05-09-2007 07:57 AM - edited 03-05-2019 03:58 PM
Thanks to all, I appreciate your help!
I have a 4006 CatOS switch running 6.3. I can telnet and authenticate via TACACS servers. How do I make sure I'm able to serial console to the switch in the event IP connectivity to the TACACS servers is lost or the TACACS servers are down? This is the AAA config:
#authentication
set authentication login tacacs enable telnet primary
set authentication login tacacs enable http primary
set authentication enable tacacs enable telnet primary
set authentication enable tacacs enable http primary
set authentication login attempt 5 console
!
#authorization
set authorization exec enable tacacs+ deny console
set authorization exec enable tacacs+ deny telnet
set authorization enable enable tacacs+ deny console
set authorization enable enable tacacs+ deny telnet
set authorization commands enable all tacacs+ deny console
set authorization commands enable all tacacs+ deny telnet
end
05-09-2007 08:47 AM
Hi,
I think you are looking for this configuration:
Make sure there is a back door into the switch if the server is down by issuing the set authentication login local enable command.
Enable TACACS+ authentication by issuing the set authentication login tacacs enable command.
Define the server by issuing the set tacacs server #.#.#.# command.
Define the server key (optional with TACACS+, as it causes switch-to-server data to be encrypted. If used, it must agree with the server.) by issuing the set tacacs key your_key command.
HTH, rate if it does.
Regards,
Bjornarsb
05-09-2007 09:44 AM
You have to add the following command for login fallback on the switch:
set authentication login local enable all
This will enable the local fallback for HTTP, Telnet and console.
You also have to enable the local fallback for enable mode as well. If you don't do it, then you will not be able to go into enable mode. Do the following:
set authentication enable local enable all
Please make sure that you also enable local authorization fallback on the switch.
Please use the link below for more info:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/rel6_3/config/authent.htm#1020224
HTH, please rate if it does.
-amit singh
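A way to check a pasted config against the advice in this thread, as an added example that is not part of any post or of Cisco's documentation: the script lists which access methods have an explicit local login/enable line and which authorization types use deny as the fallback. It inspects only the lines given to it (not switch defaults), and it assumes that a missing method keyword means all and that the keyword after tacacs+ is the fallback option.

```python
METHODS = ("console", "telnet", "http")

# The original poster's AAA lines, copied from the thread.
POSTED = """\
set authentication login tacacs enable telnet primary
set authentication login tacacs enable http primary
set authentication enable tacacs enable telnet primary
set authentication enable tacacs enable http primary
set authentication login attempt 5 console
set authorization exec enable tacacs+ deny console
set authorization exec enable tacacs+ deny telnet
set authorization enable enable tacacs+ deny console
set authorization enable enable tacacs+ deny telnet
set authorization commands enable all tacacs+ deny console
set authorization commands enable all tacacs+ deny telnet
"""
# The two fallback commands suggested in the replies.
SUGGESTED = """\
set authentication login local enable all
set authentication enable local enable all
"""

def audit(config):
    """Per access method: explicit local auth lines seen, and the
    authorization types whose fallback option is 'deny'."""
    report = {m: {"login_local": False, "enable_local": False, "authz_deny": []}
              for m in METHODS}
    for line in config.splitlines():
        tok = line.split()
        if (tok[:2] == ["set", "authentication"]
                and tok[3:5] == ["local", "enable"] and tok[2] in ("login", "enable")):
            scope = tok[5] if len(tok) > 5 else "all"  # assumption: no keyword = all
            for m in (METHODS if scope == "all" else (scope,)):
                if m in report:
                    report[m][tok[2] + "_local"] = True
        elif tok[:2] == ["set", "authorization"] and "tacacs+" in tok:
            # Assumption: tacacs+ is followed by the fallback option, then the
            # access method, as in the posted lines.
            fallback, scope = (tok[tok.index("tacacs+") + 1:] + ["", ""])[:2]
            if fallback == "deny" and scope in report:
                report[scope]["authz_deny"].append(tok[2])
    return report

def console_findings(config):
    """Items to review before relying on the console during a TACACS+ outage."""
    c = audit(config)["console"]
    out = [f"no explicit 'set authentication {k} local enable' covering console"
           for k in ("login", "enable") if not c[k + "_local"]]
    return out + [f"{t} authorization on console falls back to deny"
                  for t in c["authz_deny"]]
```

Calling console_findings(POSTED + SUGGESTED) still returns the three authorization entries, which is the point of the last reply's reminder about authorization fallback.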