Tacacs+ / secondary authentication method problem

Apr 19th, 2004

I must be missing something here. I would like to have my routers use tacacs+ for authentication, and if all tacacs+ servers are unreachable have the admin able to get in with the enable password. I have the following aaa setup:

aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication login vtyauth group tacacs+ enable
aaa authentication enable default enable
aaa authorization exec default group tacacs+
tacacs-server host
tacacs-server host
tacacs-server key [key]

Under vty config:

login authentication vtyauth

The tacacs+ works fine, but if I take out the IPs of the two auth servers the routers/switches don't let anyone authenticate at all. The box is a 3550 running c3550-i5q3l2-mz.121-14.EA1a.

gfullage (Cisco Employee) Mon, 04/19/2004 - 18:27

It's probably your authorization method: you haven't defined a backup for that, so if TACACS is unavailable it'll fail.

Try the following:

aaa authorization exec default group tacacs+ none

to tell the router not to do authorization if TACACS is unavailable (you can't really do it locally), and see how you go.
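Why the second fallback matters, as an added example that is not from this thread or from Cisco: a small Python model of how IOS walks a method list (the next method is consulted only when the current one cannot answer, not when it explicitly rejects), applied to the original and corrected exec authorization lists. The method names, the evaluator and the reachability flags are assumptions of the model, not IOS internals.

```python
from enum import Enum

class Result(Enum):
    PASS = "pass"    # method accepted the request
    FAIL = "fail"    # method explicitly rejected it (bad credentials): stop here
    ERROR = "error"  # method could not answer (servers unreachable): try the next one

def run_method_list(methods, evaluate):
    """Walk an IOS-style method list: the next method is consulted only on ERROR."""
    for method in methods:
        result = evaluate(method)
        if result is not Result.ERROR:
            return result
    return Result.ERROR  # every method errored; IOS treats this as a denial

def make_evaluator(tacacs_reachable, tacacs_accepts, enable_ok):
    """Constructed evaluator for the three methods used in the thread (assumption, not IOS code)."""
    def evaluate(method):
        if method == "group tacacs+":
            if not tacacs_reachable:
                return Result.ERROR
            return Result.PASS if tacacs_accepts else Result.FAIL
        if method == "enable":
            return Result.PASS if enable_ok else Result.FAIL
        if method == "none":
            return Result.PASS  # 'none': no check is performed at all
        raise ValueError(f"unknown method {method!r}")
    return evaluate

def can_get_exec(login_list, authz_list, tacacs_reachable, tacacs_accepts, enable_ok):
    """True only if login authentication and exec authorization both end in PASS."""
    evaluate = make_evaluator(tacacs_reachable, tacacs_accepts, enable_ok)
    if run_method_list(login_list, evaluate) is not Result.PASS:
        return False
    return run_method_list(authz_list, evaluate) is Result.PASS

# Method lists taken from the thread's configuration.
LOGIN_VTYAUTH = ["group tacacs+", "enable"]
AUTHZ_ORIGINAL = ["group tacacs+"]          # aaa authorization exec default group tacacs+
AUTHZ_FIXED = ["group tacacs+", "none"]     # aaa authorization exec default group tacacs+ none

if __name__ == "__main__":
    for name, authz in (("original", AUTHZ_ORIGINAL), ("fixed", AUTHZ_FIXED)):
        up = can_get_exec(LOGIN_VTYAUTH, authz, True, True, True)
        down = can_get_exec(LOGIN_VTYAUTH, authz, False, False, True)
        print(f"{name:8s} servers up: {up}  servers down (enable password): {down}")
```

With `none` appended, a session that reaches exec while the servers are down gets no authorization check at all, so the enable password is the only gate in that state; a TACACS+ reject while the servers are up still never falls through to the enable password.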

ktokash Tue, 04/20/2004 - 11:41

Yes, that did the trick. Thanks a bunch.
