AAA confusion - local username access

geotech333
Level 1

Hey all,

I am a little confused.

I have the following commands on my device:

username blah privilege 15 secret 5 blah!@#$%%

aaa new-model

aaa authentication login default group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa authorization config-commands

aaa authorization commands 0 default group tacacs+

aaa authorization commands 15 default group tacacs+ local

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 0 default stop-only group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting connection default start-stop group tacacs+

Everything works fine.

However, when I bring down the TACACS server, I am able to log in to the device with the local username, but it fails when I enter the enable command. How can I have access in case of an emergency when TACACS fails? I have researched online and have tried multiple commands. Is there anything I am missing? I do have an enable secret password configured as well, but I don't even get a chance to enter it. When entering "en" at the > prompt:

% Authentication failed.

Thanks in advance for your help.

My testing has led to frustration.

:)

1 Accepted Solution

Jagdeep Gambhir
Level 10

Hi Geo,

First, please give the fallback method for command 0.

aaa authorization commands 0 default group tacacs+

Add local:

aaa authorization commands 0 default group tacacs+ local

Make sure you are putting in the right enable password; try to reset it and give it a shot.

If the issue is there, then get the output of debug tacacs and debug aaa authentication.

Regards,

~JG

Do rate helpful posts

4 Replies

Thanks JG.

I completely overlooked that.

Thanks for pointing out.

I will give it a try and post results!

Also, please make sure that in ACS, the enable privilege for that user is set to 15.

Let me know how that goes.

Regards,

~JG

Do rate helpful posts

That did the trick!

:)

Thanks for your help.

All is working as it should be.
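
Added example, not part of the original thread and not Cisco code: a small Python check that reads the authentication and authorization method lists from a saved configuration and reports any list that names only server groups, as the commands 0 line in the question did. The sample configuration is constructed from the lines posted above, and the function names are hypothetical.

```python
import re

# Constructed sample: the AAA method lists quoted in the question above.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
"""

# aaa {authentication|authorization} <service> [<level>] <list-name> <methods...>
METHOD_LIST = re.compile(
    r"^aaa (authentication|authorization) (\S+)(?: (\d+))? (\S+) (.+)$")


def split_methods(text):
    """Turn 'group tacacs+ local' into ['group tacacs+', 'local']."""
    tokens = text.split()
    methods, i = [], 0
    while i < len(tokens):
        step = 2 if tokens[i] == "group" else 1  # 'group <name>' is one method
        methods.append(" ".join(tokens[i:i + step]))
        i += step
    return methods


def lists_without_fallback(config):
    """Return method lists whose every method is a remote server group."""
    findings = []
    for raw in config.splitlines():
        match = METHOD_LIST.match(raw.strip())
        if not match:
            continue  # accounting, 'aaa new-model', 'config-commands', etc.
        kind, service, level, name, methods = match.groups()
        parsed = split_methods(methods)
        if all(m.startswith("group ") for m in parsed):
            scope = service + (" " + level if level else "")
            findings.append((kind, scope, name, parsed))
    return findings


if __name__ == "__main__":
    for kind, scope, name, methods in lists_without_fallback(SAMPLE_CONFIG):
        print(f"no fallback: aaa {kind} {scope} {name} -> {methods}")
```

Run against the configuration as posted, it reports only the commands 0 list; with local appended to that line, as in the accepted solution, it reports nothing.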
