AAA Authentication Issue

shawkatalvi
Level 1

Hi Guys,

I have this config for AAA:

enable secret 5 $ $xxxxxxxxxxxxxxx
enable password 7 xxxxxxxxxxxxxxxx
!
username admin password 7 xxxxxxxxxxxxxx
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication login console line
aaa authentication enable default group tacacs+ enable
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting commands 15 default stop-only group tacacs+
!
aaa session-id common
line con 0
 privilege level 15
 password 7 xxxxxxxxxxxxxxxxxxxxxx
 login authentication console
line vty 0 4
 exec-timeout 120 0
 password 7 xxxxxxxxxxxxxxxxxxxxxxxx

Problem is, when the router loses its connection to the TACACS+ server, it can't authenticate the user with local authentication. As a backup I would like to be able to authenticate to the router should the TACACS+ server be unreachable.

Thanks.

4 Replies

Giuseppe Larosa
Hall of Fame

Hello Shawkat,

To have local username/password fallback you should use

aaa authentication login default group tacacs+ local

Hope to help

Giuseppe

Hi Giuseppe,

Thanks for your quick reply. If I use the following config:

aaa new-model
aaa authentication login REMOTE group tacacs+ local-case
aaa authentication login default group tacacs+ local
!
aaa authentication fail-message #
Local authentication failed.
#
aaa authentication password-prompt "Enter local password:"
aaa authentication username-prompt "Enter local username:"
!
username a secret b
!
line con 0
 login authentication REMOTE
line vty 0 4
 login authentication REMOTE

Would I be able to access the router with privilege level 15 and if the TACACS+ server fails, it would allow me to authenticate locally?

Hello Shawkat,

You will be able to log in with a local account only when the TACACS+ server is unreachable.

When TACACS+ is reachable you need to use an account defined on it.

See the list

aaa authentication login default group tacacs+ local

as an ordered list of methods, where the second method is used only if the first one doesn't give a timely answer.

If you perform lab tests you will see that as soon as the server is reachable again, the local account cannot perform commands on the device.

Hope to help

Giuseppe

Thanks Giuseppe for your feedback.

I used this config:

username admin privilege 15 secret xxxxxxxxxxxx
aaa new-model
aaa authentication login REMOTE group tacacs+ local-case
aaa authentication login default group tacacs+ local-case
!
line con 0
 login authentication REMOTE
line vty 0 4
 login authentication REMOTE

When TACACS+ was unreachable I could log in to the router via the console, but via line vty 0 4 it only let me in to read-only mode (privilege level 1). As soon as I typed "en" it said "error in authentication". I expected line vty to work the same way console 0 did. Any ideas?
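As an added example (not from the thread, Cisco, or any poster), a small Python audit that applies Giuseppe's point about ordered method lists to the kind of config shown above: it parses IOS-style `aaa authentication login|enable` lines, flags any list whose methods all depend on an AAA server answering, flags a line that references a login list that is never defined, and flags a missing `aaa authentication enable default` list (IOS then checks only the enable password, which matters for the vty "en" step). The sample config is constructed for the example and the list name NOLIST is invented.

```python
import re
# Constructed sample (not the thread's verbatim text): one login list with a
# local fallback, one without, no enable list, and a vty line pointing at a list that is never defined.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login REMOTE group tacacs+ local-case
aaa authentication login default group tacacs+
line con 0
 login authentication REMOTE
line vty 0 4
 login authentication NOLIST
"""

# Methods that still answer when no AAA server does.
NON_SERVER_METHODS = {"local", "local-case", "enable", "line", "none"}

def parse_methods(tokens):
    """Turn ['group', 'tacacs+', 'local-case'] into ['group tacacs+', 'local-case']."""
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append(f"group {tokens[i + 1]}")
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods

def audit_aaa(config):
    """Return findings for method lists that fail closed when every AAA server is down."""
    lists, findings, line = {}, [], None
    for raw in config.splitlines():
        s = raw.strip()
        m = re.match(r"^aaa authentication (login|enable) (\S+) (.+)$", s)
        if m:
            kind, name = m.group(1), m.group(2)
            methods = parse_methods(m.group(3).split())
            lists[(kind, name)] = methods
            if not any(meth in NON_SERVER_METHODS for meth in methods):
                findings.append(f"{kind} list '{name}' has no fallback when servers are unreachable: {methods}")
        elif s.startswith("line "):
            line = s
        elif s.startswith("login authentication ") and line:
            name = s.split()[2]
            if ("login", name) not in lists:
                findings.append(f"'{line}' references undefined login list '{name}'")
    if ("enable", "default") not in lists:
        # IOS default: with no enable method list, only the enable password is checked.
        findings.append("no 'aaa authentication enable default' list: only the enable password is checked")
    return findings
```

Run `audit_aaa(SAMPLE_CONFIG)` to get three findings; a config with `group tacacs+ local` for login and `group tacacs+ enable` for enable produces none.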
