I've got a curious problem.
If I use the following line in my configs:
aaa authentication login default group tacacs+ local
and a locally configured username/password as follows:
username test password abc123
the ACS server will authenticate the login request OK every time. But if you try to log in with the local username it fails. If you disconnect the ACS server then the local username and password will work.
Presumably the ACS server sees that there is no username that matches this local one and fails the attempt.
Is there a way to make it return to the router and make it use the local username?
Thanks for your help.
Actually it is by design. The router will fall back only in the case when there is no response from acs server.
If ACS cannot locate any user, it will say "user not found" to the router, so the router will not check its database.
If there is no reply from ACS, the router will get "error" as a return value, so it will then check its local database for that user.
Hope that helps !
Do rate helpful posts
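A small model of the method-list behaviour described in the reply above, added here as an illustration; it is not code from the thread or from Cisco. It assumes the reply's rule (the next method in `group tacacs+ local` is consulted only when the previous one returns no answer at all), and the user names, passwords and the `acs_reachable` flag are constructed sample values.

```python
from enum import Enum


class Result(Enum):
    PASS = "pass"    # the method accepted the credentials
    FAIL = "fail"    # the method answered and rejected them (e.g. "user not found")
    ERROR = "error"  # the method gave no answer (server unreachable)


# Constructed sample data: one account known to ACS, one known only to the router.
ACS_USERS = {"admin": "s3cret"}
LOCAL_USERS = {"test": "abc123"}


def tacacs_plus(user, password, acs_reachable):
    """Model of the 'group tacacs+' method: no reply -> ERROR, reply -> PASS or FAIL."""
    if not acs_reachable:
        return Result.ERROR
    return Result.PASS if ACS_USERS.get(user) == password else Result.FAIL


def local(user, password, acs_reachable):
    """Model of the 'local' method: only the router's own username database is consulted."""
    return Result.PASS if LOCAL_USERS.get(user) == password else Result.FAIL


# 'aaa authentication login default group tacacs+ local' as an ordered method list.
DEFAULT_METHOD_LIST = [tacacs_plus, local]


def authenticate(user, password, acs_reachable, methods=DEFAULT_METHOD_LIST):
    """Walk the method list: a PASS or FAIL is final, only ERROR moves on to the next method.

    Returns (result, name_of_method_that_decided); the name is None if every method errored.
    """
    for method in methods:
        result = method(user, password, acs_reachable)
        if result is not Result.ERROR:
            return result, method.__name__
    return Result.ERROR, None


if __name__ == "__main__":
    # The situation from the question: ACS is up, so the local-only user is rejected by ACS
    # and the router never reaches the 'local' method.
    print(authenticate("test", "abc123", acs_reachable=True))
    # With ACS unreachable the TACACS+ method errors and the local database answers.
    print(authenticate("test", "abc123", acs_reachable=False))
```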