I have a requirement. The devices are configured for a centralized TACACS server for AAA. For all users, authentication, authorization and accounting are done by Cisco ISE. But for one particular user, we would like to make use of the local username and password created in the devices to authenticate and authorize (requires priv 15 access) and not be sent to ISE TACACS. What is the procedure for doing it?
I do not believe that there is a really good solution that achieves your requirement that for a single user authentication would be done using the local configured user ID and all others would authenticate via TACACS. There are a couple of possibilities that come close but each has some disadvantage in its implementation.
- depending on how many user IDs are configured you might just configure aaa authentication to use local as the first alternative and TACACS as the backup. In doing this any user who attempts to login and is not in the local config will then be sent to TACACS for authentication. But any user who is in the local config will authenticate with the local ID which is not following your requirement that only a single user will authenticate locally.
- if you could assure that this user would always connect on a particular vty you could configure that vty with a different aaa authentication which specifies local authentication while the other vtys would specify TACACS. The weakness here is how to be sure that the particular user gets that vty and how to prevent other users from getting that vty.
- I wonder if there is something that you could do with an EEM applet that could check user login requests and do something for that particular user to authenticate locally. But that would be complex to accomplish and I am not even sure that it would work.
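The two workable options in the answer above, written out as an added IOS configuration example (this is not configuration from the original post or from Cisco; server addresses, the shared key, the local username, the management subnet and the alternate SSH port are placeholders I chose, and the rotary/`ip ssh port` steering assumes a platform that supports it). Option 1 puts `local` before the TACACS group in the default login and exec-authorization lists, so a username that is not in the local database falls through to ISE, with the downside the answer notes: every locally configured user bypasses ISE, not just one. Option 2 keeps ISE first on the normal vty lines and dedicates one vty to local-only AAA; `access-class` limits which source addresses may reach that line, and the rotary group pins it to a separate SSH port so the intended user can be steered onto it deliberately rather than by chance.

```cisco
aaa new-model
!
tacacs server ISE-1
 address ipv4 192.0.2.10          ! placeholder ISE PSN address
 key REPLACE-WITH-SHARED-SECRET    ! placeholder, set per device
aaa group server tacacs+ ISE-TACACS
 server name ISE-1
!
! Local account for the one user who must not be sent to ISE.
! Privilege 15 is granted by the local database during exec authorization.
username break-glass privilege 15 secret REPLACE-WITH-STRONG-SECRET
!
! ---- Option 1: local database first, ISE as the next method ----
! If the username is absent locally, IOS moves on to the TACACS group;
! if it is present locally, it is authenticated locally (any local user
! will bypass ISE, which is the disadvantage noted in the answer).
aaa authentication login default local group ISE-TACACS
aaa authorization exec default local group ISE-TACACS
aaa accounting exec default start-stop group ISE-TACACS
aaa accounting commands 15 default start-stop group ISE-TACACS
!
! ---- Option 2: ISE on the normal vtys, one vty reserved for local AAA ----
! Normal lines: ISE first, local only if every TACACS server is unreachable
! (a wrong password at ISE does NOT fall back to local).
aaa authentication login VTY-ISE group ISE-TACACS local
aaa authorization exec VTY-ISE group ISE-TACACS local
! Reserved line: local database only, nothing sent to ISE for AAA.
aaa authentication login VTY-LOCAL local
aaa authorization exec VTY-LOCAL local
!
! Restrict which source addresses may reach the reserved line (assumed
! management subnet 198.51.100.0/24) and log anything else that tries.
ip access-list standard MGMT-LOCAL-VTY
 permit 198.51.100.0 0.0.0.255
 deny   any log
!
line vty 0 3
 login authentication VTY-ISE
 authorization exec VTY-ISE
 transport input ssh
 exec-timeout 10 0
!
line vty 4
 login authentication VTY-LOCAL
 authorization exec VTY-LOCAL
 access-class MGMT-LOCAL-VTY in
 rotary 1
 transport input ssh
 exec-timeout 10 0
!
! Steer SSH arriving on an alternate port (placeholder 2222) onto rotary
! group 1, i.e. onto vty 4, so the local user can target that line on
! purpose; connections to port 22 still land on vty 0-3 and go to ISE.
ip ssh port 2222 rotary 1
```

Use one option or the other, not both, since Option 1 rewrites the `default` lists. Before applying either to a production device, confirm the behaviour on a lab box with `debug aaa authentication` and `show users`, and keep a console session open so a mistake in the method lists cannot lock you out. With Option 2 the reserved vty still appears in accounting only if you attach an accounting method to it; leaving accounting off that line means the local user's session is not recorded at ISE, which is worth weighing before relying on it.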
Yes it does. I do not believe that there is any solution that provides a clean effective way to achieve your requirement. I believe that the best you can do is something that comes close but will have some disadvantage.