ACS TACACS , if ACS is down question

Unanswered Question
Jun 1st, 2007

If the router or switch is configured to use TACACS and points to an ACS server, what does the device use for authentication if the ACS is down?

Does it use the local username and enable secret?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (5 ratings)
Joe Clarke Fri, 06/01/2007 - 21:19

Depends on what you have configured. For example:

aaa authentication login default group tacacs+ local

Will fallback to local authentication if the AAA server is down. You can have it fallback to the line password, enable password, etc.

wilson_1234_2 Sat, 06/02/2007 - 09:13


A couple of questions:

This shows up on the RME home page, under Recently Completed Jobs:

I have a Archive poll job configured along with an Archive update job.

The archive poll runs before the update job.

The Archive update completes successfully on 27 items, but the update job fails with one item being only partially successful.

The reason on the item is:

Error polling for change on Primary Startup Config, not fetching the config.

It is using telnet as the protocol.

Whay would RME not be able to get the startup config if it can get everything else?

This shows up under Collection Status:

Inventory 27 Items

Config Archive:

27 success

0 failed

0 partially successful

4 out of sync

On the out of sync items, if you check them you can select "Sync on Device"

Is this recommended to do?

Joe Clarke Sat, 06/02/2007 - 09:41

Please start a new thread for this. This has nothing to do with AAA fallback mechanisms.

mohammedmahmoud Fri, 06/01/2007 - 23:25

Hi Wilson,

As Joe stated it depends on what you've configured, i strongly recommend that you use "aaa authentication login default group tacacs+ local" to be able to use the local usernames if the TACACS is down, as i've seen many cases that the customers failed to access their routers in critical situations because they have not included the local keyword in the aaa configuration.

HTH, please do rate all helpful replies,

Mohammed Mahmoud.

wilson_1234_2 Fri, 06/08/2007 - 07:34

I have th following config:

aaa authentication login default group tacacs+ local

aaa authentication login CON line none

aaa authentication enable default group tacacs+ enable

aaa authentication eou default group radius

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

When tacacs is unavailable and you try to log in, the device asks for a username still, I do not see a user configured on any of the devices.

How do I know which username to use if tacacs is down?

Joe Clarke Fri, 06/08/2007 - 07:38

You have to configure local usernames on your device. For example:

username marcus password marcus123

wilson_1234_2 Fri, 06/08/2007 - 08:11

Thanks J,

Why would they configure the device to use local authentication if tacacs was not available, and not configure the usernames and passwords?

Joe Clarke Fri, 06/08/2007 - 08:13

Who are, "they?" If you mean previous administrators, perhaps they did not know what the "local" keyword meant.

wilson_1234_2 Fri, 06/08/2007 - 08:17

Yes, you know...

That mysterious group of people that knows and does everything.

Really though, the guys (consultants) who built this network.

I guess I need to go to each device and configure a username and password.

Man, have I learned a lot from you guys in the last year.

I appreciate the reply

wilson_1234_2 Fri, 06/08/2007 - 09:46

So j,

With this type of config, if tacacs is unavailable:

The idea is you get in locally with the username and password in the config, then use the enable or enable-secret configured?

wilson_1234_2 Fri, 06/08/2007 - 10:42


If tacacs is available, can you still use the local access accounts or will the device force you to use tacacs if the server is up?

Joe Clarke Fri, 06/08/2007 - 10:44

You will need to use the TACACS+ credentials if the AAA server is available.


This Discussion