05-03-2009 08:20 PM - edited 03-04-2019 04:37 AM
Hi Guys,
I have config for AAA:
enable secret 5 $ $xxxxxxxxxxxxxxx
enable password 7 xxxxxxxxxxxxxxxx
!
username admin password 7 xxxxxxxxxxxxxx
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication login console line
aaa authentication enable default group tacacs+ enable
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting commands 15 default stop-only group tacacs+
!
aaa session-id common
line con 0
privilege level 15
password 7 xxxxxxxxxxxxxxxxxxxxxx
login authentication console
line vty 0 4
exec-timeout 120 0
password 7 xxxxxxxxxxxxxxxxxxxxxxxx
The problem is that when the router loses its connection to the TACACS+ server, it can't authenticate users with local authentication. As a backup I would like to be able to get authenticated into the router should the TACACS+ server be unreachable.
Thanks.
05-03-2009 09:16 PM
Hello Shawkat,
To have local username/password fallback you should use
aaa authentication login default group tacacs+ local
Hope to help
Giuseppe
05-03-2009 09:45 PM
Hi Giuseppe,
Thanks for your quick reply. If I use the following config:
aaa new-model
aaa authentication login REMOTE group tacacs+ local-case
aaa authentication login default group tacacs+ local
!
aaa authentication fail-message #
Local authentication failed.
#
aaa authentication password-prompt "Enter local password:"
aaa authentication username-prompt "Enter local username:"
!
username a secret b
!
line con 0
login authentication REMOTE
line vty 0 4
login authentication REMOTE
Would I be able to access the router with privilege level 15 and if the TACACS+ server fails, it would allow me to authenticate locally?
05-03-2009 10:42 PM
Hello Shawkat,
You will be able to log in with the local account only when TACACS+ is unreachable.
When TACACS+ is reachable you need to use an account defined on it.
See the list
aaa authentication login default group tacacs+ local
as an ordered list of methods, where the second method is used only if the first one doesn't get a timely answer.
If you perform lab tests you will see that as soon as the server is reachable again, the local account cannot perform commands on the device.
Hope to help
Giuseppe
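The ordered method-list behaviour described above, applied to both login and enable, as an added example configuration that is not from any post in this thread (the server address 192.0.2.10, the key and the secrets are placeholders; the CONSOLE list name is my own choice):

```cisco
! Added example, not from any poster: complete fallback configuration.
! A method listed second is consulted only when the first returns an
! error (server unreachable); a wrong password on a reachable server
! fails outright and does not fall back to the local database.
!
! Local privilege-15 account used only while TACACS+ is unreachable
username admin privilege 15 secret <LOCAL-ADMIN-SECRET>
! An enable secret must exist for the "enable" fallback method below
enable secret <ENABLE-SECRET>
!
! Placeholder server address and shared key
tacacs-server host 192.0.2.10 key <TACACS-KEY>
!
aaa new-model
! Login: TACACS+ first, local database only if TACACS+ does not answer
aaa authentication login default group tacacs+ local
! Separate console list so the console is never locked out
aaa authentication login CONSOLE local
! Enable: TACACS+ first, then the enable secret if the server is unreachable
aaa authentication enable default group tacacs+ enable
! Exec authorization: the "local" method applies the username's
! privilege 15, so vty sessions land at level 15 during fallback
aaa authorization exec default group tacacs+ local
! Command authorization: if-authenticated permits an already
! authenticated user to run commands when the server cannot be asked
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting commands 15 default stop-only group tacacs+
!
line con 0
 login authentication CONSOLE
line vty 0 4
 exec-timeout 120 0
 login authentication default
```

Test the fallback in a lab by blocking reachability to the TACACS+ host, logging in on a vty with the local account, and confirming both the exec privilege level and that enable succeeds; then restore reachability and confirm the local account is refused again.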
05-06-2009 09:55 PM
Thanks Giustar for your feedback.
I used this config:
username admin privilege 15 secret xxxxxxxxxxxx
aaa new-model
aaa authentication login REMOTE group tacacs+ local-case
aaa authentication login default group tacacs+ local-case
!
line con 0
login authentication REMOTE
line vty 0 4
login authentication REMOTE
When TACACS+ was unreachable I could log in to the router via the console, but via line vty 0 4 it only let me in to read-only mode (privilege level 1). As soon as I typed "en" it said "error in authentication". I expected line vty to work the same way con 0 worked. Any ideas?