If ACS server down no local authentication

Unanswered Question
Jun 15th, 2008

I noticed that when my two TACACS servers are unreachable I cannot log in with a local username. After the tacacs-server timeout (5 sec each), shouldn't it look at the local username admin?

(changed hostnames/keys for security)

username adminprivilege 15 secret 5 <removed>

old

aaa new-model

aaa authentication login default group tacacs+ local

aaa authorization exec default group tacacs+ local

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

!

tacacs-server host 10.10.0.10 key 7096F5C090B16291319

tacacs-server host 10.10.0.56 key 7096F5C090B16291319

tacacs-server directed-request

Farrukh Haroon Sun, 06/15/2008 - 21:24

Check the following:

1) username adminprivilege 15 secret 5

username admin privilege 15 secret 5

2) Make sure both AAA servers are unreachable; a good way to check is the 'test aaa' command.

3) Check the following debugs, and if possible post here:

debug aaa authentication

debug aaa authorization

Are you logging in via console or VTY?

Regards

Farrukh

Richard Burts Sun, 06/22/2008 - 07:26

Jason

I believe that I have been bitten by this issue before myself. I believe that if you look carefully when you attempt to login and the TACACS servers are not available, that the error message that you get is authorization failure where we would generally expect to see authentication failure.

I believe that the issue is in your configuration of aaa authorization. You currently have this configured:

aaa authorization exec default group tacacs+ local

I would suggest that you change it to this:

aaa authorization exec default group tacacs+ if-authenticated

Give it a try and let us know if it works better.

HTH

Rick
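To make the two suggestions above concrete (the username typo in the original post, and Rick's proposal to replace the local authorization method with if-authenticated), here is a small Python model of how an IOS method list falls through its methods. This is an added illustration, not IOS code and not anything posted in the thread; it assumes the documented method-list rule (the next method is consulted only when the current one returns an error such as a server timeout, and a pass or fail from any method ends the list), and the user tables, server states and the Router class are all constructed for the example.

```python
"""Model of Cisco IOS AAA method-list fallback (constructed illustration).

Assumed IOS semantics:
  * methods in a list are tried in order;
  * the next method is consulted only when the current one returns ERROR
    (every TACACS+ server timed out); PASS or FAIL ends the list;
  * 'local' consults the local username table for both login and exec
    authorization; 'if-authenticated' passes for any authenticated user.
All user databases and server states below are made up for the example.
"""
from dataclasses import dataclass, field

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


@dataclass
class Router:
    local_users: dict                 # username -> privilege (local 'username' lines)
    tacacs_users: dict                # what the TACACS+ servers would accept
    tacacs_reachable: bool
    authentication: list = field(default_factory=lambda: ["tacacs+", "local"])
    authorization_exec: list = field(default_factory=lambda: ["tacacs+", "local"])

    def _method(self, name, user, authenticated):
        """Result of one AAA method for one request."""
        if name == "tacacs+":
            if not self.tacacs_reachable:
                return ERROR          # timeouts on every server -> fall through
            return PASS if user in self.tacacs_users else FAIL
        if name == "local":
            return PASS if user in self.local_users else FAIL
        if name == "if-authenticated":
            return PASS if authenticated else FAIL
        raise ValueError(f"unknown method {name}")

    def _run_list(self, methods, user, authenticated):
        for name in methods:
            result = self._method(name, user, authenticated)
            if result != ERROR:
                return result, name   # a definite answer ends the list
        return FAIL, "no method answered"

    def login(self, user, outage_after_authentication=False):
        """Outcome of an exec login and the method that decided it."""
        result, by = self._run_list(self.authentication, user, False)
        if result != PASS:
            return "authentication failure", by
        if outage_after_authentication:   # servers time out between the two phases
            self.tacacs_reachable = False
        result, by = self._run_list(self.authorization_exec, user, True)
        if result != PASS:
            return "authorization failure", by
        return "exec granted", by


def scenario_typo_in_username():
    """Original post: local entry typed as 'adminprivilege', both servers down."""
    r = Router(local_users={"adminprivilege": 15}, tacacs_users={"admin": 15},
               tacacs_reachable=False)
    return r.login("admin")


def scenario_fixed_username():
    """Farrukh's point 1: 'username admin privilege 15 ...', both servers down."""
    r = Router(local_users={"admin": 15}, tacacs_users={"admin": 15},
               tacacs_reachable=False)
    return r.login("admin")


def scenario_intermittent_outage(authorization_methods):
    """A TACACS-only user authenticates, then the servers time out before
    exec authorization; compares 'local' with 'if-authenticated'."""
    r = Router(local_users={"admin": 15}, tacacs_users={"jason": 15},
               tacacs_reachable=True, authorization_exec=authorization_methods)
    return r.login("jason", outage_after_authentication=True)


if __name__ == "__main__":
    print(scenario_typo_in_username())
    print(scenario_fixed_username())
    print(scenario_intermittent_outage(["tacacs+", "local"]))
    print(scenario_intermittent_outage(["tacacs+", "if-authenticated"]))
```

In this model the mistyped username line produces exactly the symptom in the question (the fallback to local is reached, but no entry named admin exists), so Farrukh's first check comes before any method-list change. The if-authenticated variant shows what Rick's change buys: exec is granted to anyone the login phase accepted, whether or not that user has a local entry, which is also its cost, since per-user exec restrictions the TACACS+ servers would normally enforce do not apply while they are unreachable. Real device behaviour should be confirmed with the debug aaa authentication and debug aaa authorization output Farrukh asked for.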
