ACS Failover ??

Kurt Warner
Level 1

After configuring an ACS and having it up and working on a large number and types of Cisco switches and routers, I am faced with this: the way it was configured, it should have a fallback to local user and password if it cannot reach the ACS; mine just keeps looking for the ACS. Can I force a local login? Or is there an issue with my config, which is posted below?

!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
!
hostname test_tv
!
enable password ******
!
username admin privilege 15 password 0 line ******
aaa new-model
aaa group server radius rad_eap
!
aaa group server tacacs+ tac_admin
server 10.1.1.120
!
aaa authentication login default group tacacs+ local
aaa authentication login eap_methods group rad_eap
aaa authentication login eap_methods1 group rad_eap1
aaa authentication enable default group tac_admin
aaa authorization exec default group tac_admin group rad_admin
aaa authorization exec tac_admin group tac_admin
aaa authorization commands 0 default group tac_admin
aaa authorization commands 1 default group tac_admin
aaa authorization commands 2 default group tac_admin
aaa authorization commands 3 default group tac_admin
aaa authorization commands 4 default group tac_admin
aaa authorization commands 5 default group tac_admin
aaa authorization commands 6 default group tac_admin
aaa authorization commands 7 default group tac_admin
aaa authorization commands 8 default group tac_admin
aaa authorization commands 9 default group tac_admin
aaa authorization commands 10 default group tac_admin
aaa authorization commands 11 default group tac_admin
aaa authorization commands 12 default group tac_admin
aaa authorization commands 13 default group tac_admin
aaa authorization commands 14 default group tac_admin
aaa authorization commands 15 default group tac_admin
aaa authorization commands 15 tac_admin group tacacs+ none
aaa authorization network tac_admin group tacacs+
aaa accounting exec default start-stop group tac_admin
aaa accounting commands 15 default start-stop group tac_admin
aaa accounting network default start-stop group tac_admin
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
ip subnet-zero
no ip domain-lookup
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
snmp-server engineID local 000000090200000021000000
snmp-server community
snmp-server community
snmp-server host 10.1.1.110 inform version 2c
snmp-server host 10.1.1.110 version 2c
tacacs-server host 10.1.1.120
tacacs-server directed-request
tacacs-server key **********
radius-server source-ports *************
!
control-plane
!
banner motd ^
!
line con 0
password ******
stopbits 1
line vty 0 4
password ******
authorization commands 0 tac_admin
authorization commands 1 tac_admin
authorization commands 2 tac_admin
authorization commands 3 tac_admin
authorization commands 4 tac_admin
authorization commands 5 tac_admin
authorization commands 6 tac_admin
authorization commands 7 tac_admin
authorization commands 8 tac_admin
authorization commands 9 tac_admin
authorization commands 10 tac_admin
authorization commands 11 tac_admin
authorization commands 12 tac_admin
authorization commands 13 tac_admin
authorization commands 14 tac_admin
authorization commands 15 tac_admin
line vty 5 15
password ******
authorization commands 0 tac_admin
authorization commands 1 tac_admin
authorization commands 2 tac_admin
authorization commands 3 tac_admin
authorization commands 4 tac_admin
authorization commands 5 tac_admin
authorization commands 6 tac_admin
authorization commands 7 tac_admin
authorization commands 8 tac_admin
authorization commands 9 tac_admin
authorization commands 10 tac_admin
authorization commands 11 tac_admin
authorization commands 12 tac_admin
authorization commands 13 tac_admin
authorization commands 14 tac_admin
authorization commands 15 tac_admin
!
end

8 Replies

Hello Kurt

The command on the device shows that the primary method is TACACS+ and then local.

     aaa authentication login default group tacacs+ local

Is the ACS server unreachable from the device? Does it fail on authentication?

thanks

Devashree

The ACS sits on another network, and "what if" that link is down? When I have removed the ability to contact the ACS, I have no way to log in. I would have figured the switch would detect it could not reach the ACS and try local login, but that is not happening.

It should fail over if the ACS is really unreachable.

Can you turn on some debug tacacs and debug aaa?

hi Kurt,

you have ....

aaa authentication login default group tacacs+ local

and then...

aaa authorization exec default group tac_admin group rad_admin

I am thinking this could be the issue: the authorization of the exec shell should have a local option at the end in case your TACACS+ server fails.

Please post the below debugs

   debug tacacs events / packets / errors

   debug aaa

It cannot reach the ACS (in this case), so I couldn't log in to get that information.

Adding the local worked; I can now get to the command prompt, BUT when I type enable it says:

"% error in Authentication" and returns me to the > with nothing to enter.

Isn't that because of this line:

aaa authentication enable default group tac_admin

Shouldn't that also fallback to local?
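The pattern the thread converges on is the same for every method list: whatever comes last must not depend on a reachable AAA server. As an added example (not code from the thread or from Cisco), here is a small audit that scans an IOS configuration for `aaa authentication login/enable` and `aaa authorization exec/commands` lists whose final method still needs a server and prints the line with a fallback keyword appended; the suggested keywords (`local`, `enable`, `if-authenticated`) are this example's assumptions from common practice, and the sample input is an excerpt of the configuration posted above.

```python
import re
from typing import List, NamedTuple

# Methods that need no reachable TACACS+/RADIUS server. A list whose LAST
# method is not one of these locks you out when the server is unreachable.
FALLBACK_METHODS = {"local", "local-case", "enable", "line", "none", "if-authenticated"}

# Fallback to suggest per list type (assumption: common practice; note that
# 'aaa authentication enable' falls back to the enable secret, not a username).
SUGGESTED = {
    ("authentication", "login"): "local",
    ("authentication", "enable"): "enable",
    ("authorization", "exec"): "local",
    ("authorization", "commands"): "if-authenticated",
}

# aaa <kind> <service> [<priv level>] <list name> <method ...>
AAA_RE = re.compile(
    r"^aaa (authentication|authorization) (login|enable|exec|commands)"
    r"(?: (\d+))? (\S+) (.+)$"
)

class Finding(NamedTuple):
    line: str        # offending config line as written
    name: str        # method list name, e.g. "default"
    suggestion: str  # same line with a fallback method appended

def audit_aaa(config: str) -> List[Finding]:
    """Return each matching method list whose last method still needs a server."""
    findings = []
    for raw in config.splitlines():
        m = AAA_RE.match(raw.strip())
        if not m:
            continue  # not a login/enable/exec/commands method list
        kind, service, _level, name, methods = m.groups()
        if methods.split()[-1] in FALLBACK_METHODS:
            continue  # already ends in a server-independent method
        findings.append(Finding(m.group(0), name, f"{m.group(0)} {SUGGESTED[kind, service]}"))
    return findings

# Constructed sample: an excerpt of the configuration posted in the thread.
SAMPLE_CONFIG = """\
aaa authentication login default group tacacs+ local
aaa authentication login eap_methods group rad_eap
aaa authentication enable default group tac_admin
aaa authorization exec default group tac_admin group rad_admin
aaa authorization commands 15 default group tac_admin
aaa authorization commands 15 tac_admin group tacacs+ none
"""

if __name__ == "__main__":
    print(*(f"{f.line}\n  -> {f.suggestion}" for f in audit_aaa(SAMPLE_CONFIG)), sep="\n")
```

The 802.1X list `eap_methods` is reported as well; whether a local fallback makes sense there is a judgement call the script leaves to the reviewer.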