Password set for logging into Console

Kevin Melton
Level 2

I have most of my customers' network devices set to use TACACS+ through an ACS server to authenticate remote admins who SSH to these devices.

I was attempting to set up a cryptic password as the authentication means for console access to any of the devices. This is in case we have to log into any of the devices locally and the ACS server is not available for any reason.

I used the IOS command "password" and then configured a password. However, when testing, the devices all still ask for a username when I connect to a console port to log in.

Is there any reason this would be happening?

Thanks


Jagdeep Gambhir
Level 10

Remove the login local command under the line console configuration.

Router(config)#line con 0

Router(config-line)#no login local

Regards,

~JG

Do rate helpful posts

Thanks. That is what I needed.

Please mark it resolved, so others can benefit from it.

If I have understood the original post, then I do not believe that it is an issue of login local. If aaa new-model is configured so that the vty will authenticate to ACS, then it also means that the console will authenticate with the default authentication method, which is probably set to TACACS.

If you do not want the console to authenticate with tacacs then try configuring this:

aaa authentication login consoleauth line
line con 0
 login authentication consoleauth

HTH

Rick

Oops, sorry, my bad.

Rick is 100% correct here, we need to make method list for console.

Thanks for correction Rick

JG

No problem. We all help to keep each other straight. That is part of what makes the forum so very good.

HTH

Rick

Gentlemen

Let me take this a step further. If I configure the following statement, does this not roll back to the local userbase if in fact TACACS does not respond?

aaa authentication login default group tacacs+ local

I had moved forward and configured this not only on the vty lines (which are the most vulnerable to UA attempts), but on the console line as well by using:

router(config)#line con 0
router(config-line)#login authentication default

Thanks to both of you for your participation in this. I look forward to your response. I want my customers' networks to be as secure as possible.

Kevin

Kevin

Perhaps it is a terminology thing, but I am not clear what you are asking when you say: "does this not roll back the local userbase if in fact tacacs does not respond".

So let me respond by saying what that command will do.

aaa authentication login default group tacacs+ local

will attempt to authenticate with the configured TACACS server(s), and if there is no response from TACACS or if the response from TACACS is ERROR (note that FAIL is a very different response than ERROR), then it will attempt to authenticate with the locally configured user ID and password. If attempting local authentication, and if the entered user ID does not exist in the locally configured set of users, or if the entered password does not match the configured password for the user ID entered, then authentication will fail.

HTH

Rick
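The two points Rick makes above, that a line with no explicit list silently uses the default method list once aaa new-model is on, and that only an ERROR (server unreachable) moves on to the next method while a FAIL (reject) ends the attempt, as a runnable model. This is an added example, not code from the thread or from Cisco: the running-config excerpt, the 10.0.0.5 server address, the key and all usernames and passwords are constructed, and the unknown-local-user case is treated as a reject the way Rick describes it.

```python
"""Model of IOS AAA login method-list evaluation for console and vty lines.

Parses a running-config excerpt, works out which method list each line really
uses, and simulates login attempts while the TACACS+ server is reachable,
unreachable, or rejecting the user. Added example; not Cisco's code.
"""
import re

# Constructed sample config (not from the thread): TACACS+ then local for the
# vty lines, a plain line password on the console as the offline fallback.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login consoleauth line
username admin secret 0 Str0ngLocalPw
tacacs-server host 10.0.0.5 key Tac4csK3y
line con 0
 password C0ns0leOnlyPw
 login authentication consoleauth
line vty 0 4
 login authentication default
 transport input ssh
"""

# Constructed local user database (the 'username' command above).
LOCAL_USERS = {"admin": "Str0ngLocalPw"}


def parse_config(text):
    """Return (method_lists, lines).

    method_lists: list name -> ordered methods, e.g. {"default": ["tacacs+", "local"]}
    lines: line name -> {"methods": list name or None, "login_local": bool, "password": str|None}
    """
    method_lists, lines, current = {}, {}, None
    for raw in text.splitlines():
        stripped = raw.strip()
        m = re.match(r"aaa authentication login (\S+) (.+)", stripped)
        if m:
            rest = m.group(2).replace("group tacacs+", "tacacs+").replace("group radius", "radius")
            method_lists[m.group(1)] = rest.split()
            continue
        if stripped.startswith("line "):
            current = stripped[5:]
            lines[current] = {"methods": None, "login_local": False, "password": None}
            continue
        if current and raw.startswith(" "):
            if stripped.startswith("login authentication "):
                lines[current]["methods"] = stripped.split()[-1]
            elif stripped == "login local":
                lines[current]["login_local"] = True
            elif stripped.startswith("password "):
                lines[current]["password"] = stripped.split()[-1]
        else:
            current = None  # back at global config level
    return method_lists, lines


def resolve_methods(line_name, config_text):
    """The authentication methods a line actually uses."""
    method_lists, lines = parse_config(config_text)
    line = lines[line_name]
    if "aaa new-model" not in config_text:
        # Pre-AAA behaviour: 'login local' uses the username database,
        # plain 'login' uses the line password.
        return ["local"] if line["login_local"] else ["line"]
    # Rick's point: with aaa new-model, a line without its own
    # 'login authentication' quietly inherits the 'default' list.
    return method_lists[line["methods"] or "default"]


def authenticate(methods, user, password, tacacs, line_password=None):
    """Walk a method list. tacacs is 'accept', 'reject' or 'unreachable'.

    Only an ERROR (server unreachable) falls through to the next method; a
    REJECT (FAIL) ends the attempt even if later methods would have accepted.
    Returns (verdict, deciding method).
    """
    for method in methods:
        if method == "tacacs+":
            if tacacs == "unreachable":
                continue  # ERROR: try the next method
            return ("ACCEPT" if tacacs == "accept" else "REJECT", "tacacs+")
        if method == "local":
            # Wrong password, or (per the thread) unknown user: reject.
            ok = LOCAL_USERS.get(user) == password
            return ("ACCEPT" if ok else "REJECT", "local")
        if method == "line":
            return ("ACCEPT" if password == line_password else "REJECT", "line")
        if method == "none":
            return ("ACCEPT", "none")
    return ("REJECT", "no method answered")


def offline_fallback(line_name, config_text):
    """True if the line can still be logged into with every TACACS+ server down."""
    return any(m in ("local", "line", "enable", "none")
               for m in resolve_methods(line_name, config_text))


if __name__ == "__main__":
    _, lines = parse_config(SAMPLE_CONFIG)
    for name in lines:
        print(name, "->", resolve_methods(name, SAMPLE_CONFIG),
              "offline fallback:", offline_fallback(name, SAMPLE_CONFIG))
    con_pw = lines["con 0"]["password"]
    print("console, ACS down:", authenticate(resolve_methods("con 0", SAMPLE_CONFIG),
                                             "anyone", con_pw, "unreachable", con_pw))
    vty = resolve_methods("vty 0 4", SAMPLE_CONFIG)
    print("vty, ACS down:   ", authenticate(vty, "admin", "Str0ngLocalPw", "unreachable"))
    print("vty, ACS reject: ", authenticate(vty, "admin", "Str0ngLocalPw", "reject"))
```

The last two lines of output are the distinction Rick draws: with the ACS box unreachable the vty login falls through to the local user, but a REJECT from a reachable ACS is final, and the valid local password never gets a chance. Running `offline_fallback` over a config in which the console has no `login authentication` line and the default list is `group tacacs+` alone reports the lockout case the original poster was trying to avoid.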

Yes, my terminology may not be as concise as it should have been. Your answer, however, is a great and thorough answer, Rick. In the event that the TACACS daemon (in my case the ACS box) cannot be reached because it is down, then the local username and password (which I had called a userbase incorrectly, I suppose) will be used. Whereas if TACACS does respond and it is a REJECT, then the user is not authenticated and is not allowed access.

Great job!

Kevin

Kevin

Thank you for the compliment. I am really gratified when someone expresses appreciation for my response.

I try not to say that someone's terminology is wrong, because they may be speaking in some context I am not familiar with or have something in their background that gives the term meaning. So if I do not understand it, I generally say it is not clear to me and ask for clarification. In this case I was pretty clear what you meant by userbase. What I did not understand was ROLL BACK the userbase.

I am glad that I was able to explain the functionality in a way that made sense to you.

HTH

Rick