ACS TACACS , if ACS is down question

wilson_1234_2
Level 3

If the router or switch is configured to use TACACS and points to an ACS server, what does the device use for authentication if the ACS is down?

Does it use the local username and enable secret?

14 Replies

Joe Clarke
Cisco Employee

Depends on what you have configured. For example:

aaa authentication login default group tacacs+ local

This will fall back to local authentication if the AAA server is down. You can have it fall back to the line password, enable password, etc.

J,

A couple of questions:

This shows up on the RME home page, under Recently Completed Jobs:

I have an Archive poll job configured along with an Archive update job.

The archive poll runs before the update job.

The Archive update completes successfully on 27 items, but the update job fails with one item being only partially successful.

The reason on the item is:

Error polling for change on Primary Startup Config, not fetching the config.

It is using telnet as the protocol.

Why would RME not be able to get the startup config if it can get everything else?

This shows up under Collection Status:

Inventory 27 Items

Config Archive:

27 success

0 failed

0 partially successful

4 out of sync

On the out of sync items, if you check them you can select "Sync on Device"

Is this recommended to do?

Please start a new thread for this. This has nothing to do with AAA fallback mechanisms.

mohammedmahmoud
Level 11

Hi Wilson,

As Joe stated, it depends on what you've configured. I strongly recommend that you use "aaa authentication login default group tacacs+ local" to be able to use the local usernames if the TACACS is down, as I've seen many cases where customers failed to access their routers in critical situations because they had not included the local keyword in the aaa configuration.

HTH, please do rate all helpful replies,

Mohammed Mahmoud.

Thanks again guys, I appreciate it.

I have the following config:

aaa authentication login default group tacacs+ local

aaa authentication login CON line none

aaa authentication enable default group tacacs+ enable

aaa authentication eou default group radius

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

When tacacs is unavailable and you try to log in, the device asks for a username still, I do not see a user configured on any of the devices.

How do I know which username to use if tacacs is down?

You have to configure local usernames on your device. For example:

username marcus password marcus123
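To make the two points in this thread concrete (Joe's first answer on how a method list such as "group tacacs+ local" falls back, and the later finding that the fallback is useless without local usernames), here is an added Python example. It is not code from the thread or from Cisco; it models the method-list walk under the assumptions stated in its docstring and lints an IOS snippet built from the lines quoted above for the pitfalls discussed here.

```python
"""Added example, not code from the thread: a small model of how IOS
walks an AAA method list such as "group tacacs+ local", plus a linter for
the pitfall discussed above (a "local" fallback with no local usernames).

Assumed semantics (standard IOS method-list behaviour): methods are tried
left to right; the next method is consulted only when the current one
returns ERROR (server unreachable). A FAIL from a reachable server ends
evaluation with a denial. "none" always succeeds. An unknown user in the
local database is treated here as ERROR, so the next method is tried.
"""
import re

# Constructed sample config, built from the lines quoted in the thread.
SAMPLE_CONFIG = """
aaa authentication login default group tacacs+ local
aaa authentication login CON line none
aaa authentication enable default group tacacs+ enable
aaa accounting exec default start-stop group tacacs+
"""

AUTH_RE = re.compile(r"^aaa authentication (login|enable) (\S+) (.+)$")
USER_RE = re.compile(r"^username (\S+) (password|secret)\b")
ENABLE_SECRET_RE = re.compile(r"^enable (secret|password)\b")


def parse_methods(method_str):
    """Turn 'group tacacs+ local' into ['group tacacs+', 'local']."""
    tokens = method_str.split()
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append("group " + tokens[i + 1])
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def parse_config(text):
    """Return (method lists keyed 'login:NAME' or 'enable:NAME', usernames, has_enable_secret)."""
    lists, users, has_enable = {}, set(), False
    for raw in text.splitlines():
        line = raw.strip()
        m = AUTH_RE.match(line)
        if m:
            lists[f"{m.group(1)}:{m.group(2)}"] = parse_methods(m.group(3))
        elif USER_RE.match(line):
            users.add(USER_RE.match(line).group(1))
        elif ENABLE_SECRET_RE.match(line):
            has_enable = True
    return lists, users, has_enable


def evaluate(methods, server_up, local_users, username, password_ok):
    """Walk a method list; return the method that accepted, or None if denied.

    server_up:   whether the AAA server group answers at all.
    password_ok: whether the presented credential is valid for the method asked.
    A wrong line/enable password is a FAIL here; the 'no password configured'
    ERROR case for those methods is not modelled.
    """
    for method in methods:
        if method.startswith("group "):
            if not server_up:
                continue                                  # ERROR: try next method
            return method if password_ok else None        # PASS or FAIL ends the walk
        if method == "local":
            if username not in local_users:
                continue                                  # assumed ERROR: try next method
            return method if password_ok else None
        if method in ("line", "enable"):
            return method if password_ok else None
        if method == "none":
            return method                                 # no authentication at all
    return None                                           # ran off the end of the list


def lint(text):
    """Flag the fallback pitfalls discussed in the thread; returns a list of findings."""
    lists, users, has_enable = parse_config(text)
    findings = []
    for name, methods in lists.items():
        if methods[-1].startswith("group "):
            findings.append(f"{name}: no fallback method, lockout if the server is down")
        if "none" in methods:
            findings.append(f"{name}: 'none' grants access without authentication")
        if "local" in methods and not users:
            findings.append(f"{name}: 'local' fallback but no username lines configured")
        if "enable" in methods and not has_enable:
            findings.append(f"{name}: 'enable' fallback but no enable secret configured")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the linter reports the exact situation Wilson hit: the default login list falls back to "local" but no username lines exist, so a TACACS+ outage still locks everyone out; it also flags "none" on the CON list. The linter accepts both "username ... password" and "username ... secret"; "secret" stores a hash rather than a reversible type 7 string and is the better choice for the fallback accounts.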

Thanks J,

Why would they configure the device to use local authentication if tacacs was not available, and not configure the usernames and passwords?

Who are "they"? If you mean previous administrators, perhaps they did not know what the "local" keyword meant.

Yes, you know...

That mysterious group of people that knows and does everything.

Really though, the guys (consultants) who built this network.

I guess I need to go to each device and configure a username and password.

Man, have I learned a lot from you guys in the last year.

I appreciate the reply

So J,

With this type of config, if tacacs is unavailable:

The idea is you get in locally with the username and password in the config, then use the enable or enable-secret configured?

Correct.

J,

If tacacs is available, can you still use the local access accounts or will the device force you to use tacacs if the server is up?

You will need to use the TACACS+ credentials if the AAA server is available.
