Telnet to switches when AAA server is down

Feb 8th, 2008

Is it possible to configure switches to allow telnet when AAA servers are down? I can get into switches via console cable with both servers down since the switch will failover to the enable password. Is it possible to have telnet sessions failover as well? If for some reason both servers should go down I would like to still be able to telnet to devices using vty passwords.

Collin Clark Fri, 02/08/2008 - 09:43

What you want to do is allow AAA to use the local database of users if it can not contact the AAA server. For example:

aaa authentication login myco_tacacs group tacacs+ local

Here the local keyword is used as the second form of auth in case the first is unavailable. You will also need to create a local username. For example:

username ceclark secret LeTsGoRaNgErS

Make sure you lab this out before putting it into production, or you may (or will) lock yourself out!


Goutam Sanyal Fri, 02/08/2008 - 23:58


Yes, it is possible.

You can configure the following:

conf t
aaa new-model
! every login uses the local user database only; no AAA server is consulted
aaa authentication login default local
aaa authorization exec default local
! "secret 5" expects an already-computed MD5 hash, so a plaintext word after it is rejected;
! omit the 5 and IOS hashes the secret itself ("password" is the placeholder to replace)
username goutams privilege 15 secret password

The above will allow you to login locally with the specified user name & password.

I suggest you please do thorough R&D before going live with it on the production network.



Please rate if it works.

Richard Burts Mon, 02/11/2008 - 05:47


I would like to offer a refinement of the suggestion from Collin which I think will fit your stated requirements a bit better. Collin suggested:

aaa authentication login myco_tacacs group tacacs+ local

and I would suggest:

aaa authentication login default group tacacs+ line

The suggestion from Collin specifies a named method of myco_tacacs, and you would need to specify this under the vty lines:

login authentication myco_tacacs

whereas if you make it the default then no additional configuration is required under the vty. And Collin's suggestion would require configuration of local IDs and passwords, where you asked about using the line passwords.

Note that the suggestion from Goutam would force all authentication to use the local configured IDs and passwords and would not use your AAA servers at all.
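Richard's method list together with the rest of the configuration it depends on, as an added example that is not from any of the posters (the server address, key and passwords are placeholders). One caveat worth knowing before relying on it: the "line" method is only tried when no TACACS+ server answers, so a login that a reachable server actively rejects still fails rather than falling back to the vty password.

```ios
! Added example (not from the original posts); addresses and secrets are placeholders.
aaa new-model
!
! TACACS+ server definition; 192.0.2.10 and the key are placeholders.
tacacs-server host 192.0.2.10 key PLACEHOLDER_TACACS_KEY
!
! Login: try the TACACS+ group first; if no server responds, use the line password.
! The next method is consulted only on a server ERROR (unreachable), not on a
! rejected credential, so a down server cannot be confused with a bad password.
aaa authentication login default group tacacs+ line
!
! Privileged mode: same pattern, falling back to the locally configured enable secret
! (this is the console behaviour described in the question, made explicit for vty too).
aaa authentication enable default group tacacs+ enable
enable secret PLACEHOLDER_ENABLE_SECRET
!
! The line passwords that the "line" method uses while the servers are down.
! Because the method list is named "default", no "login authentication" command
! is required on the lines; it is shown here only to make the binding visible.
line console 0
 password PLACEHOLDER_CONSOLE_PASSWORD
 login authentication default
!
line vty 0 4
 password PLACEHOLDER_VTY_PASSWORD
 login authentication default
```

Test the fallback in a lab first by making the server unreachable (for example, a deliberately wrong server address) and confirming that the vty password is then accepted, while a reachable server with the wrong key still refuses the session.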



