Enabling local console access when TACACS is enabled

aniket0422
Level 1
Hi All,
I am configuring a new switch. I have done the basic line vty configuration as below.
#username cisco password cisco
#enable secret cisco
#service password-encryption
#line vty 0 4
#login local
#transport input all
#save
When I logged in the next time, the switch asked me for a username and password. I entered cisco/cisco and was able to log into the switch.
Then I enabled TACACS and entered all the TACACS configuration as per the customer requirement. I am able to log into the switch through telnet/ssh using a TACACS username and password, but I lost my console access using the local username and password, i.e. cisco/cisco.
I want the local username and password I have created, i.e. cisco/cisco, to work on telnet/ssh/console even when TACACS is enabled. How can I achieve this?
At least when my TACACS login is not working, I should be able to log into the switch via console using the local username and password.

17 Replies

Thanks for the additional information. If the tech user is able to log in when the authentication server is not available and not able to log in when the authentication server is available, it suggests that the issue may be with the authentication server and not with your switch. I have several questions and suggestions:

- Is the problem just with the tech user? Are other users able to log in to the switch when the authentication server is available?

- At a time when the authentication server is available, have the tech user attempt to log in, then check the logs from the authentication server and see if any logs are generated relating to this attempt.

- Check in the authentication server and verify whether the tech user has an appropriate entry there.

HTH

Rick

The tech user doesn't have an entry on the authentication server. I wanted it to be an account separate from the server. None of the local users work unless the server is unavailable.

This clarification is helpful. Normally when you implement TACACS you would put most of the user IDs into the authentication server (with perhaps one or two IDs configured locally to use if TACACS is not available). But you want some users to authenticate using TACACS while other users authenticate locally.

In one of your posts I see

line con 0
login authentication local-auth

In this case local-auth would be an alternative method for authenticating. Have you configured an authentication list named local-auth? If so, what is in it?

As a first step in finding a solution, I suggest that you change your default authentication to something like this:

aaa authentication login default local group tacacs+ enable

Try that and let us know if the tech user is able to log in. (They probably cannot get into privileged mode, but that would be another step; let's make sure the first one works.)

HTH

Rick
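The behaviour both posts above hinge on is the IOS AAA method-list rule: a method returns PASS, FAIL or ERROR, and the next method in the list is tried only on ERROR, never on FAIL. With `group tacacs+ local`, the local database is consulted only when no TACACS+ server answers, which is exactly why a locally defined user works only while the server is down; with Rick's `local group tacacs+ enable`, a locally defined user is accepted before the server is asked at all. The model below is an added example written for this thread (not code from the posts or from Cisco); the config snippets, usernames, passwords and server state are constructed, and the rule that an attempt is denied when every method returns ERROR is an assumption about IOS.

```python
"""Model of how Cisco IOS evaluates an AAA login method list.

Added illustration for this thread, not code from the posts or from Cisco.
It encodes the AAA rule that a method returns PASS, FAIL or ERROR and that
the next method in a list is consulted only on ERROR, never on FAIL:
  local         -> ERROR if the username is not local, FAIL on a bad password
  group tacacs+ -> ERROR when no TACACS+ server answers, FAIL on a reject
  enable        -> PASS only if the password equals the enable secret
All usernames, passwords and server state below are constructed test data.
"""
from dataclasses import dataclass

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

# Constructed IOS snippet: console gets its own list, vty uses 'default'.
CONFIG_TACACS_FIRST = """
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE local
line con 0
 login authentication CONSOLE
line vty 0 4
 login authentication default
"""

# The default list suggested in the thread: local is consulted first.
CONFIG_LOCAL_FIRST = CONFIG_TACACS_FIRST.replace(
    "default group tacacs+ local", "default local group tacacs+ enable")


def parse_method_lists(config):
    """Return {list_name: [method, ...]} from 'aaa authentication login' lines."""
    lists = {}
    for line in config.splitlines():
        parts = line.split()
        if parts[:3] != ["aaa", "authentication", "login"]:
            continue
        name, words, methods = parts[3], parts[4:], []
        while words:                      # 'group tacacs+' is one two-word method
            if words[0] == "group":
                methods.append("group " + words[1])
                words = words[2:]
            else:
                methods.append(words[0])
                words = words[1:]
        lists[name] = methods
    return lists


def parse_line_lists(config):
    """Return {line_name: list_name}, e.g. {'con 0': 'CONSOLE'}."""
    result, current = {}, None
    for line in config.splitlines():
        parts = line.split()
        if parts[:1] == ["line"]:
            current = " ".join(parts[1:])
        elif parts[:2] == ["login", "authentication"] and current:
            result[current] = parts[2]
    return result


@dataclass
class Device:
    local_users: dict          # local 'username ... password' entries
    enable_secret: str
    tacacs_users: dict         # accounts known to the TACACS+ server
    tacacs_reachable: bool = True


def run_method(method, dev, user, password):
    """Apply one AAA method and return PASS, FAIL or ERROR."""
    if method == "local":
        if user not in dev.local_users:
            return ERROR
        return PASS if dev.local_users[user] == password else FAIL
    if method == "group tacacs+":
        if not dev.tacacs_reachable:
            return ERROR
        return PASS if dev.tacacs_users.get(user) == password else FAIL
    if method == "enable":
        return PASS if password == dev.enable_secret else FAIL
    raise ValueError(f"method not modelled: {method!r}")


def login(dev, config, line_name, user, password):
    """Return (verdict, deciding_method) for a login attempt on a line.

    Lines without 'login authentication' use the 'default' list. If every
    method returns ERROR the attempt is denied (assumed IOS behaviour).
    """
    list_name = parse_line_lists(config).get(line_name, "default")
    for method in parse_method_lists(config)[list_name]:
        verdict = run_method(method, dev, user, password)
        if verdict != ERROR:
            return verdict, method
    return FAIL, None


def demo():
    """Reproduce the thread: 'tech' exists only locally, 'alice' only on TACACS+."""
    dev = Device(local_users={"cisco": "cisco", "tech": "t3ch"},
                 enable_secret="en4ble", tacacs_users={"alice": "Wonderl4nd"})
    out = {}
    out["alice vty, tacacs up"] = login(dev, CONFIG_TACACS_FIRST, "vty 0 4", "alice", "Wonderl4nd")
    out["tech vty, tacacs up"] = login(dev, CONFIG_TACACS_FIRST, "vty 0 4", "tech", "t3ch")
    out["tech con, tacacs up"] = login(dev, CONFIG_TACACS_FIRST, "con 0", "tech", "t3ch")
    out["tech vty, local first"] = login(dev, CONFIG_LOCAL_FIRST, "vty 0 4", "tech", "t3ch")
    dev.tacacs_reachable = False
    out["tech vty, tacacs down"] = login(dev, CONFIG_TACACS_FIRST, "vty 0 4", "tech", "t3ch")
    out["alice vty, tacacs down"] = login(dev, CONFIG_TACACS_FIRST, "vty 0 4", "alice", "Wonderl4nd")
    return out


if __name__ == "__main__":
    for case, (verdict, method) in demo().items():
        print(f"{case:24} -> {verdict} (decided by {method})")
```

Two practical points follow from the model. First, the console already works with the local account if `line con 0` is bound to its own list (`aaa authentication login CONSOLE local`), without touching the vty policy at all. Second, putting `local` first in the default list means every locally configured account bypasses central TACACS+ policy and logging on every line, so keep that set to a break-glass account or two, give them strong secrets, and prefer `group tacacs+ local` on the vty lines so the local database is only consulted when the server is unreachable.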