
AAA Authentication Question

Here is the config I have on a switch:

aaa authentication login default group tacacs+ local
aaa authentication login vtylogin group tacacs+ local
aaa authentication login conlogin group tacacs+ enable none
aaa authentication enable default tacacs+ enable

Now here are my issues:

1- When I log in from the console, my login via TACACS works, but when I type "enable" and try to use my Active Directory password it does not work. Then I try the enable password, and it does not work either. However, if I change the 4th line to "aaa authentication enable default enable", I can proceed using the enable password.

2- My second issue is when I SSH into the switch: I only want it to use the TACACS server and only use the local database when TACACS is not available. However, even when TACACS is available I am still able to log in using the local user account. I am assuming that is by design? Is there a way to stop that if it is not by design?

Accepted Solution

Re: AAA Authentication Question

When you use the local user account to log in to the device, can you check if you can see the log entry "passed authentication attempt" on the ACS box? If yes, could you please check your ACS local user DB to see if the same account was created by mistake?

10 REPLIES

Re: AAA Authentication Question

1. in "User setup", check "Advanced TACACS+ Settings", there should be an option for where to check "enable" password.

2. System will use local database only if the configured TACACS+ server is not responding to authentication request. Run some debug to see if it is the case.

Re: AAA Authentication Question

Thank you for the reply, I will check on the first setting. However, for the second part, the system is using the local database, but it is using it even if TACACS is available. I do not want the system to be able to use the local database if TACACS is available. So basically I can log in using the Active Directory account as well as the local database.

Re: AAA Authentication Question

It will only use local database if tacacs+ server is unavailable.

do a debug aaa authentication to be sure it isn't using tacacs+.

Don't forget to rate helpful posts.

Re: AAA Authentication Question

I know that but I do not want it to use the local database if tacacs is available.

Re: AAA Authentication Question

But it won't use your local database unless your tacacs+ server is unavailable, so I really don't see the problem.

If the router uses your local database to authenticate, then there is a communication problem with your tacacs+ server, so it is using the next method listed in your command, which is the local database. As I said before, do a debug aaa authentication and you will see the router attempting to communicate with the tacacs+ server, and only if that times out will it use an alternative method, if one is listed in the method list.

Don't forget to rate helpful posts.

Re: AAA Authentication Question

Ok, let me try to explain this again:

1- There is no communication problem, as I can log in using TACACS without any problems. If I remove the "local" keyword from the line and only leave tacacs+, it works, and even if I leave "local" after tacacs+ it still works.

2- However, at the same time I can also use the local account to log in.

3- I have looked at the debug, and TACACS authentication works fine.

Re: AAA Authentication Question

Thank you, that was the issue. I still don't have access to the ACS yet since I'm new, so I asked one of my co-workers to check, and yup, the local account was defined in the ACS; after disabling it, it works now.
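To make the rule discussed in this thread concrete, here is a small model of IOS method-list evaluation. It is an added example, constructed for this page, not Cisco code and not posted by anyone in the thread; the user names, passwords and the two ACS databases are made-up sample data. It shows why "local" is only consulted when TACACS+ returns an error (server unreachable), never when a reachable server says FAIL, and why an account that also exists on ACS looks like a local fallback when it is really a TACACS+ PASS.

```python
"""Toy model of IOS AAA method-list evaluation (constructed, not Cisco code).

Methods are tried left to right; the next one is consulted only when the
current method returns ERROR (server unreachable). A reachable TACACS+
server's PASS or FAIL ends evaluation, so 'local' is never a second chance.
"""

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

# Constructed sample databases. In the thread, the local account had also
# been defined on ACS, so TACACS+ itself returned PASS for it.
LOCAL_USERS = {"user2": "local-pass"}
ACS_MISCONFIGURED = {"alice": "ad-pass", "user2": "local-pass"}
ACS_FIXED = {"alice": "ad-pass"}


def tacacs_method(user, pwd, acs_users, server_up):
    """'group tacacs+': ERROR if unreachable, otherwise the server's verdict."""
    if not server_up:
        return ERROR
    return PASS if acs_users.get(user) == pwd else FAIL


def local_method(user, pwd, local_users):
    """'local': the switch's own username database; never returns ERROR."""
    return PASS if local_users.get(user) == pwd else FAIL


def authenticate(method_list, user, pwd, acs_users, local_users, server_up=True):
    """Return (verdict, deciding_method) for an 'aaa authentication login' list.

    deciding_method is None when every method returned ERROR (login fails).
    """
    for method in method_list:
        if method == "group tacacs+":
            verdict = tacacs_method(user, pwd, acs_users, server_up)
        elif method == "local":
            verdict = local_method(user, pwd, local_users)
        else:
            raise ValueError(f"unsupported method: {method}")
        if verdict != ERROR:
            return verdict, method
    return FAIL, None


if __name__ == "__main__":
    ml = ["group tacacs+", "local"]
    print(authenticate(ml, "user2", "local-pass", ACS_MISCONFIGURED, LOCAL_USERS))  # ('PASS', 'group tacacs+')
    print(authenticate(ml, "user2", "local-pass", ACS_FIXED, LOCAL_USERS))          # ('FAIL', 'group tacacs+')
    print(authenticate(ml, "user2", "local-pass", ACS_FIXED, LOCAL_USERS, False))   # ('PASS', 'local')
```

The first call reproduces the symptom (the "local" account is really accepted by TACACS+), the second shows that a reachable server's FAIL is final, and the third is the only case where "local" is consulted.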

Re: AAA Authentication Question

I am facing the same issue. I don't have the same user configured in TACACS as a local user, but I am still able to log in through TACACS as user1 as well as locally, at the same time, as user2.

What could be the issue? My ACS version is 4.2.

Re: AAA Authentication Question

Post your AAA and VTY settings if you can.
