Error in Authentication in enable when radius is down.

Hello,

I'm having a problem going to enable mode when my TACACS+ server is down.

I have Cisco ISE in place working as my TACACS server, which is working correctly. The problem I'm having is that when the switch loses connectivity to ISE and I need to log in with the console cable, I can log in using a local account on the switch, but when I try to change the prompt to enable I get the "Error in Authentication".

Extra Info:

RADIUS is being used in ISE for basic MAB port authentication.

____________________________________

username xxxxxxxx privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxx
aaa new-model
!
!
aaa group server radius RAD_CTSCISE
 server name RAD_CTSCISE
!
aaa authentication login default group tacacs+ local
aaa authentication login console local
aaa authentication enable default group tacacs+ enable
aaa authentication dot1x default group RAD_CTSCISE
aaa authorization exec default group tacacs+ local
aaa authorization network default group RAD_CTSCISE
aaa authorization auth-proxy default group RAD_CTSCISE
aaa accounting update newinfo
aaa accounting dot1x default start-stop group RAD_CTSCISE
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 7 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
!
line con 0
 logging synchronous
 login authentication console

_____________________________________________________

Thank You,

Accepted Solutions

marce1000
VIP

 - It's always advisable to have local accounts and/or privileged mode, not being dependent on external authentication sources. That being said, could you flip "aaa authentication login default group tacacs+ local" into "aaa authentication login default group local tacacs+"

 M.

-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
    When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

Thanks.

 

I changed it to "aaa authentication login default local group tacacs+"
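
An added example, not part of the original thread and not Cisco tooling: a small Python check that reads a saved IOS config and flags management-plane AAA method lists whose fallback cannot succeed when the TACACS+ servers are unreachable. It assumes the `enable` method depends on a configured enable secret or password; the sample config is constructed from the AAA lines in the post, with a placeholder username and hash.

```python
import re

# Lists that gate device management access (dot1x/network lists are out of scope).
MGMT = {("authentication", "login"), ("authentication", "enable"), ("authorization", "exec")}
AAA_RE = re.compile(r"^aaa (authentication|authorization) (\S+) (\S+) (.+)$")

def parse_methods(text):
    """Split 'group tacacs+ local' into ['group tacacs+', 'local'], keeping order."""
    toks, out = text.split(), []
    while toks:
        t = toks.pop(0)
        out.append(f"group {toks.pop(0)}" if t == "group" and toks else t)
    return out

def audit(config):
    """Return (method list, problem) pairs for fallbacks that cannot work."""
    lines = [l.strip() for l in config.splitlines()]
    # Assumption: the 'enable' method needs an enable secret/password to exist.
    has_enable_secret = any(re.match(r"enable (secret|password)\b", l) for l in lines)
    has_local_user = any(l.startswith("username ") for l in lines)
    findings = []
    for l in lines:
        m = AAA_RE.match(l)
        if not m or (m.group(1), m.group(2)) not in MGMT:
            continue
        name = f"{m.group(1)} {m.group(2)} {m.group(3)}"
        # Later methods are tried only when earlier ones are unreachable, not on a reject.
        fallbacks = [x for x in parse_methods(m.group(4)) if not x.startswith("group ")]
        if not fallbacks:
            findings.append((name, "no fallback if servers are unreachable"))
        if "enable" in fallbacks and not has_enable_secret:
            findings.append((name, "falls back to 'enable' but no enable secret is set"))
        if "local" in fallbacks and not has_local_user:
            findings.append((name, "falls back to 'local' but no username is defined"))
    return findings

# Constructed sample based on the config excerpt in the post (credentials are placeholders).
SAMPLE = """username admin privilege 15 secret 5 PLACEHOLDER
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login console local
aaa authentication enable default group tacacs+ enable
aaa authentication dot1x default group RAD_CTSCISE
aaa authorization exec default group tacacs+ local"""

if __name__ == "__main__":
    for name, problem in audit(SAMPLE):
        print(f"{name}: {problem}")
```

The excerpt in the post shows no `enable secret` line; if one exists on the switch and was simply left out of the post, the finding on the enable list does not apply.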
