
Is it possible to use TACACS and local authentication at the same time on the Nexus 9000 platform?

Hi,

 

I need to configure a Nexus 9000 switch (N9K-C9348GC-FXP, release 7.0(3)I7(3)) to authenticate one or more users using TACACS and another user using local authentication simultaneously.

I tried to configure "aaa authentication login default local group GROUP_NAME" but it was not possible.

How can I do it?

 

Thank you,

Samuele


Hello,

 

What do you want to achieve: TACACS+ first and then local? Or TACACS+ for some users and local for others, at the same time?

Hello,

I want to achieve TACACS+ for some users, and local for others, at the same time.

Thanks,
Samuele

Hello Samuele 

Well, it seems to suggest it supports AAA and possibly rotary, so I cannot see why not - have a look here


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hello,

The post in the link speaks about a 3850 switch with IOS-XE, the commands indicated don't work in Nexus 9000 with NX-OS.

Thanks,
Samuele

Hello,

 

I think in NX-OS, the default fallback is local. So if you have configured:

 

aaa authentication login default group TACACS+

 

in case TACACS is not available or cannot authenticate, the default fallback is local. You can explicitly specify the fallback:

 

aaa authentication login default fallback error local

 

In your case, if you don't want certain users to use TACACS, just don't configure them on your TACACS server, but do configure them locally.

 

 

I've already configured certain users locally on the switch, but the authentication for them fails, because the switch tries to authenticate only against TACACS servers (and not against the local database).

Thanks,
Samuele

Not sure if you can do this since the Nexus does not support the rotary command:

 

This configuration example builds on the previous TACACS+ authentication example, including fallback authentication to the password that is configured locally with the enable secret command:

!
username admin password <password> role network-admin
!
aaa authentication login default group tacacs+
aaa authentication login default fallback error local
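
Added example (not part of any reply in this thread, and not Cisco code): a small Python check that reads the AAA lines quoted above from a saved configuration and reports when local accounts can actually be used. The group name TACGRP and the account localops are hypothetical, and the decision model is an assumption: the local database is consulted only when no server in the group answers, and the error fallback is on unless negated with "no".

```python
import re

# Constructed sample: the username and AAA lines quoted in the thread, plus a
# hypothetical second local account and a hypothetical server group name.
SAMPLE_CONFIG = """\
username admin password <password> role network-admin
username localops password <password> role network-operator
aaa authentication login default group TACGRP
aaa authentication login default fallback error local
"""

FALLBACK = "aaa authentication login default fallback error local"
LOGIN = "aaa authentication login default "

def parse_login_aaa(config):
    """Collect local users, the default login method list and the fallback flag."""
    state = {"users": [], "methods": ["local"], "fallback": True}  # assumed defaults
    for line in (l.strip() for l in config.splitlines()):
        user = re.match(r"username (\S+) ", line)
        if user:
            state["users"].append(user.group(1))
        elif line in (FALLBACK, "no " + FALLBACK):
            state["fallback"] = not line.startswith("no ")
        elif line.startswith(LOGIN):
            # "group A B local" -> ["A", "B", "local"]
            state["methods"] = [t for t in line[len(LOGIN):].split() if t != "group"]
    return state

def decide_source(state, servers_reachable):
    """Which database answers a default login under the assumed model."""
    remote = [m for m in state["methods"] if m not in ("local", "none")]
    if not remote:
        return state["methods"][0]
    if servers_reachable:
        return "remote"  # an accept or a reject from the server is final
    if "local" in state["methods"] or state["fallback"]:
        return "local"
    return "denied"

def findings(state):
    """Defender-facing notes on what the parsed configuration implies."""
    out = []
    remote = [m for m in state["methods"] if m not in ("local", "none")]
    if remote and state["users"]:
        out.append("local accounts %s are only consulted when %s is unreachable"
                   % (", ".join(state["users"]), "/".join(remote)))
    if remote and not state["fallback"] and "local" not in state["methods"]:
        out.append("no local fallback: a server outage locks out every login")
    return out
```
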

tjbuschur1

Check your line vty 0 15 config. Make sure "login authentication default" is set correctly. If you have it set to a TACACS group, it will still block you.

 

Also, you will need to set aaa authorization:

 

aaa authorization exec default local group tacacs+
