Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1563
Views
0
Helpful
2
Replies

How to fallback to console login when TACACS server down?

bravob
Level 1
Level 1

‎05-09-2007 07:57 AM - edited ‎03-05-2019 03:58 PM

Thanks to all, I appreciate your help!

I have a 4006 CatOS switch running 6.3, I can telnet and authenticate via TACACS servers, how do I make sure I'm able to serial console to the switch in the event IP connectivity to the TACACS servers is lost or the TACACS servers are down? This the AAA config:

#authentication

set authentication login tacacs enable telnet primary

set authentication login tacacs enable http primary

set authentication enable tacacs enable telnet primary

set authentication enable tacacs enable http primary

set authentication login attempt 5 console

!

#authorization

set authorization exec enable tacacs+ deny console

set authorization exec enable tacacs+ deny telnet

set authorization enable enable tacacs+ deny console

set authorization enable enable tacacs+ deny telnet

set authorization commands enable all tacacs+ deny console

set authorization commands enable all tacacs+ deny telnet

end

Labels:
0 Helpful
2 Replies 2

bjornarsb
Level 4
Level 4

‎05-09-2007 08:47 AM

Hi,

I think you are looking for this configuration:

Make sure there is a back door into the switch if the server is down by issuing the set authentication login local enable command.

Enable TACACS+ authentication by issuing the set authentication login tacacs enable command.

Define the server by issuing the set tacacs server #.#.#.# command.

Define the server key (optional with TACACS+, as it causes switch-to-server data to be encrypted. If used, it must agree with the server.) by issuing the set tacacs key your_key command.

HTH, rate if it does.

Regards,

Bjornarsb

0 Helpful

Amit Singh
Cisco Employee
Cisco Employee

‎05-09-2007 09:44 AM

You have to add the following command for login fall back on the switch

set authentication login local enable all

This will enable the local fallback for HTTP,Telnet and console.

You also have to enable the local fallback for enable mode as well.If you dont do it then you will not be able to go into the enable mode.Do the following:

set authentication enable local enable all

Please make sure that you also enable local authorization fall back also on the switch.

Please use the link below for more info:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/rel6_3/config/authent.htm#1020224

HTH,Please rate if it does.

-amit singh

0 Helpful
Customers Also Viewed These Support Documents