Is it possible to use TACACS and local authentication at the same time on the Nexus 3500 platform?

BINH_C_LE83
Level 1

I need to configure some Nexus 3500 switches to authenticate one or more users using TACACS and another user using local authentication simultaneously. For example, users A, B and C will log in using TACACS while user D will log in using local authentication. Can this be done? Thanks so much.

Accepted Solutions

Francesco Molino
VIP Alumni

Hi

I've answered the same question for RADIUS.

Below is the link to the post and my answer. (The config is based on RADIUS, but it should be adapted to TACACS without difficulty.)

https://supportforums.cisco.com/discussion/13045661/radius-authentication-some-group-users-and-local-authentication-another-group

To achieve what you're asking, there are many ways.

I'll give you 3 of them that don't need to play with Radius authentication results:

1. You can configure your aaa command to look in the local database and then at RADIUS, like:

aaa authentication login GRP-LOCAL-RADIUS local group radius

2. You can configure multiple aaa authentication (one looking only at the local database and one at RADIUS), then assign them to different lines (not the best)

Local:

aaa authentication login LOCAL-AUTH local
!
line vty 0 4
login authentication LOCAL-AUTH


Radius:

aaa authentication login RADIUS-AUTH group radius
!
line vty 5 15
login authentication RADIUS-AUTH

If you want to play with Radius.

Configure a standard aaa looking into Radius and then in local:

aaa authentication login RADIUS group RADIUS-SRV local

On the authentication rule, you need to send a DROP action when the user is not found.

Hope this helps.

PS: If this solved your issue, please don't forget to rate and mark as correct answer

Thanks


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
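
The fall-through behaviour the answer above relies on, as a small Python model (an added example, not part of the original post and not Cisco code). It assumes IOS-style method-list semantics in which only a non-answer moves on to the next method; the usernames, passwords and function names are constructed.

```python
# Toy model of AAA login method-list evaluation (added example, not Cisco code).
# Assumed semantics: a method answers PASS or FAIL (both final), or ERROR meaning
# "no answer", and only ERROR lets the device try the next method in the list.
from enum import Enum

class Result(Enum):
    PASS = "pass"
    FAIL = "fail"
    ERROR = "error"   # timeout / no answer: the only outcome that falls through

# Constructed sample data: A, B, C live on the server, D only on the switch.
SERVER_USERS = {"userA": "pwA", "userB": "pwB", "userC": "pwC"}
LOCAL_USERS = {"userD": "pwD"}

def local_method(user, password):
    # Assumption: a username missing from the local database counts as
    # "no answer" (ERROR); a known username with a bad password is a FAIL.
    if user not in LOCAL_USERS:
        return Result.ERROR
    return Result.PASS if LOCAL_USERS[user] == password else Result.FAIL

def server_method(unknown_user_action, reachable=True):
    # unknown_user_action models the server-side rule for "user not found":
    # "reject" sends an explicit reject, "drop" sends nothing (device times out).
    def method(user, password):
        if not reachable:
            return Result.ERROR
        if user not in SERVER_USERS:
            return Result.ERROR if unknown_user_action == "drop" else Result.FAIL
        return Result.PASS if SERVER_USERS[user] == password else Result.FAIL
    return method

def authenticate(method_list, user, password):
    """Walk the method list; return (result, name of the deciding method)."""
    for name, method in method_list:
        result = method(user, password)
        if result is not Result.ERROR:
            return result, name
    return Result.FAIL, "none"   # every method errored out: deny

# "local group <server>": option 1 in the answer.
LOCAL_FIRST = [("local", local_method), ("group", server_method("reject"))]
# "group <server> local" with the server rejecting unknown users.
SERVER_FIRST_REJECT = [("group", server_method("reject")), ("local", local_method)]
# "group <server> local" with the server dropping unknown users.
SERVER_FIRST_DROP = [("group", server_method("drop")), ("local", local_method)]
# Server unreachable: the local account is the only way in.
SERVER_DOWN = [("group", server_method("drop", reachable=False)), ("local", local_method)]
```

In this model a username defined both locally and on the server is always decided by whichever method comes first in the list, so local accounts are best kept few and distinct from server accounts.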


Thanks, I configured it to look into the TACACS first and then the local and it worked.  Appreciate it.

You're very welcome


Thanks
Francesco