AAA & local login

raycourtney
Level 1

Hi,

I've got a curious problem.

If I use the following line in my configs:

aaa authentication login default group tacacs+ local

and a locally configured username/password as follows:

username test password abc123

the ACS server will authenticate the login request OK every time, but if you try and log in with the local username it fails. If you disconnect the ACS server then the local username and password will work.

Presumably the ACS server sees that there is no username that matches this local one and fails the attempt.

Is there a way to make it return to the router and make it use the local username?

Thanks for your help.

Ray

Accepted Solution

Jagdeep Gambhir
Level 10

Ray,

Actually it is by design. The router will fall back only in the case where there is no response from the ACS server.

If ACS cannot locate the user, it will say "user not found" to the router, so the router will not check its own database.

If there is no reply from ACS, the router will get "error" as the return value, so it will then check its local database for that user.

Hope that helps!

Regards,

~JG

Do rate helpful posts

4 Replies

cisco24x7
Level 6

Local account "test" is the fall-back method in case the ACS becomes unavailable.

CCIE Security.

Just a quick addition:

The router asks the first TACACS+ server (ACS) first; if it doesn't reply within the specified time (there is a default value, which can be changed with the command tacacs-server timeout), it continues to the second TACACS+ server (ACS), if a second one is configured. If there is no response within the timeout, the router goes to local authentication.

M.

Hope that helps; rate if it does.

Premdeep Banga
Level 7

Maybe I am replying to this too late, but there is a way to get both working, given that nothing has been changed in the code, which I have seen lately in a few cases.

Issue command,

aaa authentication login default local group tacacs+

The above command will let both local and TACACS+ accounts work. But ensure that the local and TACACS+ accounts do not have the same username.

The logic behind this is:

First the router will look up its local database; if the user is not found, the router returns the code "ERROR". And "ERROR" is the code that makes the aaa statement look for the next available method, i.e. TACACS+ as per the command.

But other way around is not correct. That is, if you have command,

aaa authentication login default group tacacs+ local

Then if the account does not exist on the TACACS+ server, the TACACS+ server returns the error code "FAIL", not "ERROR", so the router never looks at its local database.

But when the TACACS+ server is not available, the router times out and generates the error code "ERROR", which lets the router check its local database.

Regards,

Prem
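The ERROR-versus-FAIL rule that JG and Prem describe can be checked with a small model of method-list evaluation. The Python below is an added example, not code from this thread or from Cisco; the user databases are constructed sample data, the local and TACACS+ behaviours are encoded exactly as the replies above state them, and the rule that "every method returned ERROR" ends in FAIL (no trailing `none` method) is a modelling assumption.

```python
# Added example: a model of Cisco IOS AAA login method-list evaluation.
# Only ERROR moves evaluation on to the next method; PASS or FAIL is final.
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Result(Enum):
    PASS = "PASS"    # method authenticated the user
    FAIL = "FAIL"    # definitive rejection: bad password, or ACS "user not found"
    ERROR = "ERROR"  # method could not answer: ACS timeout, or user absent locally


Method = Callable[[str, str], Result]
Trail = List[Tuple[str, Result]]


def make_local_method(local_db: Dict[str, str]) -> Method:
    """Local database: unknown user -> ERROR (next method is tried);
    known user with wrong password -> FAIL."""
    def local(user: str, pw: str) -> Result:
        if user not in local_db:
            return Result.ERROR
        return Result.PASS if local_db[user] == pw else Result.FAIL
    return local


def make_tacacs_method(acs_db: Dict[str, str], reachable: bool) -> Method:
    """TACACS+ server: no reply -> ERROR; any reply that rejects the login,
    including 'user not found', is FAIL."""
    def tacacs(user: str, pw: str) -> Result:
        if not reachable:
            return Result.ERROR
        if user not in acs_db or acs_db[user] != pw:
            return Result.FAIL
        return Result.PASS
    return tacacs


def authenticate(methods: List[Tuple[str, Method]], user: str, pw: str) -> Tuple[Result, Trail]:
    """Walk the method list in order and record which methods were consulted.
    Modelling assumption: if every method returns ERROR the login fails."""
    trail: Trail = []
    for name, method in methods:
        r = method(user, pw)
        trail.append((name, r))
        if r is not Result.ERROR:
            return r, trail
    return Result.FAIL, trail


# Constructed sample databases, not real credentials.
LOCAL_DB = {"test": "abc123"}   # the thread's locally configured user
ACS_DB = {"ray": "acs-pass"}    # a user known only to the ACS server


def tacacs_then_local(acs_up: bool) -> List[Tuple[str, Method]]:
    """aaa authentication login default group tacacs+ local"""
    return [("group tacacs+", make_tacacs_method(ACS_DB, acs_up)),
            ("local", make_local_method(LOCAL_DB))]


def local_then_tacacs(acs_up: bool) -> List[Tuple[str, Method]]:
    """aaa authentication login default local group tacacs+"""
    return [("local", make_local_method(LOCAL_DB)),
            ("group tacacs+", make_tacacs_method(ACS_DB, acs_up))]


def overlapping_username_case() -> Tuple[Result, Trail]:
    """Prem's caveat: with 'local group tacacs+', a username present in both
    databases is decided by the local entry alone. Here 'ray' also exists
    locally with a stale password, so typing the ACS password gets a local
    FAIL and the TACACS+ server is never asked."""
    methods = [("local", make_local_method({"ray": "stale-pass"})),
               ("group tacacs+", make_tacacs_method(ACS_DB, True))]
    return authenticate(methods, "ray", "acs-pass")


if __name__ == "__main__":
    scenarios = [("tacacs+ first, ACS up", tacacs_then_local(True)),
                 ("tacacs+ first, ACS down", tacacs_then_local(False)),
                 ("local first, ACS up", local_then_tacacs(True))]
    for label, methods in scenarios:
        for user, pw in [("test", "abc123"), ("ray", "acs-pass")]:
            result, trail = authenticate(methods, user, pw)
            consulted = ", ".join(f"{n}={r.value}" for n, r in trail)
            print(f"{label:24} {user:5} -> {result.value:5} [{consulted}]")
    result, trail = overlapping_username_case()
    print(f"overlapping username     ray   -> {result.value:5} [{trail[0][0]}={trail[0][1].value}]")
```

Running it reproduces Ray's observation: with `group tacacs+ local` and ACS reachable, the local user `test` gets a single `group tacacs+=FAIL` and the local database is never consulted; with ACS down the same login passes via local. With `local group tacacs+` both users pass, and the overlapping-username case shows why Prem insists the two databases must not share names.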
