As long as tacacs+ is reachable, you can't use the local username and password.

So, say someone turn off the tacacs+ server. At that time since tacacs+ is not reachable. you log in using the local username and password.

HTH 

Hello Richard,

I found a complex behavior of the local method:

if set like 'local group radius' even if the local database is populated, the authentication will use radius for unknown users, if the local database is not populated, it uses the next method: radius

if set like 'local enable' and the local database is not populated, the fallback to enable method is not used, and it's not the behavior i expect, because if i use aaa on my console line and if i remove all users from the local database, i will have to do a password recovery even if i did set the enable password and the enable method.

Then, on my switch, there is no point to set the enable method after the local one. (Or it's a bug on my IOS version)

Regards, Guillaume

The original poster asks this question

I have a local username and password, what is the point of adding a password under line vty or even line console as well?

My answer is that it depends on what is your opinion about insurance? My opinion is that insurance is to protect us when unexpected things happen. If you have radius and have the local user as backup that would protect you if radius is not working. If you are absolutely confident that the local user ID will always be available and will work then you need no further insurance. If you think that somehow there might be a circumstance where the local user ID is not there or does not work then it becomes desirable to have a further level of insurance.

Guillaume

You observe that "if set like 'local enable' and the local database is not populated, the fallback to enable method is not used ". I am surprised at that. I would expect that enable should work. I would hope that this might be an anomaly in a particular version of software rather than a general behavior.

HTH

Rick

I totally agree,

just to show a demo (Cisco C3560 - IOS15.0(2)SE9 reached EOL long time ago...) :

'local enable' and local database not populated

ACCESS1#show running-config | include ( TEST )
aaa authentication login TEST local enable
aaa authorization exec TEST if-authenticated 
ACCESS1#show running-config | section vty     
line vty 0 4
 exec-timeout 1440 0
 authorization exec TEST
 login authentication TEST
 transport input telnet
line vty 5 15
 exec-timeout 1440 0
 authorization exec TEST
 login authentication TEST
 transport input telnet
ACCESS1#

ACCESS1#show running-config | include username
ACCESS1#

ACCESS1#show running-config | include enable password
enable password enpass
ACCESS1#

DISTRIB1#telnet 10.2.0.3
Trying 10.2.0.3 ... Open

User Access Verification

Username: admin
Password: 

% Authentication failed

Username: admin
Password: 

% Authentication failed

Username: admin
Password: 

% Authentication failed

[Connection to 10.2.0.3 closed by foreign host]
DISTRIB1#telnet 10.2.0.3
Trying 10.2.0.3 ... Open


User Access Verification

Username: 
Username: 
Username: 

[Connection to 10.2.0.3 closed by foreign host]
DISTRIB1#

But if i reverse the method:

'enable local' + enable password not set + local database populated, the fallback method is used, and that's what i expected

ACCESS1(config)#aaa authentication login TEST enable local
ACCESS1(config)#user
ACCESS1(config)#username admin password admin
ACCESS1(config)#no enable password

DISTRIB1#telnet 10.2.0.3
Trying 10.2.0.3 ... Open

User Access Verification

Username: admin
Password: 

ACCESS1>

It would be great to know if this is still the same behavior on recent devices.

Regards, Guillaume

That is the behavior i expected but it fails on my switch,

The password your are asked for depends on the method list:

• 'line' = password configured under the line configuration with 'password ...' command
• 'enable' = password configured with 'enable password ...' or 'enable secret ...' command

Regards, Guillaume