AAA configuration assistance needed

Unanswered Question
May 18th, 2007

I am trying to set up TACACS authentication on a Cisco switch. I want the primary method to use TACACS for authentication, and I want the local username that I define in the switch to take over authentication should the AAA server become unavailable. I also would like for the enable password to use the same as my TACACS password. I'm not sure how to set up the enable pw to do this. What is the command? If I do an "aaa authentication enable default", the only options after that are "enable", "group", "line" and "none". Is there a way I can make the enable password use the TACACS pw, and use the local database pw if TACACS is unavailable?

Jagdeep Gambhir Fri, 05/18/2007 - 11:41

Here are the commands that you would need,

Router(config)# username [username] password [password]

tacacs-server host [ip]

tacacs-server key [key]

aaa new-model

aaa authentication login default group tacacs+ local

aaa authentication enable default group tacacs+ none

On ACS ---> user set up---> Go to TACACS+ Enable Password

Click on "Use CiscoSecure PAP password"

Hope that helps!


Premdeep Banga Mon, 05/21/2007 - 17:28

If you need to be able to use the device's enable password when the TACACS server is unavailable, then I would suggest changing the command

aaa authentication enable default group tacacs+ none

to

aaa authentication enable default group tacacs+ enable

Rest remains the same.
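
An added example, not part of the thread and not written by either poster: a small Python check over the method lists discussed above. It flags `none` in a list (once the TACACS+ server stops responding, the request succeeds with no password) and fallbacks that rely on credentials the config does not define. The sample config is constructed from the first reply's commands with placeholder values, and `audit_aaa` and `fold_methods` are names chosen for this example.

```python
import re

# Constructed sample: the commands from the first reply, with placeholder values.
SAMPLE = """\
username admin password ExamplePw1
tacacs-server host 192.0.2.10
tacacs-server key ExampleKey1
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ none
"""

AAA_RE = re.compile(r"^aaa authentication (login|enable) (\S+) (.+)$")

def fold_methods(tokens):
    """Treat 'group <name>' as one method: ['group','tacacs+','local'] -> 2 methods."""
    out, i = [], 0
    while i < len(tokens):
        step = 2 if tokens[i] == "group" and i + 1 < len(tokens) else 1
        out.append(" ".join(tokens[i:i + step]))
        i += step
    return out

def audit_aaa(config):
    """Return findings for each 'aaa authentication login|enable' method list."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    has_user = any(ln.startswith("username ") for ln in lines)
    has_enable = any(re.match(r"enable (secret|password) ", ln) for ln in lines)
    findings = []
    for ln in lines:
        m = AAA_RE.match(ln)
        if not m:
            continue
        label = f"{m.group(1)} list '{m.group(2)}'"
        methods = fold_methods(m.group(3).split())
        if "none" in methods:
            findings.append(f"{label}: 'none' lets the request succeed with no "
                            "password once the earlier methods return an error")
        if all(x.startswith("group ") for x in methods):
            findings.append(f"{label}: no fallback if the servers are unreachable")
        if "local" in methods and not has_user:
            findings.append(f"{label}: 'local' fallback but no username is defined")
        if "enable" in methods and not has_enable:
            findings.append(f"{label}: 'enable' fallback but no enable secret is set")
    return findings

if __name__ == "__main__":
    for finding in audit_aaa(SAMPLE):
        print(finding)
```

Run against the sample, it reports the `none` fallback on the enable list; after switching that line to `enable`, it reports the missing enable secret until one is configured.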



