Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
465
Views
5
Helpful
3
Replies

WLC s/w v4.1 and TACACS unreachable

MARK HEUZENROEDER
Level 1
Level 1

‎10-10-2007 01:48 AM - edited ‎07-03-2021 02:44 PM

In,

Cisco WLC_Config Guide_Web & CLI_Release 4.1

it says,

"If the TACACS+ authorization server becomes unreachable or unable to authorize, users are unable to log into the controller."

Does this mean it does not support a fail-safe password like IOS does where the Enable password can be used to get into a router if TACACS+ is unreachable?

Labels:
0 Helpful
3 Replies 3

pmccubbin
Level 5
Level 5

‎10-10-2007 06:49 AM

Hi Mark,

No, the local database is always queried first.

Please read Chapter 5 and the section on configuring TACACS:

"You can specify the order of authentication when multiple databases are configured, click Security > Priority Order > Management User. The Priority Order > Management User page will appear."

It goes on further to explain:

For Authentication Priority, choose either Radius or TACACS+ to specify which server has priority over the other when the controller attempts to authenticate management users. By default, the local database is always queried first. If the username is not found, the controller switches to the TACACS+ server if configured for TACACS+ or to the RADIUS server if configured for Radius. The default setting is local and then Radius."

Hope this helps.

Paul

0 Helpful

MARK HEUZENROEDER
Level 1
Level 1
In response to pmccubbin

‎10-10-2007 02:41 PM

Hi Paul,

Thankyou for your clarification.

Now I realised I asked a silly question.

I can't see the value in Cisco's statement,

"If the TACACS+ authorization server becomes unreachable or unable to authorize, users are unable to log into the controller."

They ***are*** able to if they know the local account credentials, right?

Regards, MH

0 Helpful

pmccubbin
Level 5
Level 5
In response to MARK HEUZENROEDER

‎10-11-2007 03:53 AM

Hi Mark,

Firstly, your question wasn't silly. Cisco documentation is notorious for sometimes being vague. I suppose if the same person wrote the documentation for every product there might be some recognizable consistency, but as we all know this is impossible.

Secondly, you are correct when you say that people are able to log into the controller if they know the local credentials.

Hope this helps.

Paul

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card