tacacs+ local logins

Unanswered Question
Jul 23rd, 2009

Can somebody point me to a config guide for setting up tacacs authentication with failover to local login if tacacs fails?

thanks...

bruce

Istvan_Rabai Thu, 07/23/2009 - 18:11

Hi Bruce,

The config may be similar to the following:

aaa new-model
aaa authentication login default group tacacs+ local
tacacs-server host 10.10.10.10
tacacs-server key YYYYYYYYY
username TESTUSER privilege x password ZZZZZZZZZ

This implements the failover scenario you requested.

If the communication with the tacacs-server fails, then the local user database will be used for authentication.

The "aaa authentication login default group tacacs+ local" command takes effect on all lines by default, including the console line.

If you want to implement this on select lines only, then you have to create a named authentication method:

aaa authentication login TEST group tacacs+ local
line vty 0 4
 login authentication TEST

In this case the authentication method will take effect on the vty lines 0 to 4 only.

Cheers:

Istvan
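
An added example, not part of the reply above and not Cisco tooling: a small Python audit that reads an IOS-style config, extracts the login method lists and the lines they bind to, and reports a list with no fallback method, a "local" fallback with no local username, and lines that point at an undefined list. The sample config is constructed from the reply's named-list variant plus a console line; the privilege level, the function name audit and the finding texts are assumptions of this example.

```python
import re

# Constructed sample: the named-list variant from the reply above plus a
# console line; the privilege level and all secrets are placeholders.
SAMPLE = """\
aaa new-model
aaa authentication login TEST group tacacs+ local
tacacs-server host 10.10.10.10
tacacs-server key YYYYYYYYY
username TESTUSER privilege 15 password ZZZZZZZZZ
line con 0
line vty 0 4
 login authentication TEST
"""

def audit(config):
    """Parse login method lists and line bindings; return them with findings."""
    lists, bindings, findings = {}, {}, []
    aaa_on = local_user = False
    line = None                      # line block currently being parsed
    for raw in config.splitlines():
        text = raw.strip()
        if not text:
            continue
        if not raw[0].isspace():
            line = None              # an unindented command ends the line block
        if text == "aaa new-model":
            aaa_on = True
        elif m := re.match(r"aaa authentication login (\S+) (.+)", text):
            lists[m.group(1)] = m.group(2).replace("group ", "").split()
        elif text.startswith("username "):
            local_user = True
        elif text.startswith("line "):
            line = text[5:]
            bindings[line] = "default"   # lines use the default list unless bound
        elif line and (m := re.match(r"login authentication (\S+)", text)):
            bindings[line] = m.group(1)
    if not aaa_on:
        findings.append("aaa new-model is missing")
    for name, methods in lists.items():
        if len(methods) == 1 and methods[0] != "local":
            findings.append(f"list {name}: {methods[0]} only, no fallback method")
        if "local" in methods and not local_user:
            findings.append(f"list {name}: falls back to local but no username exists")
    for ln, name in bindings.items():
        if name not in lists:
            findings.append(f"line {ln}: method list {name} is not defined")
    return {"lists": lists, "bindings": bindings, "findings": findings}

if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(key, value)
```

On the sample, the vty lines bind to TEST while the console still points at the default list, which this config never defines.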

Bruce Summers Fri, 07/24/2009 - 03:04

Thanks Istvan

Appreciate the information... I was hoping to read a bit about the configuration... I'll test this config you provided in my test bed...

Thanks again.
