07-23-2009 05:38 PM - edited 03-06-2019 06:55 AM
Can somebody point me to a config guide for setting up TACACS authentication with failover to local login if TACACS fails?
Thanks...
Bruce
07-23-2009 06:11 PM
Hi Bruce,
The config may be similar to the following:
aaa new-model
aaa authentication login default group tacacs+ local
tacacs-server host 10.10.10.10
tacacs-server key YYYYYYYYY
username TESTUSER privilege x password ZZZZZZZZZ
This implements the failover scenario you requested.
If the communication with the tacacs-server fails then the local user database will be used for authentication.
The "aaa authentication login default group tacacs+ local" command takes effect on all lines by default, including the console line.
If you want to implement this on select lines only, then you have to create a named authentication method:
aaa authentication login TEST group tacacs+ local
line vty 0 4
login authentication TEST
In this case the authentication method will take effect on the vty lines 0 to 4 only.
Cheers,
Istvan
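The following is an added example, not part of the original posts: a small Python check that reads an IOS-style config and flags lines whose login method list relies on TACACS+ without the "local" fallback described above, lines that reference an undefined list, and a local fallback with no local username to fall back to. The function names (audit, has_local_fallback) and the sample config are constructed for illustration, and the parser only understands the few commands shown in this thread.

```python
import re

# Constructed sample, modelled on the commands in the answer above.
SAMPLE = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login TEST group tacacs+
line con 0
line vty 0 4
 login authentication TEST
line vty 5 15
 login authentication MISSING
"""

def has_local_fallback(methods):
    """True if 'local' is listed somewhere after 'group tacacs+'."""
    if "tacacs+" not in methods:
        return True  # list does not depend on TACACS+ at all
    return "local" in methods[methods.index("tacacs+") + 1:]

def audit(config):
    """Return findings about TACACS+ login fallback in an IOS-style config."""
    lists, line_list, current, has_user = {}, {}, None, False
    for raw in config.splitlines():
        text = raw.strip()
        if m := re.match(r"aaa authentication login (\S+) (.+)", text):
            lists[m.group(1)] = m.group(2).split()
        elif text.startswith("username "):
            has_user = True
        elif raw.startswith("line "):
            current = text
            line_list[current] = "default"  # lines use the default list unless told otherwise
        elif current and raw[:1].isspace():
            if m := re.match(r"login authentication (\S+)", text):
                line_list[current] = m.group(1)
        else:
            current = None
    findings = []
    for line, name in line_list.items():
        if name not in lists and name != "default":
            findings.append(f"{line}: method list {name} is not defined")
        elif name in lists and not has_local_fallback(lists[name]):
            findings.append(f"{line}: list {name} has no local fallback after tacacs+")
    if not has_user and any("local" in m for m in lists.values()):
        findings.append("local fallback configured but no username defined")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Running it against the constructed sample reports the vty 0 4 list without a fallback, the undefined list on vty 5 15, and the missing local user; a config shaped like the one in the answer above produces no findings.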
07-24-2009 03:04 AM
Thanks, Istvan.
Appreciate the information... I was hoping to read a bit about the configuration... I'll test this config you provided in my test bed...
Thanks again.
07-24-2009 03:14 AM
Basic TACACS+ Configuration Example
http://www.cisco.com/en/US/tech/tk59/technologies_configuration_example09186a0080093c7c.shtml
Hope this helps.