How to bypass centralized TACACS authentication & use the local user DB for a particular user alone in IOS/XR

narainarun
Level 1

Hi All,

I have a requirement. The devices are configured with a centralized TACACS server for AAA. For all users, authentication, authorization and accounting are done by Cisco ISE. But for one particular user, we would like to use the local username and password created on the devices for authentication and authorization (priv 15 access required) and not have it sent to ISE TACACS. What is the procedure for doing this?

thanks in advance,

Arun

3 Replies

Richard Burts
Hall of Fame

Arun

I do not believe that there is a really good solution that achieves your requirement that, for a single user, authentication would be done using the locally configured user ID while all others authenticate via TACACS. There are a couple of possibilities that come close, but each has some disadvantage in its implementation.

- depending on how many user IDs are configured, you might just configure aaa authentication to use local as the first alternative and TACACS as the backup. In doing this, any user who attempts to log in and is not in the local config will be sent to TACACS for authentication. But any user who is in the local config will authenticate with the local ID, which does not follow your requirement that only a single user will authenticate locally.

- if you could ensure that this user would always connect on a particular vty, you could configure that vty with a different aaa authentication that specifies local authentication while the other vtys specify TACACS. The weakness here is how to be sure that the particular user gets that vty and how to prevent other users from getting that vty.

- I wonder if there is something you could do with an EEM applet that checks user login requests and does something for that particular user to authenticate locally. But that would be complex to accomplish, and I am not even sure that it would work.

HTH

Rick

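The two configuration-only options above, written out as an added IOS example (this is not configuration posted in the thread, and it has not been applied to the poster's devices). Everything below is an assumption for illustration: the server name ISE-1, its address 192.0.2.10, the local account breakglass, the management host 192.0.2.50, the method-list name LOCAL-ONLY, and SSH port 2222 on rotary group 1. The rotary group and access-class are added here to narrow the "how do I make sure the right user lands on that vty" weakness Rick points out; they do not remove it, since anyone who reaches that vty from the permitted host is authenticated against the local database. Classic IOS syntax is shown; IOS XR uses different commands for the same idea.

```cisco
! ---- Common AAA plumbing (assumed values) ----
aaa new-model
tacacs server ISE-1
 address ipv4 192.0.2.10
 key REPLACE-WITH-SHARED-SECRET
aaa group server tacacs+ ISE
 server name ISE-1
!
! The one account that must authenticate locally, priv 15 as the question requires.
! Use "secret" (hashed), never "password" (type 7 is reversible).
username breakglass privilege 15 secret REPLACE-WITH-STRONG-PASSWORD
!
! ---- Option 2 (per-vty method list): TACACS+ stays the default ----
! Default: ISE first; local only if ISE is unreachable (group returns an error).
aaa authentication login default group ISE local
aaa authorization exec default group ISE local
aaa accounting exec default start-stop group ISE
aaa accounting commands 15 default start-stop group ISE
!
! A named list that never consults ISE.
aaa authentication login LOCAL-ONLY local
aaa authorization exec LOCAL-ONLY local
!
! Only the management host may reach the dedicated vty (assumed address).
ip access-list standard MGMT-HOST
 permit host 192.0.2.50
!
! Steer a second SSH port at the dedicated vty so the breakglass user does not
! depend on which vty happens to be free (assumed port/rotary group).
ip ssh port 2222 rotary 1
!
line vty 0 3
 login authentication default
 authorization exec default
 transport input ssh
line vty 4
 access-class MGMT-HOST in
 rotary 1
 login authentication LOCAL-ONLY
 authorization exec LOCAL-ONLY
 transport input ssh
!
! ---- Option 1 (local first for everyone) ----
! Alternative to the two "default" lines above; do not combine with them.
! aaa authentication login default local group ISE
! aaa authorization exec default local group ISE
```

Two checks worth making on the lab device before trusting either option. For Option 1, the fall-through from local to the TACACS group happens when the username is absent from the local database; a wrong password for a locally defined user is a failure, not an error, and is not retried against ISE, so every local account on the box is exactly as exposed as Rick describes. For Option 2, verify with `show users` that a session to port 2222 from 192.0.2.50 lands on vty 4 and that a normal port-22 session from any other host never does; accounting is left on the default list on purpose, so even the local session still produces exec and command records at ISE.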

Hi Rick,

Thanks for your reply. I think option 1 comes close but provides access to other locally configured users.

thanks,
Arun

Arun

Yes it does. I do not believe that there is any solution that provides a clean effective way to achieve your requirement. I believe that the best you can do is something that comes close but will have some disadvantage.

HTH

Rick
