07-11-2018 10:56 AM - edited 07-05-2021 08:50 AM
We are using an AAA login method list on the WLC, for which TACACS will be the first and local will be the second method.
What should the TACACS fallback parameter be?
07-11-2018 11:35 AM
Hi
If I understood you right, fallback means what you want to happen when your server becomes unavailable:
Off—Disables RADIUS server fallback. This is the default value. Same for TACACS.
Passive—Causes the controller to revert to a server with a lower priority from the available backup servers without using extraneous probe messages. The controller ignores all inactive servers for a time period and retries later when a RADIUS message needs to be sent.
Active—Causes the controller to revert to a server with a lower priority from the available backup servers by using RADIUS probe messages to proactively determine whether a server that has been marked inactive is back online. The controller ignores all inactive servers for all active RADIUS requests. If probing is enabled, the RADIUS server will be probed at every probing time interval irrespective of the probe response having been received or not. For more information, see CSCvc01761.
-If I helped you somehow, please, rate it as useful.-
07-11-2018 11:50 AM
Hi Flavio
I have set the auth order as mentioned in the attached snap. If TACACS is down, the local user database will be used.
Now when TACACS is restored, I want the user to be authenticated by the TACACS server.
For that, the TACACS+ fallback parameter has only two values: enable/disable.
What should I choose?
07-11-2018 12:51 PM
I think you are misunderstanding the feature. When you have TACACS and Local this means that if TACACS is not available, you can use local user. If TACACS is available you should use TACACS. This is it, you don't need to set up anything besides that.
Fallback mode is a different thing. This works like a preempt. Let's say you have two servers: A and B.
If server A becomes unavailable, the WLC will send TACACS requests to server B.
If Fallback Mode is disabled, when server A comes back to life, the WLC will continue to send TACACS requests to B and A will be a backup server.
If Fallback Mode is enabled, when server A comes back to life, the WLC will stop sending TACACS requests to B and will start sending TACACS requests to server A.
Hope I was clear.
-If I helped you somehow, please, rate it as useful.-
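The selection behaviour described in the answer above, as an added Python model that is not part of the original thread and is not Cisco's implementation. The function name, the constructed reachability timeline and the rule that the controller stays on its last-used server after a total outage are assumptions made for illustration.

```python
# Toy model of the server selection described in the thread: two TACACS+
# servers, A (higher priority) and B, with LOCAL as the second login method.
# Assumption: this models the described behaviour only, not the WLC's code.

PRIORITY = ["A", "B"]          # server names taken from the thread
LOCAL = "LOCAL"                # local user database (second method in the list)

# Constructed sample input: which servers are reachable at each login attempt.
TIMELINE = [
    {"A", "B"},   # both up
    {"B"},        # A goes down
    {"A", "B"},   # A comes back
    set(),        # both down: method list falls through to local
    {"A", "B"},   # both up again
]

def auth_source_per_attempt(timeline, fallback_enabled):
    """Return which source answers each login attempt in the timeline."""
    current = PRIORITY[0]
    used = []
    for reachable in timeline:
        if fallback_enabled:
            # Preempt: always prefer the highest-priority reachable server.
            candidates = PRIORITY
        else:
            # Sticky: keep the server in use; move only when it is unreachable.
            candidates = [current] + [s for s in PRIORITY if s != current]
        chosen = next((s for s in candidates if s in reachable), None)
        if chosen is None:
            used.append(LOCAL)     # no TACACS+ server reachable at all
        else:
            current = chosen
            used.append(chosen)
    return used

if __name__ == "__main__":
    for mode in (False, True):
        label = "enabled " if mode else "disabled"
        print(f"fallback {label}:", auth_source_per_attempt(TIMELINE, mode))
```

In both modes local accounts are used only while no TACACS+ server is reachable; the fallback setting changes only which TACACS+ server handles requests after A recovers.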
07-12-2018 04:07 AM
Thank you Flavio, I get it now.