Here is the config I have on a switch:
aaa authentication login default group tacacs+ local
aaa authentication login vtylogin group tacacs+ local
aaa authentication login conlogin group tacacs+ enable none
aaa authentication enable default tacacs+ enable
Now here are my issues:
1- When I log in from the console my login via TACACS+ works, but when I type "enable" and try to use my Active Directory password it does not work. Then I try the enable password, and it does not work either. However, if I change the 4th line to "aaa authentication enable default enable", I can proceed using the enable password.
2- My second issue is when I SSH into the switch, I only want it to use the tacacs server and only use local database when the tacacs is not available. However even when tacacs is available I am still able to log into it using the local user account. I am assuming that is by design? Is there a way to stop that if it is not by design?
1. in "User setup", check "Advanced TACACS+ Settings", there should be an option for where to check "enable" password.
2. System will use local database only if the configured TACACS+ server is not responding to authentication request. Run some debug to see if it is the case.
Thank you for the reply, I will check on the first setting. However, for the second part, the system is using the local database, and it is using it even if TACACS+ is available. I do not want the system to be able to use the local database if TACACS+ is available. So basically I can log in using the Active Directory account as well as the local database account.
It will only use local database if tacacs+ server is unavailable.
do a debug aaa authentication to be sure it isn't using tacacs+.
But it won't use your local database unless your tacacs+ server is unavailable, so I really don't see the problem.
If the router uses your local database to authenticate then there is a communication problem with your tacacs+ server, so it is using the next method listed in your command, which is the local database. As I said before, do a debug aaa authentication and you will see the router attempting to communicate with the tacacs+ server; only if that times out will it use an alternative method, if one is listed in the method list.
Ok, let me try to explain this again:
1- There is no communication problem as I can login using tacacs without any problems. If I remove the "local" keyword from the line and only leave tacacs+ it works and even if I leave "local" after tacacs+ it still works.
2- However at the same time I can also use the local account to login.
3- I have looked at the debug and tacacs authentication works fine.
Thank you, that was the issue. I still don't have access to the ACS yet since I'm new, so I asked one of my co-workers to check and, yup, the local account was defined in the ACS. After disabling it, it works now.
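The replies above describe the rule that explains both symptoms: IOS walks a method list left to right and only moves to the next method when the current one returns an ERROR (server not responding); a FAIL (server answered and rejected the credentials) ends the list. The resolution was that the "local" account also existed in the ACS, so those logins were in fact decided by TACACS+. The following Python model is an added example, not code from the thread or from Cisco, and all usernames, passwords and ACS contents in it are constructed sample data; the ACS behaviour is simplified (one login password and an optional enable password per user, no "Advanced TACACS+ Settings" modelled).

```python
# Toy model of Cisco IOS AAA method-list evaluation.  Added example for this
# thread, not code from the original posts or from Cisco.  All usernames,
# passwords and ACS contents are constructed sample data.
#
# Rule modelled: a method list is walked left to right, and IOS moves on to
# the next method only when the current one returns ERROR (no answer from the
# server).  PASS or FAIL from a method that did answer ends the evaluation.

from dataclasses import dataclass, field

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


@dataclass
class TacacsServer:
    """Simplified stand-in for the ACS (assumption: one login password and an
    optional enable password per user)."""
    users: dict                 # username -> login password defined in ACS
    enable_passwords: dict      # username -> enable password defined in ACS
    reachable: bool = True

    def login(self, user, password):
        if not self.reachable:
            return ERROR        # no response: IOS will try the next method
        return PASS if self.users.get(user) == password else FAIL

    def enable(self, user, password):
        if not self.reachable:
            return ERROR
        return PASS if self.enable_passwords.get(user) == password else FAIL


@dataclass
class Switch:
    local_users: dict           # "username X password Y" entries on the switch
    enable_secret: str          # "enable secret" on the switch
    tacacs: TacacsServer
    trace: list = field(default_factory=list)   # (method, result) per step

    def _run_method(self, method, service, user, password):
        if method == "group tacacs+":
            return getattr(self.tacacs, service)(user, password)
        if method == "local":
            return PASS if self.local_users.get(user) == password else FAIL
        if method == "enable":
            return PASS if password == self.enable_secret else FAIL
        if method == "none":
            return PASS
        raise ValueError(f"unknown method {method!r}")

    def authenticate(self, methods, service, user, password):
        """Evaluate a method list; return (result, method that decided)."""
        self.trace = []
        for method in methods:
            result = self._run_method(method, service, user, password)
            self.trace.append((method, result))
            if result != ERROR:     # PASS or FAIL ends the list
                return result, method
        return FAIL, None           # every method errored out


# Method lists as in the thread's config.
LOGIN_LIST = ["group tacacs+", "local"]          # "login default/vtylogin"
ENABLE_LIST = ["group tacacs+", "enable"]        # "enable default"


def make_lab(admin_defined_in_acs=True, acs_reachable=True):
    """Constructed lab: local user 'admin' on the switch, and (optionally) the
    same account also defined in the ACS, as the thread's resolution found."""
    acs_users = {"alice": "ad-pass"}
    if admin_defined_in_acs:
        acs_users["admin"] = "local-pass"
    acs = TacacsServer(users=acs_users, enable_passwords={}, reachable=acs_reachable)
    return Switch(local_users={"admin": "local-pass"},
                  enable_secret="en-secret", tacacs=acs)


if __name__ == "__main__":
    sw = make_lab()                        # issue 2: looks local, decided by ACS
    print(sw.authenticate(LOGIN_LIST, "login", "admin", "local-pass"), sw.trace)
    sw = make_lab(admin_defined_in_acs=False)   # ACS says FAIL, local never tried
    print(sw.authenticate(LOGIN_LIST, "login", "admin", "local-pass"), sw.trace)
    sw = make_lab(acs_reachable=False)     # local used only on ERROR
    print(sw.authenticate(LOGIN_LIST, "login", "admin", "local-pass"), sw.trace)
    sw = make_lab()                        # issue 1: ACS FAIL hides the enable secret
    print(sw.authenticate(ENABLE_LIST, "enable", "alice", "en-secret"), sw.trace)
    print(sw.authenticate(["enable"], "enable", "alice", "en-secret"), sw.trace)
```

Run it and compare the trace with "debug aaa authentication": as long as the ACS answers, the second method in the list is never reached, which is why dropping "local" from the login line changed nothing, and why the enable password only worked once "group tacacs+" was removed from the enable line.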
I am facing the same issue. I do not have the same user configured in TACACS+ as a local user, but I am still able to log in through TACACS+ as user1 as well as locally, at the same time, as user2.
What could be the issue? My ACS version is 4.2.