Tacacs fall back to local doesn't work

Unanswered Question
Aug 5th, 2008

Hello,

I have this configuration, and the fall back to local doesn't seem to work (using telnet or ssh):

username admin privilege 15 password ugawdfugagdfqfqfiqgfigqf
aaa new-model
aaa authentication login VTY-access group tacacs+ local
aaa accounting exec accounting start-stop group tacacs+
aaa accounting commands 1 accounting start-stop group tacacs+
aaa accounting commands 15 accounting start-stop group tacacs+
aaa accounting connection accounting start-stop group tacacs+
tacacs-server host 1.2.3.4
tacacs-server key khdhdfhahsfklhas

line vty 0 15
 no password
 exec-timeout 15 0
 privilege level 15
 accounting connection accounting
 accounting commands 1 accounting
 accounting commands 15 accounting
 accounting exec accounting
 login authentication VTY-access

line con 0
 no password
 exec-timeout 15 0
 privilege level 15
 accounting connection accounting
 accounting commands 1 accounting
 accounting commands 15 accounting
 accounting exec accounting
 login authentication VTY-access


Thanks for your help

Blaise

dhananjoy chowdhury Tue, 08/05/2008 - 06:36

Is the TACACS server reachable from this device?

If yes, then it might not fall back to LOCAL.


If this is a test setup, then you may try disconnecting the Tacacs server from the network and then test.

b.bersier Tue, 08/05/2008 - 06:40

I tried stopping the services on the ACS CE 4.2 and it did not use the fall back; then I changed the IP address of the TACACS server to a false IP, and it still doesn't fall back.

francisco_1 Tue, 08/05/2008 - 06:44

aaa new-model
tacacs-server host [tacacs ip address]
tacacs-server key [secret key]
aaa authentication login default group tacacs+ local
username [local user name] password [local user password]

aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+


Remove all your existing entries and try just the above.


Make sure your device has reachability to the TACACS server.
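
An offline check for the configuration pattern discussed in this thread, added here as an example and not posted by any participant: it parses an IOS configuration and reports `line` sections whose login method list is undefined, lacks a `local` method, or names `local` when no local `username` exists. The function name and both sample configurations are constructed for illustration, and the secret is a placeholder.

```python
import re

def audit_login_fallback(config):
    """Return findings about local fallback for each 'line' section."""
    method_lists = {}  # list name -> method tokens, e.g. ["group", "tacacs+", "local"]
    applied = {}       # line section -> name of the login method list it uses
    has_user, section = False, None
    for raw in config.splitlines():
        text = raw.strip()
        if m := re.match(r"aaa authentication login (\S+)\s+(.+)", text):
            method_lists[m.group(1)] = m.group(2).split()
        elif re.match(r"username \S+ ", text):
            has_user = True
        elif re.match(r"line (vty|con|aux)\b", text):
            section = text
            applied[section] = "default"  # used unless a list is applied explicitly
        elif (m := re.match(r"login authentication (\S+)", text)) and section:
            applied[section] = m.group(1)
    findings = []
    for section, name in applied.items():
        methods = method_lists.get(name)
        if methods is None:
            findings.append(f"{section}: method list '{name}' is not defined")
        elif not {"local", "local-case"} & set(methods):
            findings.append(f"{section}: list '{name}' has no local fallback")
        elif not has_user:
            findings.append(f"{section}: list '{name}' names local but no username exists")
    return findings

# Constructed samples: first follows the thread's config, second is hypothetical.
THREAD_CONFIG = """\
username admin privilege 15 password <placeholder>
aaa new-model
aaa authentication login VTY-access group tacacs+ local
line vty 0 15
 login authentication VTY-access
line con 0
 login authentication VTY-access
"""
NO_FALLBACK_CONFIG = """\
aaa new-model
aaa authentication login VTY-access group tacacs+
line vty 0 4
 login authentication VTY-access
line con 0
 exec-timeout 15 0
"""
for cfg in (THREAD_CONFIG, NO_FALLBACK_CONFIG):
    print(audit_login_fallback(cfg) or "no findings")
```

The configuration from the opening post produces no findings, so this check rules out a missing `local` keyword or a missing local user, but not reachability or server-side causes.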

Richard Burts Tue, 08/05/2008 - 08:12

Blaise


You describe that the fallback does not work when using telnet and ssh. Does it work on the console?


You describe in general that fall back does not work. Can you give us a bit more specifics about how it is not working? When you attempt access are you getting a prompt for ID and password? If you enter ID and password are you sure that it is the correct password? If you enter an ID and password can you tell us exactly what error message you get?


If we know these things we may be closer to finding your problem.


HTH


Rick

b.bersier Fri, 10/17/2008 - 04:36

Hi Rick,

Sorry I was away for a long time.

The tests will restart soon.

I will give feedback soon.

Cheers

Blaise
