What do I need to modify or add to the following so that the locally defined user ID gui_id can succeed when logging into this router at all times, even if communication with the TACACS+ server is up? (gui_id does not exist on the TACACS+ server.) The order of authentication for the other defined user IDs and the default group should stay the same. Also, if possible, can the user gui_id be automatically enabled when authenticated, and how:
Unfortunately, it doesn't quite work that way. When a method list is used (in your case, the default method list), it will use the first method in that list. For your config, the attempt will authenticate against the TACACS+ server. If the TACACS+ server is responsive and actually responds with a reject message, the authentication will not fall back to local and will fail the user. This is intended behavior. Only when the TACACS+ server is unresponsive or not sending back valid responses will authentication ever fall back to local.
If the local database was being used due to fallback and you wanted to automatically be placed in enable mode, you need to add "local" to your authorization exec so that shell exec privilege is passed:
aaa authorization exec default group tacacs+ local if-authenticated
Is there a specific need to have your local user gui_id to be able to authenticate at all times? For best practices, your users should all authenticate to tacacs. Only if tacacs goes down should you need to use the local database as a backdoor in this failure scenario.
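A complete AAA block that behaves the way the reply above describes, added here as an example (it is not configuration from the original thread). The server name, group name, address and key are assumed placeholders; the syntax is the IOS 15-style "tacacs server" form.

```cisco
! Added example, not from the original post. 192.0.2.10, the group name and
! the key values are assumed placeholders.
aaa new-model
!
tacacs server TACACS-1
 address ipv4 192.0.2.10
 key <TACACS-SHARED-KEY>
!
aaa group server tacacs+ TACACS-GROUP
 server name TACACS-1
!
! Login: the TACACS+ group is asked first. A REJECT from a reachable server
! ends the attempt; IOS consults the local database only when no server in
! the group answers.
aaa authentication login default group TACACS-GROUP local
!
! Exec authorization must also list "local"; otherwise a user who was
! authenticated from the local database gets no shell privilege and lands in
! user EXEC. "if-authenticated" lets an already authenticated user through if
! neither earlier method can return a decision.
aaa authorization exec default group TACACS-GROUP local if-authenticated
!
! Local account, used only while TACACS+ is unreachable. privilege 15 means
! the session starts in enable mode once exec authorization succeeds via local.
username gui_id privilege 15 secret <STRONG-LOCAL-PASSWORD>
!
line vty 0 4
 login authentication default
 authorization exec default
 transport input ssh
```

Verify the fallback with "test aaa group TACACS-GROUP <user> <password> legacy" and "debug aaa authentication" while the server is reachable and again while it is blocked; only the second case should show the local method being tried.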