05-29-2013 11:49 PM - edited 03-07-2019 01:38 PM
Hi,
Currently I have configured tacacs on Cisco 2960 switches like
aaa authentication login default group tacacs+ local none
tacacs-server host 172.16.6.6 key 7 030A52030F0324425A584B5123
and there are no local users on the switches.
Now I am having a problem whenever my tacacs server goes down.
Can anyone guide me on how to log in to my switch (telnet) with a local username and password when my tacacs goes down?
What changes do I have to make on my switches?
Please explain with any example.
Regards,
Prashant
05-30-2013 12:19 AM
Hi Prashant,
If you configure the following command:
aaa authentication login default local group tacacs+
If you input "local" argument on the command before the "group tacacs+" you should be able to access the IOS device with both Local Username/Password and TACACS+ Username/Password even when the TACACS+ server is up and running.
The above behavior can only be triggered when using LOCAL IOS database and then TACACS+. If you input "line" before "group tacacs+" the IOS will only ask for the LINE password when authenticating. It will only ask for TACACS+ credentials if the "line vty 0 15" has no password configured.
Some Ref:
http://my.safaribooksonline.com/book/networking/cisco-ios/0596527225/tacacsplus/i91663__heada__4_4
http://www.gregledet.net/?p=220
Hope this helps.
Regards
Inayath
05-30-2013 12:28 AM
Hi Inayath,
Isn't your text copied from another discussion?
https://supportforums.cisco.com/thread/2068021
Regards,
Jan
05-30-2013 12:24 AM
Hello Prashant,
I think you need to configure a local username and password.
Then you should have aaa new-model configured.
aaa authentication login default group tacacs+ local none
This authentication first tries to contact a TACACS+ server. If no server is found, TACACS+ returns an error and AAA tries to use the enable password. If this attempt also returns an error (because no enable password is configured on the server), the user is allowed access with no authentication.
It is described here: http://www.cisco.com/en/US/docs/ios/12_2/security/command/reference/srfathen.html#wp1017794
Please check whether an enable password is specified.
I would recommend that you create a local user; then, if the tacacs server is down, you will still be able to access the switch via the local user.
Best Regards,
Jan
05-30-2013 12:33 AM
Hello Prashant,
All you need are these commands, e.g.:
aaa new-model
!
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
!
username BackupAdmin privilege 15 secret 5 xxxxxxxxxxxxx
!
tacacs-server host 192.168.1.3 key 7 xxxxxxxxxxxxxxx
tacacs-server host 192.168.2.3 key 7 xxxxxxxxxxxxxxx
you can also add this:
Router(config)# line console 0
Router(config-line)# login authentication default
Router(config)# line vty 0 15
Router(config-line)# login authentication default
Please see: http://packetlife.net/blog/2010/sep/27/basic-aaa-configuration-ios/
Hope this helps
Please rate useful posts & remember to mark any solved questions as answered. Thank you.
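The replies above (Inayath on method ordering, Jan on the "tacacs+ local none" fallback, Bilal's "group tacacs+ local" config) all hinge on one rule of Cisco AAA method lists: IOS moves on to the next method only when the current one returns an error (server unreachable, username absent from the local database, no enable secret), never when it actively rejects the credentials. The following is an added example, written for this thread and not code from Cisco or from any poster; it models that rule in Python so the four configurations discussed here can be compared side by side. The fall-through semantics are an assumption taken from Cisco's AAA documentation and the posts above, and the users, passwords and server state are constructed for illustration.

```python
"""Model of how Cisco IOS walks an AAA login method list.

Added example for this thread, not Cisco code. Assumption (from Cisco's
AAA documentation and the posts above): AAA tries the next method only
when the current one returns ERROR (TACACS+ server unreachable, username
not in the local database, no enable secret configured). A FAIL (wrong
password, or the server rejects the user) stops the walk and denies the
login. All users, passwords and server state are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional, Tuple

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


@dataclass
class Device:
    """Constructed stand-in for the switch and its TACACS+ server."""
    local_users: dict = field(default_factory=dict)   # username -> password
    tacacs_users: dict = field(default_factory=dict)  # what the server knows
    tacacs_up: bool = True
    enable_secret: Optional[str] = None


def parse_method_list(line: str) -> list:
    """'group tacacs+ local none' -> ['group tacacs+', 'local', 'none']."""
    tokens = line.split()
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group":              # 'group <name>' is one method
            methods.append("group " + tokens[i + 1])
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def run_method(method: str, dev: Device, user: str, pw: str) -> str:
    """Outcome of a single method for one login attempt."""
    if method == "group tacacs+":
        if not dev.tacacs_up:
            return ERROR                      # unreachable: fall through
        return PASS if dev.tacacs_users.get(user) == pw else FAIL
    if method == "local":
        if user not in dev.local_users:
            return ERROR                      # unknown locally: fall through
        return PASS if dev.local_users[user] == pw else FAIL
    if method == "enable":
        if dev.enable_secret is None:
            return ERROR                      # no enable secret: fall through
        return PASS if pw == dev.enable_secret else FAIL
    if method == "none":
        return PASS                           # no authentication at all
    raise ValueError(f"unsupported method: {method}")


def authenticate(line: str, dev: Device, user: str, pw: str) -> Tuple[bool, Optional[str]]:
    """Walk the list; return (granted, deciding method), or (False, None) if every method errored."""
    for method in parse_method_list(line):
        result = run_method(method, dev, user, pw)
        if result == PASS:
            return True, method
        if result == FAIL:
            return False, method
    return False, None


if __name__ == "__main__":
    # The original poster's config with no local users: an outage lets anyone in.
    outage = Device(tacacs_users={"alice": "s3rver-pw"}, tacacs_up=False)
    print(authenticate("group tacacs+ local none", outage, "anyone", "x"))
    # (True, 'none')

    # Bilal's fix: a local account is reachable during the outage...
    fixed = Device(local_users={"BackupAdmin": "l0cal-pw"},
                   tacacs_users={"alice": "s3rver-pw"}, tacacs_up=False)
    print(authenticate("group tacacs+ local", fixed, "BackupAdmin", "l0cal-pw"))
    # (True, 'local')

    # ...but once the server is back it rejects the local account outright,
    fixed.tacacs_up = True
    print(authenticate("group tacacs+ local", fixed, "BackupAdmin", "l0cal-pw"))
    # (False, 'group tacacs+')

    # whereas Inayath's 'local group tacacs+' accepts both kinds of credential.
    print(authenticate("local group tacacs+", fixed, "BackupAdmin", "l0cal-pw"))
    # (True, 'local')
    print(authenticate("local group tacacs+", fixed, "alice", "s3rver-pw"))
    # (True, 'group tacacs+')
```

The first case is the one to watch for in an audit: with "none" as the last method and no username configured, a TACACS+ outage (or a blocked path to the server) silently turns into unauthenticated access, and the fix is to define a local account and drop "none". The last two cases show why the ordering "local group tacacs+" is only appropriate where a local account is meant to work while the server is healthy; otherwise keep "group tacacs+ local" so the server stays authoritative.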
05-30-2013 02:42 AM
Hello
@ Bilal
You do not need to add login authentication default on the line interfaces, as it's enabled by default when the default keyword is used; you only have to do it when you specify a name other than default in AAA.
res
Paul
Please don't forget to rate any posts that have been helpful.
Thanks.
05-30-2013 03:11 AM
Hello Paul, nice hearing from you again.
For sure, you are correct :-)
I must have been in a rush, where I said
you can also add this:
I totally forgot to type the rest of the sentence: you can also add this if you were to create a custom authentication method list for these lines.
Please rate useful posts & remember to mark any solved questions as answered. Thank you.