AAA & local login

Answered Question
Feb 12th, 2008

Hi,

I've got a curious problem.

If I use the following line in my configs:

aaa authentication login default group tacacs+ local

and a locally configured username/password as follows:

username test password abc123

the ACS server will authenticate the login request OK every time. But if you try and log in with the local username it fails. If you disconnect the ACS server then the local username and password will work.

Presumably the ACS server sees that there is no username that matches this local one and fails the attempt.

Is there a way to make it return to the router and make it use the local username?

Thanks for your help.

Ray

Correct Answer by Jagdeep Gambhir about 8 years 10 months ago

Ray,

Actually it is by design. The router will fall back only in the case when there is no response from the ACS server.

If ACS cannot locate any user, it will say "user not found" to the router, so the router will not check its database.

If there is no reply from ACS, the router will get "error" as a return value, so it will then check its local database for that user.

Hope that helps !

Regards,

~JG

Do rate helpful posts
cisco24x7 Tue, 02/12/2008 - 06:38

Local account "test" is the fall-back method in case the ACS becomes unavailable.

CCIE Security.


m.sir Thu, 02/14/2008 - 05:24

Just quick addition

The router asks the first TACACS (ACS) server first; if it doesn't reply within the specified time (there is a default value, which can be changed with the command tacacs-server timeout) then it continues to the second TACACS (ACS) server (if a second one is configured); if there is no response within the timeout, the router goes to local authentication.

M.

Hope that helps; rate if it does.

Premdeep Banga Sun, 03/02/2008 - 11:47

Maybe I am replying to this too late, but there is a way to get both working, given that nothing has been changed in the code, which I have seen lately in a few cases.

Issue command,

aaa authentication login default local group tacacs+

The above command will let both local and TACACS accounts work. But ensure that local and TACACS accounts do not have the same username.

The logic behind this is:

First the router will look up its local database; if a user is not found then the router returns the code "ERROR". And "ERROR" is the code responsible for the aaa statement to look for the next method available, i.e. TACACS as per the command.

But other way around is not correct. That is, if you have command,

aaa authentication login default group tacacs+ local

Then if the account does not exist on the TACACS server, the TACACS server returns an error code "FAIL", not "ERROR", so it never looks at the local database on the router.

But when the TACACS server is not available, the router times out and generates error code "ERROR", which lets the router check its local database.

Regards,

Prem
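The method-list walk that Jagdeep and Prem describe (FAIL is final, ERROR moves on to the next method), together with m.sir's point that the TACACS+ group only gives up after every server has timed out, can be simulated so the two orderings can be compared side by side. The block below is an added example and is not code from this thread or from Cisco IOS; the user databases, server names, the parser for the aaa command line and the assumption that a list in which every method returns ERROR rejects the login are all constructed for the simulation.

```python
"""Simulation of how an IOS AAA login method list is walked.

Added illustration, not code from the thread or from Cisco IOS. It encodes
the rule the replies describe: each method returns PASS, FAIL or ERROR;
FAIL ends the list (login rejected), ERROR moves to the next method. The
TACACS+ server group returns ERROR only when every configured server times
out; "user not found" on a reachable server is FAIL. The local method
returns ERROR for an unknown username so that a later method is consulted.
User databases and server lists below are constructed samples.
"""
from enum import Enum


class Result(Enum):
    PASS = "PASS"
    FAIL = "FAIL"
    ERROR = "ERROR"


# Constructed sample credential stores (assumptions for the simulation).
LOCAL_USERS = {"test": "abc123"}      # "username test password abc123"
ACS_USERS = {"ray": "s3cret"}         # account that exists only on ACS

TACACS_FIRST = "aaa authentication login default group tacacs+ local"
LOCAL_FIRST = "aaa authentication login default local group tacacs+"


def parse_method_list(cmd):
    """Turn the aaa command into its ordered method names,
    e.g. ['group tacacs+', 'local']."""
    tokens = cmd.split()
    if tokens[:4] != ["aaa", "authentication", "login", "default"]:
        raise ValueError("not a default login method list: %r" % cmd)
    methods, rest, i = [], tokens[4:], 0
    while i < len(rest):
        if rest[i] == "group":          # "group <name>" is one method
            methods.append("group " + rest[i + 1])
            i += 2
        else:
            methods.append(rest[i])
            i += 1
    return methods


def local_method(username, password, ctx):
    """Local database: unknown user -> ERROR (next method); wrong password -> FAIL."""
    users = ctx["local_users"]
    if username not in users:
        return Result.ERROR
    return Result.PASS if users[username] == password else Result.FAIL


def tacacs_group_method(username, password, ctx):
    """TACACS+ server group: servers are tried in order; an unreachable server
    times out (tacacs-server timeout) and the next one is tried. Only when
    every server has timed out does the group return ERROR."""
    for _name, reachable in ctx["servers"]:
        if not reachable:
            continue                    # timed out, try the next server
        users = ctx["acs_users"]
        if username not in users:
            return Result.FAIL          # ACS "user not found": definitive reject
        return Result.PASS if users[username] == password else Result.FAIL
    return Result.ERROR                 # no server answered at all


METHODS = {"local": local_method, "group tacacs+": tacacs_group_method}


def evaluate(cmd, username, password, servers,
             local_users=LOCAL_USERS, acs_users=ACS_USERS):
    """Walk the method list; return [(method, Result), ...] in the order tried."""
    ctx = {"servers": servers, "local_users": local_users, "acs_users": acs_users}
    trace = []
    for method in parse_method_list(cmd):
        result = METHODS[method](username, password, ctx)
        trace.append((method, result))
        if result is not Result.ERROR:
            break                       # PASS or FAIL is final
    return trace


def authenticate(cmd, username, password, servers, **dbs):
    """Final decision. If every method returned ERROR the login is treated as
    rejected here (assumption: no 'none' method is configured)."""
    trace = evaluate(cmd, username, password, servers, **dbs)
    last = trace[-1][1]
    return last if last is not Result.ERROR else Result.FAIL


if __name__ == "__main__":
    acs_up = [("acs1", True)]
    acs_down = [("acs1", False), ("acs2", False)]
    for cmd in (TACACS_FIRST, LOCAL_FIRST):
        print(cmd)
        for user, pw, servers in (("test", "abc123", acs_up),
                                  ("test", "abc123", acs_down),
                                  ("ray", "s3cret", acs_up)):
            print("  %-5s ACS %s -> %s  %s" % (
                user, "up  " if servers[0][1] else "down",
                authenticate(cmd, user, pw, servers).value,
                evaluate(cmd, user, pw, servers)))
```

Running it reproduces Ray's symptom: with `group tacacs+ local` and ACS reachable, `test/abc123` stops at the TACACS+ method with FAIL and `local` is never reached; with both servers timing out the group returns ERROR and the local account passes. With `local group tacacs+` both accounts work, but the simulation also shows Prem's caveat: a local account named `ray` shadows the ACS account of the same name, because the local method answers PASS or FAIL and ACS is never asked. The practical consequence of local-first is that logins against local accounts never reach ACS, so whatever ACS enforces centrally (lockout, logging, per-user policy) does not apply to them.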
