aaa authentication enable default tacacs+ enable

Now here are my issues:

1- When I log in from the console, my login via TACACS works, but when I type "enable" and try to use my Active Directory password, it does not work.  Then I try the enable password, and it does not work either.  However, if I change the 4th line to "aaa authentication enable default enable", I can proceed using the enable password.

2- My second issue is that when I SSH into the switch, I only want it to use the TACACS server and only use the local database when TACACS is not available.  However, even when TACACS is available, I am still able to log into it using the local user account.  I am assuming that is by design?  Is there a way to stop that if it is not by design?


10 Replies

Yudong Wu
Level 7

1. In "User setup", check "Advanced TACACS+ Settings"; there should be an option for where to check the "enable" password.

2. System will use local database only if the configured TACACS+ server is not responding to authentication request. Run some debug to see if it is the case.

Thank you for the reply, I will check on the first setting.  However, for the second part, the system is using the local database, but it is using it even if TACACS is available.  I do not want the system to be able to use the local database if TACACS is available.  So basically I can log in using the Active Directory account as well as the local database.

It will only use local database if tacacs+ server is unavailable.

do a debug aaa authentication to be sure it isn't using tacacs+.

Don't forget to rate helpful posts.

I know that but I do not want it to use the local database if tacacs is available.

But it won't use your local database unless your tacacs+ server is unavailable, so I really don't see the problem.

If the router uses your local database to authenticate, then there is a communication problem with your tacacs+ server, so it is using the next method listed in your command, which is the local database. As I said before, do a debug aaa authentication and you will see the router attempting to communicate with the tacacs+ server, and only if that times out is it going to use an alternative method, if one is listed in the method list.

Don't forget to rate helpful posts.

Ok, let me try to explain this again:

1- There is no communication problem as I can login using tacacs without any problems.  If I remove the "local" keyword from the line and only leave tacacs+ it works and even if I leave "local" after tacacs+ it still works.

2- However at the same time I can also use the local account to login.

3- I have looked at the debug and tacacs authentication works fine.

When you use the local user account to log in to the device, can you check whether you see the login in "passed authentication attempts" on the ACS box? If yes, could you please check your ACS local user DB to see if the same account was created by mistake?

Thank you, that was the issue. I still don't have access to the ACS yet since I'm new, so I asked one of my co-workers to check, and yup, the local account was defined in the ACS. After disabling it, it works now.
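The advice in the replies above (the local method is consulted only when the TACACS+ server does not respond) and the root cause confirmed just above (the "local" account also existed in ACS, so TACACS+ was answering for it) can be seen together in a small model of IOS method-list fallback. This is an added, constructed example and not code from the thread or from Cisco: the account names, passwords, server state and the `authenticate`/`method_*` helpers are all hypothetical, and it reproduces only the PASS/FAIL/ERROR rule the replies describe, without talking to any real server.

```python
"""Model of IOS AAA method-list fallback (constructed example, not Cisco code).

Rule modelled: the next method in a list is tried only when the previous
method returned ERROR (it could not be consulted, e.g. server unreachable).
A FAIL (the method reached a verdict and rejected the user) ends the attempt.
"""
from enum import Enum


class Result(Enum):
    PASS = "pass"    # method authenticated the user
    FAIL = "fail"    # method reached a verdict and rejected the user
    ERROR = "error"  # method could not be consulted (server unreachable, etc.)


# Constructed sample databases (hypothetical accounts, not from the thread).
# As in the thread's root cause, the "local" account also exists in ACS.
ACS_USERS = {"ad.user": "ad-secret", "localadmin": "cisco123"}
LOCAL_USERS = {"localadmin": "cisco123"}
ENABLE_SECRET = "enable-secret"


def method_tacacs(user, password, ctx):
    """group tacacs+: ERROR when no server answers, else the server's verdict."""
    if not ctx["server_up"]:
        return Result.ERROR
    return Result.PASS if ctx["acs_users"].get(user) == password else Result.FAIL


def method_local(user, password, ctx):
    """local: verdict from the switch's own user database."""
    return Result.PASS if LOCAL_USERS.get(user) == password else Result.FAIL


def method_enable(user, password, ctx):
    """enable: ERROR if no enable secret is configured, else compare against it."""
    if ctx["enable_secret"] is None:
        return Result.ERROR
    return Result.PASS if password == ctx["enable_secret"] else Result.FAIL


def method_none(user, password, ctx):
    """none: always succeeds (no authentication)."""
    return Result.PASS


METHODS = {
    "tacacs+": method_tacacs,
    "local": method_local,
    "enable": method_enable,
    "none": method_none,
}


def authenticate(method_list, user, password, server_up=True,
                 acs_users=ACS_USERS, enable_secret=ENABLE_SECRET):
    """Walk the method list; return (method that decided, verdict).

    Falls through to the next method only on ERROR. If every method errors,
    the login is rejected and (None, Result.ERROR) is returned.
    """
    ctx = {"server_up": server_up, "acs_users": acs_users,
           "enable_secret": enable_secret}
    for name in method_list:
        verdict = METHODS[name](user, password, ctx)
        if verdict is not Result.ERROR:
            return name, verdict
    return None, Result.ERROR


if __name__ == "__main__":
    vty = ["tacacs+", "local"]  # aaa authentication login vtylogin group tacacs+ local
    # 1. Local account also defined in ACS: TACACS+ says PASS; local is never asked.
    print(authenticate(vty, "localadmin", "cisco123"))
    # 2. Same account removed from ACS: TACACS+ says FAIL; no fallback to local.
    print(authenticate(vty, "localadmin", "cisco123", acs_users={"ad.user": "ad-secret"}))
    # 3. Server unreachable: only now does the local database decide.
    print(authenticate(vty, "localadmin", "cisco123", server_up=False))
    # 4. Console list "tacacs+ enable none" with server down and no enable secret:
    #    both earlier methods ERROR, so "none" lets the login through.
    print(authenticate(["tacacs+", "enable", "none"], "ad.user", "x",
                       server_up=False, enable_secret=None))
```

Case 1 is exactly what the original poster saw: with the account present in both databases, the successful login was a TACACS+ decision, which is why "debug aaa authentication" showed TACACS+ working and why removing the account from ACS fixed it. Case 4 shows why a trailing "none" on the console list only matters when every earlier method errors, not when one of them rejects the password.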

I am facing the same issue. I don't have the same user configured in TACACS as a local user, but still I am able to log in through TACACS as user1 as well as locally, at the same time, as user2.

What could be the issue? My ACS version is 4.2.

Post your AAA and VTY settings if you can.
