WLC s/w v4.1 and TACACS unreachable

Oct 10th, 2007

In,

Cisco WLC_Config Guide_Web & CLI_Release 4.1

it says,

"If the TACACS+ authorization server becomes unreachable or unable to authorize, users are unable to log into the controller."

Does this mean it does not support a fail-safe password like IOS does where the Enable password can be used to get into a router if TACACS+ is unreachable?

pmccubbin Wed, 10/10/2007 - 06:49

Hi Mark,

No, the local database is always queried first.

Please read Chapter 5 and the section on configuring TACACS:

"You can specify the order of authentication when multiple databases are configured, click Security > Priority Order > Management User. The Priority Order > Management User page will appear."

It goes on further to explain:

"For Authentication Priority, choose either Radius or TACACS+ to specify which server has priority over the other when the controller attempts to authenticate management users. By default, the local database is always queried first. If the username is not found, the controller switches to the TACACS+ server if configured for TACACS+ or to the RADIUS server if configured for Radius. The default setting is local and then Radius."

Hope this helps.

Paul

MARK HEUZENROEDER Wed, 10/10/2007 - 14:41

Hi Paul,

Thank you for your clarification.

Now I realise I asked a silly question.

I can't see the value in Cisco's statement,

"If the TACACS+ authorization server becomes unreachable or unable to authorize, users are unable to log into the controller."

They ***are*** able to if they know the local account credentials, right?

Regards, MH

pmccubbin Thu, 10/11/2007 - 03:53

Hi Mark,

Firstly, your question wasn't silly. Cisco documentation is notorious for sometimes being vague. I suppose if the same person wrote the documentation for every product there might be some recognizable consistency, but as we all know this is impossible.

Secondly, you are correct when you say that people are able to log into the controller if they know the local credentials.

Hope this helps.

Paul
