06-21-2011 09:13 AM - edited 03-10-2019 06:10 PM
After configuring an ACS and having it up and working on a large number and types of Cisco switches and routers, I am faced with this: the way it was configured, it should have a fallback to a local user and password if it cannot reach the ACS; mine just keeps looking for the ACS. Can I force a local login? Or is there an issue with my config, which is posted below?
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
!
hostname test_tv
!
enable password ******
!
username admin privilege 15 password 0 line ******
aaa new-model
aaa group server radius rad_eap
!
aaa group server tacacs+ tac_admin
server 10.1.1.120
!
aaa authentication login default group tacacs+ local
aaa authentication login eap_methods group rad_eap
aaa authentication login eap_methods1 group rad_eap1
aaa authentication enable default group tac_admin
aaa authorization exec default group tac_admin group rad_admin
aaa authorization exec tac_admin group tac_admin
aaa authorization commands 0 default group tac_admin
aaa authorization commands 1 default group tac_admin
aaa authorization commands 2 default group tac_admin
aaa authorization commands 3 default group tac_admin
aaa authorization commands 4 default group tac_admin
aaa authorization commands 5 default group tac_admin
aaa authorization commands 6 default group tac_admin
aaa authorization commands 7 default group tac_admin
aaa authorization commands 8 default group tac_admin
aaa authorization commands 9 default group tac_admin
aaa authorization commands 10 default group tac_admin
aaa authorization commands 11 default group tac_admin
aaa authorization commands 12 default group tac_admin
aaa authorization commands 13 default group tac_admin
aaa authorization commands 14 default group tac_admin
aaa authorization commands 15 default group tac_admin
aaa authorization commands 15 tac_admin group tacacs+ none
aaa authorization network tac_admin group tacacs+
aaa accounting exec default start-stop group tac_admin
aaa accounting commands 15 default start-stop group tac_admin
aaa accounting network default start-stop group tac_admin
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
ip subnet-zero
no ip domain-lookup
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
snmp-server engineID local 000000090200000021000000
snmp-server community
snmp-server community
snmp-server host 10.1.1.110 inform version 2c
snmp-server host 10.1.1.110 version 2c
tacacs-server host 10.1.1.120
tacacs-server directed-request
tacacs-server key **********
radius-server source-ports *************
!
control-plane
!
banner motd ^
!
line con 0
password ******
stopbits 1
line vty 0 4
password ******
authorization commands 0 tac_admin
authorization commands 1 tac_admin
authorization commands 2 tac_admin
authorization commands 3 tac_admin
authorization commands 4 tac_admin
authorization commands 5 tac_admin
authorization commands 6 tac_admin
authorization commands 7 tac_admin
authorization commands 8 tac_admin
authorization commands 9 tac_admin
authorization commands 10 tac_admin
authorization commands 11 tac_admin
authorization commands 12 tac_admin
authorization commands 13 tac_admin
authorization commands 14 tac_admin
authorization commands 15 tac_admin
line vty 5 15
password ******
authorization commands 0 tac_admin
authorization commands 1 tac_admin
authorization commands 2 tac_admin
authorization commands 3 tac_admin
authorization commands 4 tac_admin
authorization commands 5 tac_admin
authorization commands 6 tac_admin
authorization commands 7 tac_admin
authorization commands 8 tac_admin
authorization commands 9 tac_admin
authorization commands 10 tac_admin
authorization commands 11 tac_admin
authorization commands 12 tac_admin
authorization commands 13 tac_admin
authorization commands 14 tac_admin
authorization commands 15 tac_admin
!
end
06-21-2011 10:43 AM
Hello Kurt
The command on the device shows that the primary method is TACACS and then local.
aaa authentication login default group tacacs+ local
Is the ACS server unreachable from the device? Does it fail on authentication?
Thanks
Devashree
06-22-2011 06:14 AM
The ACS sits on another network, and "what if" that link is down? When I have removed the ability to contact the ACS, I have no way to log in. I would have figured the switch would detect it could not reach the ACS and try local login, but that is not happening.
06-23-2011 01:00 AM
It should fail over if the ACS is really unreachable.
Can you turn on some debug tacacs and debug aaa ?
06-28-2011 05:54 AM
Hi Kurt,
You have ...
aaa authentication login default group tacacs+ local
and then ...
aaa authorization exec default group tac_admin group rad_admin
I am thinking this could be the issue: the authorization of the exec shell should have a local option at the end in case your TACACS server fails.
06-29-2011 10:40 AM
Please post the debugs below:
debug tacacs events / packets / errors
debug aaa
06-30-2011 10:05 AM
It cannot reach the ACS (in this case), so I couldn't log in to get that information.
07-06-2011 10:19 AM
Adding the local worked; I can now get to the command prompt, BUT when I type enable it says:
"% error in Authentication" and returns me to the > prompt with nothing to enter.
07-12-2011 06:35 AM
Isn't that because of this line:
aaa authentication enable default group tac_admin
Shouldn't that also fallback to local?
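The thread boils down to one rule: every AAA method list that a login path depends on (login authentication, exec authorization, enable authentication, and command authorization) needs a final method that still works when the TACACS+ servers are unreachable, otherwise the device keeps asking the server and the session is rejected. The Python script below is an added example, not code from the thread or from Cisco: it scans a constructed excerpt of the posted config, flags any method list made up only of `group` entries, and prints the line with an assumed fallback appended. The fallback choices are assumptions of this example: `local` for login authentication and exec authorization (exec authorization then uses the `privilege 15` on the local `username`), `enable` (the enable password/secret) for enable authentication, and `if-authenticated` for command authorization. The regex, function names and the `SAMPLE_CONFIG` excerpt are all constructed here.

```python
import re

# Constructed sample: only the AAA method-list lines from the posted config that
# decide whether a login can succeed without the ACS (not the whole config).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tac_admin
aaa authorization exec default group tac_admin group rad_admin
aaa authorization commands 15 default group tac_admin
aaa authorization commands 15 tac_admin group tacacs+ none
"""

# Captures: list type, list name, and the method string that follows them.
METHOD_LIST_RE = re.compile(
    r"^aaa (authentication login|authentication enable|authorization exec|"
    r"authorization commands \d+)\s+(\S+)\s+(.+)$"
)

# Assumed fallback per list type (not taken from the thread). 'enable' is the
# enable password/secret; 'local' is the local username database;
# 'if-authenticated' authorizes anyone who has already logged in.
FALLBACKS = {
    "authentication login": "local",
    "authentication enable": "enable",
    "authorization exec": "local",
}


def parse_methods(text):
    """Split 'group tacacs+ local' into ['group tacacs+', 'local']."""
    tokens = text.split()
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append("group " + tokens[i + 1])
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def fallback_for(kind):
    if kind.startswith("authorization commands"):
        return "if-authenticated"
    return FALLBACKS[kind]


def audit(config_text):
    """Return one finding per method list that contains only server groups."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = METHOD_LIST_RE.match(line)
        if not m:
            continue
        kind, name, methods_text = m.groups()
        methods = parse_methods(methods_text)
        # A list whose every method is a remote server group has no way to
        # succeed once those servers are unreachable.
        if all(meth.startswith("group ") for meth in methods):
            findings.append({
                "list": f"{kind} {name}",
                "methods": methods,
                "suggested": f"{line} {fallback_for(kind)}",
            })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f['list']}: only server groups {f['methods']}")
        print(f"  suggested: {f['suggested']}")
```

Run against the sample, the script leaves the `login default` list alone (it already ends in `local`), skips the named `tac_admin` command list (it ends in `none`), and flags the three lists the thread stumbled over in turn: `enable` authentication, `exec` authorization and the level-15 command list. Test a change like this on a console session while the server is reachable, then verify the fallback by making the server unreachable on a lab device before relying on it.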