04-19-2004 03:49 PM - edited 03-10-2019 07:45 AM
I must be missing something here. I would like to have my routers use tacacs+ for authentication, and if all tacacs+ servers are unreachable have the admin able to get in with the enable password. I have the following aaa setup:
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication login vtyauth group tacacs+ enable
aaa authentication enable default enable
aaa authorization exec default group tacacs+
tacacs-server host 1.1.1.1
tacacs-server host 2.2.2.2
tacacs-server key [key]
Under vty config:
login authentication vtyauth
The tacacs+ works fine, but if I take out the IPs of the two auth servers, the routers/switches don't let anyone authenticate at all. The box is a 3550 running c3550-i5q3l2-mz.121-14.EA1a.
04-19-2004 06:27 PM
It's probably your authorization method: you haven't defined a backup for that, so if TACACS is unavailable it'll fail.
Try the following:
aaa authorization exec default group tacacs+ none
to tell the router not to do authorization if TACACS is unavailable (you can't really do it locally), and see how you go.
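The behaviour behind this answer is that an IOS method list only moves to the next method on an ERROR (every server in the group unreachable), not on a FAIL (the server rejected the user), and that authentication and exec authorization are evaluated as two separate lists. The following Python model is added here to illustrate that; it is not Cisco code and not part of the thread, and the enable secret, usernames and passwords in it are constructed sample values.

```python
"""Model of IOS AAA method-list fallback (illustration only, not Cisco code).

A method list is tried in order. Each method returns PASS, FAIL or ERROR.
Only ERROR (e.g. all TACACS+ servers unreachable) falls through to the next
method; FAIL ends the list with a denial. An exhausted list is also a denial.
"""
from dataclasses import dataclass, field

ENABLE_SECRET = "s3cret"  # constructed sample value


@dataclass
class TacacsGroup:
    """Stand-in for 'group tacacs+': reachability plus a tiny user database."""
    reachable: bool
    users: dict = field(default_factory=dict)      # username -> password (constructed)
    privileged: set = field(default_factory=set)   # users allowed an exec shell


def _run_method(method, request, tacacs):
    kind = request["type"]  # "login" or "exec-authz"
    if method == "group tacacs+":
        if not tacacs.reachable:
            return "ERROR"  # servers down -> next method may be tried
        user = request["user"]
        if kind == "login":
            return "PASS" if tacacs.users.get(user) == request["password"] else "FAIL"
        return "PASS" if user in tacacs.privileged else "FAIL"
    if method == "enable" and kind == "login":
        # 'enable' ignores the username and checks the enable secret only
        return "PASS" if request["password"] == ENABLE_SECRET else "FAIL"
    if method == "none":
        return "PASS"  # no check at all
    raise ValueError(f"method {method!r} not valid for {kind}")


def run_method_list(methods, request, tacacs):
    """Return (verdict, method_that_decided); ERROR/None if the list ran out."""
    for method in methods:
        result = _run_method(method, request, tacacs)
        if result in ("PASS", "FAIL"):
            return result, method
    return "ERROR", None


def session_allowed(login_methods, authz_methods, user, password, tacacs):
    """Emulate a VTY login: authentication first, then exec authorization."""
    auth, _ = run_method_list(
        login_methods, {"type": "login", "user": user, "password": password}, tacacs)
    if auth != "PASS":
        return False
    authz, _ = run_method_list(
        authz_methods, {"type": "exec-authz", "user": user}, tacacs)
    return authz == "PASS"


# Method lists from the thread: the original authorization list and the fixed one.
LOGIN = ["group tacacs+", "enable"]
AUTHZ_ORIGINAL = ["group tacacs+"]
AUTHZ_FIXED = ["group tacacs+", "none"]

if __name__ == "__main__":
    up = TacacsGroup(True, {"admin": "tacpw"}, {"admin"})
    down = TacacsGroup(False)
    print("servers up, TACACS creds:", session_allowed(LOGIN, AUTHZ_ORIGINAL, "admin", "tacpw", up))
    print("servers down, original authz:", session_allowed(LOGIN, AUTHZ_ORIGINAL, "admin", ENABLE_SECRET, down))
    print("servers down, fixed authz:", session_allowed(LOGIN, AUTHZ_FIXED, "admin", ENABLE_SECRET, down))
```

Note that while the servers are reachable, a wrong password is a FAIL from TACACS+, so the list never reaches `enable`; the enable secret only becomes a way in when the group returns ERROR. That is why the fallback is safe to keep, and why `none` on the authorization list only takes effect in the same outage case.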
04-20-2004 11:41 AM
Yes, that did the trick. Thanks a bunch