If ACS server down, no local authentication

Jun 15th, 2008

I noticed that when my two TACACS+ servers are unreachable I cannot log in with the local username. After the tacacs-server timeout (5 sec each), shouldn't it look at the local username admin?


(changed hostnames/keys for security)

username adminprivilege 15 secret 5 <removed>

old

aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
tacacs-server host 10.10.0.10 key 7096F5C090B16291319
tacacs-server host 10.10.0.56 key 7096F5C090B16291319
tacacs-server directed-request

Farrukh Haroon Sun, 06/15/2008 - 21:24

Check the following:


1) username adminprivilege 15 secret 5  ->  username admin privilege 15 secret 5


2) Make sure both AAA servers are unreachable, a good way is the 'test aaa' command.


3) Check the following debugs, and if possible post here:


debug aaa authentication

debug aaa authorization


Are you logging in via console or VTY?


Regards


Farrukh

Richard Burts Sun, 06/22/2008 - 07:26
Jason


I believe that I have been bitten by this issue before myself. I believe that if you look carefully when you attempt to login and the TACACS servers are not available, that the error message that you get is authorization failure where we would generally expect to see authentication failure.


I believe that the issue is in your configuration of aaa authorization. You currently have this configured:

aaa authorization exec default group tacacs+ local


I would suggest that you change it to this:

aaa authorization exec default group tacacs+ if-authenticated


Give it a try and let us know if it works better.


HTH


Rick
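Putting the two replies together, here is the fallback configuration a practitioner would deploy, with the EXEC authorization line changed to if-authenticated as Rick suggests and the checks Farrukh lists appended as comments. This is an added example, not configuration from either post; the addresses, the shared key, the user name and the secret are placeholders, and only the aaa/tacacs-server/username lines are taken from the original question.

```cisco
! Added example: TACACS+ with a working local fallback (placeholder keys/addresses)
aaa new-model
!
! Login authentication: try the TACACS+ group first; only if every server in the
! group fails to answer does IOS move on to the local user database. A password
! rejected by a reachable server does NOT fall through to "local".
aaa authentication login default group tacacs+ local
!
! EXEC authorization: when the servers are unreachable, grant the EXEC shell to
! any user who already passed authentication. This is the line Rick changes from
! "group tacacs+ local", which can fail the session with an authorization error.
aaa authorization exec default group tacacs+ if-authenticated
!
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! Local fallback account: note the space between the name and "privilege".
! Without "privilege 15" the fallback login lands in user EXEC (privilege 1).
username admin privilege 15 secret <strong-secret>
!
tacacs-server host 10.10.0.10 key <shared-key>
tacacs-server host 10.10.0.56 key <shared-key>
! 5 s per server (the IOS default), so two dead servers cost about 10 s
! before the local method is tried.
tacacs-server timeout 5
!
! --- Verification, run from privileged EXEC rather than config mode ---
! Per-server reachability and counters:
!   show tacacs
! Probe the whole group with a test user (both hosts must fail for fallback):
!   test aaa group tacacs+ admin <password> legacy
! Watch the method lists being walked during the next login attempt:
!   terminal monitor
!   debug aaa authentication
!   debug aaa authorization
!   undebug all
```

Two caveats a practitioner should keep in mind. First, if-authenticated is only reached after every TACACS+ host in the group has timed out, so it widens access only during an outage, and the local account it relies on should be a real break-glass credential with a strong, rotated secret rather than a forgotten default. Second, IOS does not apply the EXEC authorization method list to the console line unless aaa authorization console is configured, which is why Farrukh asks whether the failing login is on the console or a VTY: the same configuration can behave differently on the two.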
