Configuring AAA fallback to local on Nexus 9k

To Whom it May Concern,

I've configured the following:

!
tacacs-server key abcdefg
tacacs-server host x.x.x.x timeout 5
tacacs-server host y.y.y.y timeout 5
aaa group server tacacs+ tacacs
  server x.x.x.x
  server y.y.y.y
  use-vrf management
  source-interface mgmt0
!
aaa authentication login default group tacacs
aaa authorization commands default group tacacs local
aaa accounting default group tacacs
!
username admin password 5 $5$FGFIEN$6.3JWzAkkhZvxNrbd6pB6P6UqFULglpyhgJgwq9WQbA role network-admin
!

What I'm looking at is to ensure that fallback works when TACACS+ is enabled. However, I shouldn't be able to use the "admin" account even when TACACS+ is working. What am I doing wrong? It seems that "admin" is still allowed with TACACS+ working.

Cheers,

Rash

2 REPLIES
Beginner

Hi,

AAA works in order of the method types.

If there is no response from one method, it passes to the next method, and vice versa.

If it fails at one method, it does not pass to another method and rejects.

You defined one method for authentication, group tacacs, and if TACACS+ authentication fails you get an authentication failure message.

You should add to the configuration:

aaa authentication login default group tacacs local

or you should define a user in TACACS+ whose name is admin.

Best regards.
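To make the ordering rules in this reply concrete, here is an added Python model, written for this page rather than taken from the thread or from NX-OS, of a method list evaluated in order with the no-response and fail cases kept distinct; the method stand-ins and the users "rash" and "admin" are constructed.

```python
from enum import Enum
from typing import Callable, Dict, List

class Result(Enum):
    PASS = "pass"                 # method authenticated the user
    FAIL = "fail"                 # method answered and rejected the login
    NO_RESPONSE = "no-response"   # method could not be reached (timeout)

# A method takes (username, password) and returns a Result.
Method = Callable[[str, str], Result]

def tacacs_group(users: Dict[str, str], reachable: bool) -> Method:
    """Constructed stand-in for 'group tacacs'; silent when unreachable."""
    def check(user: str, password: str) -> Result:
        if not reachable:
            return Result.NO_RESPONSE
        return Result.PASS if users.get(user) == password else Result.FAIL
    return check

def local_database(users: Dict[str, str]) -> Method:
    """Stand-in for 'local': the 'username ... password' lines on the box."""
    def check(user: str, password: str) -> Result:
        return Result.PASS if users.get(user) == password else Result.FAIL
    return check

def authenticate(method_list: List[Method], user: str, password: str) -> Result:
    """Evaluate methods in order: NO_RESPONSE hands over to the next method,
    PASS or FAIL is final, and a list with no answer at all is rejected."""
    for method in method_list:
        result = method(user, password)
        if result is not Result.NO_RESPONSE:
            return result
    return Result.FAIL  # every method silent: fail closed

# Constructed users: 'rash' exists only in TACACS+, 'admin' only locally.
TACACS_USERS = {"rash": "tacacs-secret"}
LOCAL_USERS = {"admin": "local-secret"}

def outcomes(tacacs_reachable: bool) -> Dict[str, Result]:
    """Compare the thread's two method lists for one server state."""
    tacacs = tacacs_group(TACACS_USERS, tacacs_reachable)
    local = local_database(LOCAL_USERS)
    return {
        # 'aaa authentication login default group tacacs' (original post)
        "tacacs_only/admin": authenticate([tacacs], "admin", "local-secret"),
        # 'aaa authentication login default group tacacs local' (reply)
        "tacacs_local/admin": authenticate([tacacs, local], "admin", "local-secret"),
        "tacacs_local/rash": authenticate([tacacs, local], "rash", "tacacs-secret"),
    }
```

In this model the local "admin" account is only reachable when TACACS+ gives no response at all, not when the server answers with a rejection.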

Beginner

There is default support for "local". You do not have to specifically identify it. That said, I agree with you about having the "admin" name defined in TACACS+. Unfortunately, I do not have access to that server.