Tacacs+ / secondary authentication method problem

Apr 19th, 2004

I must be missing something here. I would like to have my routers use tacacs+ for authentication, and if all tacacs+ servers are unreachable have the admin able to get in with the enable password. I have the following aaa setup:

aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication login vtyauth group tacacs+ enable
aaa authentication enable default enable
aaa authorization exec default group tacacs+
tacacs-server host 1.1.1.1
tacacs-server host 2.2.2.2
tacacs-server key [key]

Under vty config:

login authentication vtyauth


The tacacs+ works fine, but if I take out the IPs of the two auth servers the routers/switches don't let anyone authenticate at all. The box is a 3550 running c3550-i5q3l2-mz.121-14.EA1a.

gfullage (Cisco Employee) Mon, 04/19/2004 - 18:27

It's probably your authorization method: you haven't defined a backup for that, so if TACACS is unavailable it'll fail.


Try the following:


aaa authorization exec default group tacacs+ none


to tell the router not to do authorization if TACACS is unavailable (you can't really do it locally), and see how you go.

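To make the difference between the two method lists concrete, here is a small Python model of how IOS walks an AAA method list; it is an added example, not part of the thread or of IOS itself. It assumes (as I understand IOS behaviour, not something the thread states) that the next method is consulted only when the previous one returns ERROR (no server answered), while a FAIL (server reached, request rejected) ends the list with a denial.

```python
"""Model of IOS AAA method-list evaluation (added example, not from the thread).

Assumption: IOS tries methods in order and falls through to the next one only
on ERROR (no reachable server); a FAIL (server answered, rejected) is final.
"""
from enum import Enum


class Result(Enum):
    PASS = "pass"
    FAIL = "fail"    # server answered and rejected the request
    ERROR = "error"  # method could not produce an answer (servers unreachable)


def run_method_list(methods, tacacs_reachable, tacacs_decision=Result.PASS):
    """Evaluate a method list such as ['group tacacs+', 'enable']."""
    for method in methods:
        if method == "group tacacs+":
            result = tacacs_decision if tacacs_reachable else Result.ERROR
        elif method == "enable":
            result = Result.PASS  # the admin knows the enable password here
        elif method == "none":
            result = Result.PASS  # skip this AAA step entirely
        else:
            raise ValueError(f"unknown method {method!r}")
        if result is not Result.ERROR:
            return result         # PASS or FAIL terminates the list
    return Result.FAIL            # every method errored: access is denied


def exec_session(authn_methods, authz_methods, tacacs_reachable,
                 tacacs_decision=Result.PASS):
    """A VTY exec session needs login authentication AND exec authorization."""
    if run_method_list(authn_methods, tacacs_reachable, tacacs_decision) is not Result.PASS:
        return "denied at authentication"
    if run_method_list(authz_methods, tacacs_reachable, tacacs_decision) is not Result.PASS:
        return "denied at exec authorization"
    return "exec shell granted"


# Method lists taken from the poster's config and from gfullage's fix.
VTYAUTH = ["group tacacs+", "enable"]        # login authentication vtyauth
ORIGINAL_AUTHZ = ["group tacacs+"]           # aaa authorization exec default ...
FIXED_AUTHZ = ["group tacacs+", "none"]      # ... group tacacs+ none

if __name__ == "__main__":
    print(exec_session(VTYAUTH, ORIGINAL_AUTHZ, tacacs_reachable=False))
    print(exec_session(VTYAUTH, FIXED_AUTHZ, tacacs_reachable=False))
    print(exec_session(VTYAUTH, FIXED_AUTHZ, tacacs_reachable=True, tacacs_decision=Result.FAIL))
```

Note that `none` only comes into play when TACACS+ is unreachable: a user the server actually rejects still fails at the authentication step, so the fallback does not weaken normal operation.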
ktokash Tue, 04/20/2004 - 11:41

Yes, that did the trick. Thanks a bunch.
