tacacs configuration

prashantrecon
Level 1

Hi ,

Currently I have configured TACACS on Cisco 2960 switches like this:

aaa authentication login default group tacacs+ local none

tacacs-server host 172.16.6.6 key 7 030A52030F0324425A584B5123

and there are no local users on the switches.

Now I am having a problem whenever my TACACS server goes down.

Can anyone guide me on how to log in to my switch (telnet) with a local username and password when my TACACS goes down?

What changes do I have to make on my switches?

Please explain with any example.

Regards,

Prashant

Accepted Solution

InayathUlla Sharieff
Cisco Employee

Hi Prashant,

If you configure the following command:

aaa authentication login default local group tacacs+

If you input "local" argument on the command before the "group tacacs+" you should be able to access the IOS device with both Local Username/Password and TACACS+ Username/Password even when the TACACS+ server is up and running.

The above behavior can only be triggered when using LOCAL IOS database and then TACACS+. If you input "line" before "group tacacs+" the IOS will only ask for the LINE password when authenticating. It will only ask for TACACS+ credentials if the "line vty 0 15" has no password configured.

Some Ref:

http://my.safaribooksonline.com/book/networking/cisco-ios/0596527225/tacacsplus/i91663__heada__4_4

http://www.gregledet.net/?p=220

Hope this helps.

Regards

Inayath


Hi Inayath,

Isn't your text copied from another discussion?

https://supportforums.cisco.com/thread/2068021

Regards,

Jan

Jan Rolny
Level 3

Hello Prashant,

I think you need to configure a local username and password.

Then you should have aaa new-model configured.

aaa authentication login default group tacacs+ local none

This authentication first tries to contact a TACACS+ server. If no server is found, TACACS+ returns an error and AAA tries to use the enable password. If this attempt also returns an error (because no enable password is configured on the server), the user is allowed access with no authentication.

It is described here http://www.cisco.com/en/US/docs/ios/12_2/security/command/reference/srfathen.html#wp1017794

Please check whether an enable password is specified.

I would recommend that you create a local user; then, if the TACACS server is down, you will still be able to access the switch with the local user.

Best Regards,

Jan

Bilal Nawaz
VIP Alumni

Hello Prashant,

All you need are these commands, e.g.:

aaa new-model
!
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
!
username BackupAdmin privilege 15 secret 5 xxxxxxxxxxxxx
!
tacacs-server host 192.168.1.3 key 7 xxxxxxxxxxxxxxx
tacacs-server host 192.168.2.3 key 7 xxxxxxxxxxxxxxx

you can also add this:

Router(config)# line console 0
Router(config-line)# login authentication default
Router(config)# line vty 0 15
Router(config-line)# login authentication default

Please see: http://packetlife.net/blog/2010/sep/27/basic-aaa-configuration-ios/

Hope this helps

Please rate useful posts & remember to mark any solved questions as answered. Thank you.
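Added example, not from any post in this thread: a small Python model of how IOS walks an "aaa authentication login" method list, using the rules the replies above describe (a method is skipped only when it returns an error, such as an unreachable TACACS+ server or a username absent from the local database; a wrong password is a final failure; "none" always succeeds). It shows why the original "group tacacs+ local none" with no local users lets anyone in once the server is down, and how Bilal's "group tacacs+ local" with a BackupAdmin account behaves instead. All usernames, passwords and server states are constructed.

```python
# Added example (not from the thread): model of IOS "aaa authentication login"
# method-list evaluation. Modelled rules, taken from the replies above:
#   - a method is skipped only on ERROR (TACACS+ unreachable, user not in
#     the local database); FAIL (wrong password, server rejects) is final;
#   - "none" always succeeds.
# All credentials and server states below are constructed for illustration.

PASS, FAIL = "PASS", "FAIL"


def parse_method_list(command):
    """'aaa authentication login default group tacacs+ local none'
    -> ['group tacacs+', 'local', 'none']."""
    words = command.split()
    if words[:3] != ["aaa", "authentication", "login"] or len(words) < 5:
        raise ValueError("not an aaa authentication login command")
    rest, methods = words[4:], []          # words[3] is the list name
    while rest:
        if rest[0] == "group":
            methods.append("group " + rest[1])
            rest = rest[2:]
        else:
            methods.append(rest[0])
            rest = rest[1:]
    return methods


def authenticate(methods, user, pw, tacacs_up, tacacs_users, local_users):
    """Return (result, deciding_method); (FAIL, None) if every method errored."""
    for method in methods:
        if method == "group tacacs+":
            if not tacacs_up:
                continue                       # ERROR: fall to next method
            result = PASS if tacacs_users.get(user) == pw else FAIL
        elif method == "local":
            if user not in local_users:
                continue                       # ERROR: fall to next method
            result = PASS if local_users[user] == pw else FAIL
        elif method == "none":
            result = PASS                      # no authentication at all
        else:
            continue                           # unsupported here: treat as ERROR
        return result, method
    return FAIL, None


# Original configuration: no local users, TACACS+ down -> anyone gets in.
ORIGINAL = parse_method_list("aaa authentication login default group tacacs+ local none")
# Bilal's configuration: a backup local account and no "none" at the end.
FIXED = parse_method_list("aaa authentication login default group tacacs+ local")
LOCAL_USERS = {"BackupAdmin": "constructed-local-secret"}      # constructed

if __name__ == "__main__":
    print(authenticate(ORIGINAL, "intruder", "guess", False, {}, {}))        # ('PASS', 'none')
    print(authenticate(FIXED, "BackupAdmin", "constructed-local-secret", False, {}, LOCAL_USERS))
    print(authenticate(FIXED, "intruder", "guess", False, {}, LOCAL_USERS))  # ('FAIL', None)
```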

Hello

@ Bilal

You do not need to add login authentication default on the line interfaces, as it's enabled by default when the default keyword is used; you only have to do it when you specify a name other than default in AAA.

Regards

Paul

Please don't forget to rate any posts that have been helpful.

Thanks.

Hello Paul, nice hearing from you again.

For sure, you are correct :-)

I must have been in a rush, where I said

you can also add this:

I totally forgot to type the rest of the sentence: you can also add this if you were to create a custom authentication method list for these lines.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.