local username and password if ACS server fails

ohareka70 (Level 3)

Hello,

I have every router and switch set up for login authentication via the ACS server. I have used these 12 lines below and it is working fine. Every engineer has their own account.

aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authorization exec default if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa session-id common

tacacs-server host x.x.x.x
tacacs-server directed-request
tacacs-server key WHATEVER

----------------------------------------------

I would like to add to this a local username and password so that if the ACS server was offline the engineers would still have to login with a default username and password i.e

username MYUSERNAME privilege 15 secret mypassword


line vty 0 4
login local

Q. How do I do this so the ACS server has first preference and users only log in with the local username and password if the ACS server is down?

regards,

Kevin


6 Replies

Right now you have the enable password as the fall back method:

aaa authentication login default group tacacs+ enable

Change "enable" to "local" and the local (on the router) database of usernames and passwords will be used.

The same works for enable authentication (the second "aaa authentication ..." line in the config you posted).

Javier,

I did try this and what this does is let me log in with the local account but bypasses the TACACS account. I want it to use the TACACS account first and only use the local account when the TACACS account fails. Maybe this is not possible.

If I put it back to the way it was and stop the ACS server then it falls back to the enable password on the router.

thanks

Kevin

Hi Kevin,

Please do the following:

line vty 0 4

no login local

no aaa authentication login default group tacacs+ enable
no aaa authentication enable default group tacacs+ enable

aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ local

In this case the authentication will head to your tacacs server first and then to local only if the TACACS server is down.

Hope this helps.

Regards,

Anisha

P.S.: Please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

Anisha,

The first line was OK but it won't accept the second line: aaa authentication enable default group tacacs+ local

So I have had to leave it as aaa authentication enable default group tacacs+ enable until I work out why it won't accept the command.

I tested the config on one switch by turning off TACACS for that one switch. It prompted me for the local username and password and I logged in OK. But I had to log in with the enable password on the router until I work out why the line above in bold won't go on the switch.

The switch involved is a C2960 Software (C2960-LANBASE-M), Version 12.2(35)SE5.

Any ideas why it won't accept aaa authentication enable default group tacacs+ local?

Did that line work OK on your switch / router config?

regards,

Kevin

Hi Kevin,

My apologies, the command you have is correct. The local option is not present for enable authentication.

Hope this helps.

Regards,

Anisha
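The design the thread settles on (TACACS+ first, local usernames only when the ACS server is unreachable, enable password as the fallback for enable authentication, and no `login local` on the vty lines) is easy to get subtly wrong across a fleet of switches. The following audit script is an added example, not part of the thread or of Cisco's tooling; it checks a running-config excerpt for exactly those points. The sample config, the 192.0.2.10 server address and the finding texts are constructed for the example.

```python
import re

# Constructed running-config excerpt (not from any real device), modelled on the
# thread's final state: TACACS+ first, local fallback for login, enable-password
# fallback for enable authentication, plus the stray 'login local' on the vty.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
username MYUSERNAME privilege 15 secret mypassword
enable secret myenablepassword
tacacs-server host 192.0.2.10
tacacs-server key WHATEVER
line vty 0 4
 login local
"""

def method_list(config, kind):
    """Ordered methods of 'aaa authentication <kind> default'; [] if absent."""
    m = re.search(rf"^aaa authentication {kind} default (.+)$", config, re.M)
    # 'group <name>' is a two-word method, so tokenise it as one unit
    return re.findall(r"group \S+|\S+", m.group(1)) if m else []

def audit_fallback(config):
    """Return findings for the ACS-first, local-on-outage design from the thread."""
    lines = [l.strip() for l in config.splitlines()]
    findings = []
    if "aaa new-model" not in lines:
        findings.append("aaa new-model missing; method lists are not in effect")
    login = method_list(config, "login")
    if login[:1] != ["group tacacs+"]:
        findings.append("login: TACACS+ is not the first method")
    if login[-1:] != ["local"]:
        findings.append("login: no trailing 'local' fallback; an ACS outage locks engineers out")
    elif not any(re.match(r"username \S+ .*secret ", l) for l in lines):
        findings.append("login: 'local' fallback configured but no 'username ... secret' exists")
    enable = method_list(config, "enable")
    if "local" in enable:
        findings.append("enable: 'local' is not an accepted method for enable authentication; use 'enable'")
    if enable[-1:] == ["enable"] and not any(l.startswith("enable secret") for l in lines):
        findings.append("enable: fallback is the enable password but no 'enable secret' is set")
    if "login local" in lines:
        findings.append("line vty: 'login local' present; with aaa new-model use 'login authentication default'")
    return findings
```

Run `audit_fallback(open("running-config.txt").read())` against a saved `show running-config`; an empty list means the fallback chain matches the thread's final design.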

Happy enough now that I have a config that will do the job.

thanks

Kevin