I am trying to get my switches/routers/etc. to use aaa to restrict access to configuration of my network devices. I have the aaa authenticating to ACS v3.3 now, but for some reason my local user no longer works. I would like to have the option of a local login just in case my ACS becomes unavailable.
My config on a 2950 is...
no service pad
service timestamps debug uptime
service timestamps log uptime
aaa authentication login GPRC-Access group tacacs+ local enable none
aaa authorization exec GPRC-Access group tacacs+ local
aaa authorization network GPRC-Access group tacacs+ local
aaa accounting exec GPRC-Access start-stop group tacacs+
aaa accounting network GPRC-Access start-stop group tacacs+
enable secret xxx
enable password xxx
username admin privilege 15 secret xxx
tacacs-server host 172.20.2.25 key xxx
tacacs-server key xxx
line vty 0 4
 exec-timeout 15 0
 authorization exec GPRC-Access
 accounting exec GPRC-Access
 login authentication GPRC-Access
line vty 5 15
The only time the local user will work is when your TACACS server is unavailable. You can test by putting in the wrong TACACS key and establishing a new session. Make sure you keep the original session open just in case :-)
HTH and please rate.
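Added example, not part of the original posts and not Cisco code: a simplified Python model of the fallback behaviour described in the answer, walking the GPRC-Access method order from the posted config. The user names, passwords and the env dictionary are constructed, and the way local, enable and none respond is a modelling assumption.

```python
# Simplified model of an IOS AAA login method list: the next method is tried
# only when the current one gives no answer (ERROR); a reject (FAIL) is final.
PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

def tacacs(user, pw, env):
    # ERROR = no usable reply (server down, or the key-mismatch test from the answer)
    if not env["tacacs_reachable"]:
        return ERROR
    return PASS if env["acs_users"].get(user) == pw else FAIL

def local(user, pw, env):
    # Model assumption: the local username database always gives an answer.
    return PASS if env["local_users"].get(user) == pw else FAIL

def enable(user, pw, env):
    secret = env.get("enable_secret")
    if secret is None:          # nothing configured, so no answer
        return ERROR
    return PASS if pw == secret else FAIL

def none(user, pw, env):
    return PASS                 # "none" admits without checking anything

METHODS = {"group tacacs+": tacacs, "local": local, "enable": enable, "none": none}
GPRC_ACCESS = ["group tacacs+", "local", "enable", "none"]  # order from the posted config

def login(method_list, user, pw, env):
    """Return (result, name of the method that decided)."""
    for name in method_list:
        result = METHODS[name](user, pw, env)
        if result != ERROR:     # PASS or FAIL ends the walk
            return result, name
    return FAIL, None

def demo():
    # Constructed sample data: "admin" exists only on the switch, not in ACS.
    env = {"tacacs_reachable": True, "acs_users": {"jdoe": "acs-pw"},
           "local_users": {"admin": "local-pw"}, "enable_secret": "en-pw"}
    up = login(GPRC_ACCESS, "admin", "local-pw", env)
    env["tacacs_reachable"] = False
    down = login(GPRC_ACCESS, "admin", "local-pw", env)
    down_bad = login(GPRC_ACCESS, "admin", "wrong", env)
    return up, down, down_bad

if __name__ == "__main__":
    for label, outcome in zip(("ACS up", "ACS down", "ACS down, bad password"), demo()):
        print(label, outcome)
```

In this model the local admin is rejected by the TACACS+ method while ACS is answering, and accepted by the local method only once ACS stops answering.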