How to fallback to console login when TACACS server down?

Thanks to all, I appreciate your help!

I have a 4006 CatOS switch running 6.3. I can telnet and authenticate via TACACS servers; how do I make sure I'm able to serial console to the switch in the event IP connectivity to the TACACS servers is lost or the TACACS servers are down? This is the AAA config:

#authentication
set authentication login tacacs enable telnet primary
set authentication login tacacs enable http primary
set authentication enable tacacs enable telnet primary
set authentication enable tacacs enable http primary
set authentication login attempt 5 console
!

#authorization
set authorization exec enable tacacs+ deny console
set authorization exec enable tacacs+ deny telnet
set authorization enable enable tacacs+ deny console
set authorization enable enable tacacs+ deny telnet
set authorization commands enable all tacacs+ deny console
set authorization commands enable all tacacs+ deny telnet
end



If you enter the following line, console access will fall back to local user credentials.


set authentication login local enable console


Also create a local user to authenticate with.


set localuser user jsmith password j5m1th privilege 15



The account will be in enable mode instantly when you log in. If you don't want this, and would like the console user to enter an enable password, enter the localuser without privilege 15, and also set AAA to have an enable fallback as well. Example below.


set localuser user jsmith password j5m1th

set authentication login local enable console

set authentication enable local enable console


I see you are using "attempt 5 console"; I would recommend you use lockout. This will allow a user to retry in 15 minutes.


set authentication login lockout 900


Kind Regards.
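A check an administrator could run over a saved CatOS AAA config to confirm that console login keeps a local fallback when TACACS+ is unreachable, added here as an example and not part of the original thread. It only counts what the config shows explicitly, so it does not model the CatOS default of local authentication being enabled; the sample configs are constructed.

```python
"""Constructed check for CatOS 'set authentication' lines (added example)."""
import re

# Matches lines such as:
#   set authentication login tacacs enable telnet primary
#   set authentication login local enable console
# 'attempt' and 'lockout' lines deliberately do not match.
AUTH_RE = re.compile(
    r"^set authentication (login|enable) (local|tacacs|radius|kerberos)"
    r" (enable|disable)(?: (console|telnet|http|all))?(?: primary)?$"
)


def parse_auth(config: str) -> dict:
    """Return {(stage, service): {method: enabled}} for every matching line."""
    state = {}
    for line in config.splitlines():
        m = AUTH_RE.match(line.strip())
        if not m:
            continue
        stage, method, flag, service = m.groups()
        # No service keyword (or 'all') applies the method to every service.
        services = ["console", "telnet", "http"] if service in (None, "all") else [service]
        for svc in services:
            state.setdefault((stage, svc), {})[method] = flag == "enable"
    return state


def console_fallback_gaps(config: str) -> list:
    """Stages ('login'/'enable') where console uses TACACS+ but shows no local fallback."""
    state = parse_auth(config)
    gaps = []
    for stage in ("login", "enable"):
        methods = state.get((stage, "console"), {})
        if methods.get("tacacs") and not methods.get("local"):
            gaps.append(stage)
    return gaps


# Constructed sample: TACACS+ on all services, no explicit local line.
SAMPLE_NO_FALLBACK = """\
set authentication login tacacs enable primary
set authentication enable tacacs enable primary
"""
# Same config with the fallback lines from the answer above appended.
SAMPLE_WITH_FALLBACK = SAMPLE_NO_FALLBACK + """\
set authentication login local enable console
set authentication enable local enable console
"""

if __name__ == "__main__":
    print("gaps without fallback:", console_fallback_gaps(SAMPLE_NO_FALLBACK))
    print("gaps with fallback:", console_fallback_gaps(SAMPLE_WITH_FALLBACK))
```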
