Tacacs+ / secondary authentication method problem

ktokash
Level 1

I must be missing something here. I would like to have my routers use tacacs+ for authentication, and if all tacacs+ servers are unreachable have the admin able to get in with the enable password. I have the following aaa setup:

! enable AAA method lists
aaa new-model
! login authentication: TACACS+ first, then the enable password
aaa authentication login default group tacacs+ enable
aaa authentication login vtyauth group tacacs+ enable
! enable-mode authentication: enable password only
aaa authentication enable default enable
! EXEC (shell) authorization: TACACS+ only
aaa authorization exec default group tacacs+
! TACACS+ servers and shared key
tacacs-server host 1.1.1.1
tacacs-server host 2.2.2.2
tacacs-server key [key]

Under vty config:

login authentication vtyauth

The tacacs+ works fine, but if I take out the IPs of the two auth servers the routers/switches don't let anyone authenticate at all. The box is a 3550 running c3550-i5q3l2-mz.121-14.EA1a.

2 Replies

gfullage
Cisco Employee

It's probably your authorization method, you haven't defined a backup for that so if TACACS is unavailable it'll fail.

Try the following:

aaa authorization exec default group tacacs+ none

to tell the router not to do authorization if TACACS is unavailable (you can't really do it locally), and see how you go.

Yes, that did the trick. Thanks a bunch.
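The full configuration implied by the answer above, written out here as an added example (not the original poster's config and not Cisco-supplied text). Server addresses, the shared key, the enable secret and the vty range are placeholders; the `if-authenticated` alternative is shown commented out and is an assumption about what this image supports. The important point an IOS method list encodes: the next method is tried only when the previous one returns an ERROR (no TACACS+ server answered), never when it returns a FAIL (a server answered and rejected the user), so `none` is reached only when every TACACS+ host is unreachable.

```ios
! Constructed example; addresses, key and secret are placeholders.
aaa new-model
!
! Authentication: TACACS+ first. The 'enable' method is consulted only if
! every TACACS+ server is unreachable, not if a server rejects the login.
aaa authentication login default group tacacs+ enable
aaa authentication login vtyauth group tacacs+ enable
aaa authentication enable default enable
!
! Weak (the original setting): no fallback, so an EXEC authorization ERROR
! drops an already-authenticated admin when TACACS+ is down.
! aaa authorization exec default group tacacs+
!
! Corrected: skip EXEC authorization only when no TACACS+ server responds.
aaa authorization exec default group tacacs+ none
!
! Alternative (assumption: available on this train): instead of 'none', grant
! EXEC to any user that already passed login authentication.
! aaa authorization exec default group tacacs+ if-authenticated
!
! The fallback password should be a hashed enable secret, not a type-7
! 'enable password'. Placeholder value.
enable secret <strong-secret>
!
! TACACS+ servers and shared key (placeholders)
tacacs-server host 1.1.1.1
tacacs-server host 2.2.2.2
tacacs-server key <shared-key>
!
! Apply the vty list to the remote-access lines (range is an assumption).
line vty 0 4
 login authentication vtyauth
```

To confirm the behaviour before relying on it, block reachability to both TACACS+ hosts, log in from a second session while keeping the first one open, and watch `debug aaa authentication` and `debug aaa authorization`: the login should show the `enable` method succeeding and EXEC authorization should report the `none` method. Keep in mind that `none` is a deliberate fail-open for authorization: anyone who can make the TACACS+ servers unreachable and who knows the enable secret gets a shell with no per-command policy, so the enable secret must be strong and changed when admins leave, and the TACACS+ outage itself should be alarmed on.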
