Nexus - can you have both Tacacs+ and local login

t812313 · ‎09-27-2013

Is it possible to have both tacacs+ and local login running on the Nexus Platform, without the tacacs+ failing to reach the server and local login then accepted? We are managing devices for a client and they are using tacacs+ authentication but we need to have a local login running as well so that we can connect with Cisco Works to pull configs etc, but Cisco works has a default username and password to connect in, thus the local account. We need to be able to have either method work at the same time.

Thanks

Richard Burts · ‎09-27-2013

In general it is not possible to use TACACS for authentication and at the same time also use local authentication. But there are ways to achieve this. You could configure the default authentication method to use TACACS (probably with local as a backup method) and also configure another named authentication method which uses only local authentication. You let most of the vty ports use the default authentication method and you configure a single vty port to use the alternate named authentication method. So when you connect to that one vty it will use local username but other vty will use TACACS.

So then the challenge is how to have Cisco Works use the different vty port? A technique that I have used is to configure most of the vty to use only SSH and to configure the one vty to use telnet. Then you configure Cisco Works to use telnet. I have used this and it worked (on regular IOS devices). I have not used this on Nexus but I assume that it would also work on the Nexus.

HTH

Rick

HTH

Rick

Marvin Rhoads · ‎09-27-2013

A best practice approach would be to create a service account in the TACACS+ server identitity store (local or AD or whatever). The management system then uses the service account to loginto devices with TACACS authentication.

CiscoWorks LMS (or Prime LMS) can use multiple credential sets.