11-05-2019 06:34 PM
Hi,
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
username admin1 password 7 13173623092A256658743630
I am trying to log in to the switch using tacacs, but due to a tacacs server issue, I can't log in. Therefore I tried to log in using the local username admin1, but it was rejected as well.
Am I correct to say that if the tacacs server is down, username "admin1" can log in using the unencrypted password above?
11-05-2019 07:24 PM
Hi @getaway51
"Am I correct to say that if the tacacs server is down, username "admin1" can log in using the unencrypted password above?"
You are correct
Maybe you could give more background so we can try to find out why the device does not allow logging in.
Regards
11-05-2019 09:29 PM
Hi,
Currently I can't log in via tacacs and also not via the local user admin1. Not sure why.
Anyway, if I plug in the console, do I use tacacs or the local user?
11-05-2019 10:33 PM
It looks like the device could reach the tacacs server, but user authentication failed. As a result, it could not fail over to the local database. It could be due to either mis-configuration of tacacs on the switch, or failed authentication.
You can attempt login on console port using local username/password. If it is not working, I would login to the upstream switch/router: block traffic from the switch to the tacacs server using ACL (be careful when you write the ACL), login using the local username/password, and double check the tacacs configuration on the switch.
HTH,
Meheretab
11-05-2019 11:22 PM
Hi,
Does it mean login via the console port must use the local username or tacacs?
What CLI defines this?
11-06-2019 10:33 AM
From the configuration you shared, aaa authentication login default group tacacs+ local, I saw that you are using the default list which is applied to all login connections (such as vty, console, aux). As a result, login from console is also authenticated using tacacs server followed by local.
If you want to read more, please look at the following page:- https://www.cisco.com/c/en/us/support/docs/security-vpn/terminal-access-controller-access-control-system-tacacs-/10384-security.html#login_auth
HTH,
Meheretab
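Added example (not part of any post in this thread, and not Cisco's code): a small Python model of the two points made in the answers above, that the default list applies to every line without its own list, and that the next method is tried only when the previous one gives no response. The list name CONSOLE-LOCAL, the line blocks in the sample config and the function names are assumptions made for illustration.

```python
import re

# Constructed sample: the thread's AAA line plus a hypothetical named list
# (CONSOLE-LOCAL) bound to the console. The line blocks are assumptions.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE-LOCAL local
line con 0
 login authentication CONSOLE-LOCAL
line vty 0 4
 transport input ssh
"""

def parse_login_lists(config):
    """Return (method lists by name, list name bound to each line)."""
    lists, lines, current = {}, {}, None
    for raw in config.splitlines():
        m = re.match(r"aaa authentication login (\S+) (.+)", raw)
        if m:
            lists[m.group(1)] = m.group(2).replace("group ", "").split()
        elif raw.startswith("line "):
            current = raw[5:].strip()
            lines[current] = "default"   # no explicit list: default applies
        elif current and raw.startswith(" login authentication "):
            lines[current] = raw.split()[-1]
        elif not raw.startswith(" "):
            current = None               # left the line block
    return lists, lines

def effective_methods(config, line):
    """Ordered login methods that apply to one line, e.g. 'con 0'."""
    lists, lines = parse_login_lists(config)
    return lists[lines[line]]

def authenticate(methods, results):
    """Walk a method list. results maps method -> 'PASS', 'FAIL' or 'ERROR'.
    Only ERROR (no response from the method) moves on to the next method;
    a FAIL (explicit reject) ends the attempt, so 'local' is never tried."""
    for method in methods:
        outcome = results.get(method, "ERROR")
        if outcome != "ERROR":
            return method, outcome
    return None, "FAIL"                  # every method errored out
```

With the sample config, the vty lines still use tacacs+ then local, while the console resolves to local only.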