Cisco Support Community
AAA & local login

Hi,

I've got a curious problem.

If I use the following line in my configs:

aaa authentication login default group tacacs+ local

and a locally configured username/password as follows:

username test password abc123

the ACS server will authenticate the login request OK every time, but if you try to log in with the local username it fails. If you disconnect the ACS server, then the local username and password will work.

Presumably the ACS server sees that there is no username that matches this local one and fails the attempt.

Is there a way to make it return to the router and make it use the local username?

Thanks for your help.

Ray

1 ACCEPTED SOLUTION


Re: AAA & local login

Ray,

Actually it is by design. The router will fall back only in the case when there is no response from the ACS server.

If ACS cannot locate any user, it will say "user not found" to the router, so the router will not check its database.

If there is no reply from ACS, the router will get "error" as a return value, so it will then check its local database for that user.

Hope that helps !

Regards,

~JG

Do rate helpful posts

4 REPLIES

Re: AAA & local login

Local account "test" is the fall-back method in case the ACS becomes unavailable.

CCIE Security.



Re: AAA & local login

Just quick addition

The router asks the first tacacs (ACS) server; if it doesn't reply in the specified time (there is some default value, which can be changed with the command tacacs-server timeout), then it continues to the second tacacs (ACS) server (if a second is configured); if there is no response within the timeout, the router goes to local authentication.

M.

Hope that helps rate if it does

Re: AAA & local login

Maybe I am replying to this too late, but there is a way to get both working, provided nothing has been changed in the code, which I have seen lately in a few cases.

Issue command,

aaa authentication login default local group tacacs+

The above command will let both local and tacacs accounts work. But ensure that the local and tacacs accounts do not have the same username.

The logic behind this is:

First the router will look up its local database; if the user is not found, then the router returns the code "ERROR". And "ERROR" is the code responsible for making the aaa statement look for the next method available, i.e. tacacs as per the command.

But the other way around is not correct. That is, if you have the command,

aaa authentication login default group tacacs+ local

Then if the account does not exist on the tacacs server, the tacacs server returns the error code "FAIL", not "ERROR", so the router never looks at its local database.

But when the tacacs server is not available, the router times out and generates the error code "ERROR", which lets the router check its local database.

Regards,

Prem
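To make the PASS/FAIL/ERROR logic discussed in this thread concrete, here is a small Python model of IOS method-list evaluation. This is an added example, not code from the thread or from Cisco IOS: it assumes exactly the three return codes the replies describe (PASS authenticates; FAIL denies and stops the list; ERROR, from a server timeout or from a user missing in the local database, moves on to the next method), and it goes one step beyond the posts by modelling a server group with more than one TACACS+ server, as M. describes. The usernames, passwords, server objects and the `demo()` scenario names are constructed for the example; the two `aaa authentication login` lines are the ones from the thread.

```python
"""Model of Cisco IOS AAA login method-list evaluation.

Added example, not code from the thread or from Cisco. It assumes the
three return codes the thread describes: PASS authenticates, FAIL denies
and stops the list, ERROR (no reply, or user absent from the local
database) moves on to the next method. All server/user data is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


@dataclass
class TacacsServer:
    """One TACACS+ server (ACS). reachable=False stands in for a
    tacacs-server timeout (constructed, not a real server)."""
    users: Dict[str, str]
    reachable: bool = True

    def authenticate(self, user: str, password: str) -> str:
        if not self.reachable:
            return ERROR                      # no reply: router sees ERROR
        if self.users.get(user) != password:
            return FAIL                       # "user not found" or bad password
        return PASS


def group_authenticate(servers: List[TacacsServer], user: str, password: str) -> str:
    """A 'group tacacs+' method tries each server in order and takes the
    first real reply; only when every server times out does the method ERROR."""
    for server in servers:
        result = server.authenticate(user, password)
        if result != ERROR:
            return result
    return ERROR


def local_authenticate(local_db: Dict[str, str], user: str, password: str) -> str:
    """The 'local' method: unknown user is ERROR (fall through), wrong
    password for a known user is FAIL (stop)."""
    if user not in local_db:
        return ERROR
    return PASS if local_db[user] == password else FAIL


def parse_login_method_list(cmd: str) -> List[str]:
    """'aaa authentication login default group tacacs+ local'
    -> ['group tacacs+', 'local']."""
    words = cmd.split()
    if words[:3] != ["aaa", "authentication", "login"] or len(words) < 5:
        raise ValueError("expected 'aaa authentication login <list> <methods...>'")
    methods, rest, i = [], words[4:], 0          # words[3] is the list name
    while i < len(rest):
        if rest[i] == "group":
            if i + 1 >= len(rest):
                raise ValueError("'group' needs a server-group name")
            methods.append(f"group {rest[i + 1]}")
            i += 2
        else:
            methods.append(rest[i])
            i += 1
    return methods


def evaluate(cmd: str, user: str, password: str, local_db: Dict[str, str],
             groups: Dict[str, List[TacacsServer]]) -> Tuple[str, List[Tuple[str, str]]]:
    """Walk the method list; return the final verdict and a trace of
    (method, result). Anything other than PASS means the login is denied."""
    trace: List[Tuple[str, str]] = []
    for method in parse_login_method_list(cmd):
        if method == "local":
            result = local_authenticate(local_db, user, password)
        elif method.startswith("group "):
            result = group_authenticate(groups[method.split()[1]], user, password)
        elif method == "none":
            result = PASS
        else:
            raise ValueError(f"unsupported method: {method}")
        trace.append((method, result))
        if result != ERROR:                   # PASS or FAIL ends the list
            return result, trace
    return ERROR, trace                       # every method errored: denied


def demo() -> Dict[str, Tuple[str, List[Tuple[str, str]]]]:
    """Replay the thread's scenarios. Names and passwords are constructed."""
    local_db = {"test": "abc123"}             # username test password abc123
    acs_up = TacacsServer(users={"ray": "s3cret"})
    acs_down = TacacsServer(users={"ray": "s3cret"}, reachable=False)
    tacacs_first = "aaa authentication login default group tacacs+ local"
    local_first = "aaa authentication login default local group tacacs+"
    return {
        "tacacs_first/acs_user": evaluate(tacacs_first, "ray", "s3cret", local_db, {"tacacs+": [acs_up]}),
        "tacacs_first/local_user": evaluate(tacacs_first, "test", "abc123", local_db, {"tacacs+": [acs_up]}),
        "tacacs_first/acs_down": evaluate(tacacs_first, "test", "abc123", local_db, {"tacacs+": [acs_down]}),
        "tacacs_first/second_server": evaluate(tacacs_first, "ray", "s3cret", local_db, {"tacacs+": [acs_down, acs_up]}),
        "local_first/local_user": evaluate(local_first, "test", "abc123", local_db, {"tacacs+": [acs_up]}),
        "local_first/acs_user": evaluate(local_first, "ray", "s3cret", local_db, {"tacacs+": [acs_up]}),
        "local_first/name_clash": evaluate(local_first, "ray", "s3cret", {"ray": "other"}, {"tacacs+": [acs_up]}),
    }


if __name__ == "__main__":
    for name, (verdict, trace) in demo().items():
        print(f"{name:28} {verdict:5} {trace}")
```

Running it shows the point of the thread in the traces: with `group tacacs+ local`, a reachable ACS answers FAIL for the local-only user and the `local` method is never reached, while an unreachable ACS yields ERROR and the login falls through to `local`. With `local group tacacs+`, a user absent from the local database produces ERROR and continues on to TACACS+, and the `name_clash` case shows Prem's caveat: a username that exists locally with a different password stops at `local` with FAIL and never reaches the server.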
