Contributor

Is login local command under vty and console needed if AAA?

If I have the following AAA configs, do I still need to enter "login local" under the line console 0 and line vty 0 15 lines in order to use the local user account configured on the device to access the device if AAA is down?

 

aaa authentication login default group tacacs+ local line enable
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

1 ACCEPTED SOLUTION

VIP Mentor

Re: Is login local command under vty and console needed if AAA?

Here's a working one that may help. When the ACS server is down, it reverts back to username and local passwords.

 

aaa group server tacacs+ XLNX
 server-private X.X.X.X key 7 151F4E36366F237D2A64637F404632483002187F7D
 server-private X.X.X.X key 7 1214402D204E045D287C7275607406583642422678
 ip vrf forwarding Mgmt-vrf
 ip tacacs source-interface GigabitEthernet0/0/5
!
aaa authentication login default group XLNX local enable
aaa authentication enable default group XLNX enable
aaa authorization exec default group XLNX local
aaa accounting exec default start-stop group XLNX
aaa accounting commands 0 default start-stop group XLNX
aaa accounting commands 1 default start-stop group XLNX
aaa accounting commands 15 default start-stop group XLNX
aaa accounting network default start-stop group XLNX
aaa accounting connection default start-stop group XLNX
aaa accounting system default start-stop group XLNX


line vty 0 4
 exec-timeout 30 0
 length 0
 transport input ssh

 

username netadmin secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxx


4 REPLIES
VIP Expert

Re: Is login local command under vty and console needed if AAA?

No, you don't.  As long as you have a local user name and password on the device, you should be good to go.

HTH

Contributor

Re: Is login local command under vty and console needed if AAA?

Thanks, you da man!
So is "line" after "local" in my first line really necessary?
VIP Mentor

Re: Is login local command under vty and console needed if AAA?

No, it's local that's important, so it refers back to the local db usernames. It should work fine without line. I took that off one of my prod routers, so I know it works as is. That's using a VRF as well; if you're not using the mgmt VRF, you don't require that bit either.
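A way to check a saved configuration for the fallback discussed in this thread, as an added example that is not part of the original posts: it maps each line to the login method list it uses (the default list unless `login authentication <name>` overrides it) and reports lists with no `local` method or no local username. It assumes `aaa new-model` is enabled; `SAMPLE`, `methods`, `parse` and `audit` are hypothetical names, and the sample config is constructed.

```python
import re

# Constructed sample; CONSOLE is a hypothetical list and the secret a placeholder.
SAMPLE = """\
aaa new-model
aaa authentication login default group tacacs+ local line enable
aaa authentication login CONSOLE group tacacs+
username netadmin secret 5 PLACEHOLDER
line con 0
 login authentication CONSOLE
line vty 0 15
"""

def methods(tokens):  # fold "group NAME" into a single method entry
    it = iter(tokens)
    return ["group " + next(it, "") if t == "group" else t for t in it]

def parse(config):
    """Return (login method lists, local usernames, list name used per line)."""
    lists, users, lines, current = {}, [], {}, None
    for raw in config.splitlines():
        text = raw.strip()
        current = None if raw[:1] != " " else current  # top-level command ends a line block
        if m := re.match(r"aaa authentication login (\S+) (.+)", text):
            lists[m.group(1)] = methods(m.group(2).split())
        elif re.match(r"username \S+ .*\b(secret|password)\b", text):
            users.append(text.split()[1])
        elif raw.startswith("line "):
            current = text
            lines[current] = "default"  # default list applies unless overridden
        elif current and text.startswith("login authentication "):
            lines[current] = text.split()[2]
    return lists, users, lines

def audit(config):
    """Report lines whose login list lacks a usable local-user fallback."""
    lists, users, lines = parse(config)
    findings = []
    for where, name in lines.items():
        m = lists.get(name)
        if m is None:
            findings.append(f"{where}: login list '{name}' is not defined")
        elif "local" not in m and "local-case" not in m:
            findings.append(f"{where}: list '{name}' has no local fallback")
        elif not users:
            findings.append(f"{where}: list '{name}' uses local but no username exists")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "every line has a local fallback")
```

Run against the question's configuration with a local username present and no `login local` under either line, it reports nothing, which matches the answers above.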