Cisco Support Community
Community Member

AAA Problem when WAN is offline

Hi All,

I have a problem at the moment logging into a router while the WAN is offline. TACACS+ works fine when the WAN is up, but when it's down I get prompted for a password, which I enter and then get authorisation failed...

Here is the AAA config

aaa authentication login default group tacacs+ enable

aaa authorization config-commands

aaa authorization exec default group tacacs+

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting network default start-stop group tacacs+

aaa accounting connection default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

3 REPLIES

Re: AAA Problem when WAN is offline

Try adding 'local' to the end of line:

aaa authorization exec default group tacacs+ local

The 'local' refers to the local database for authorization.

Hall of Fame Super Gold

Re: AAA Problem when WAN is offline

Specifying local as a backup method for authorization may get around this problem, but does it not require that local user IDs and passwords be configured? Since the authentication login did not use the local IDs as backup I wonder about the logic of doing this for authorization. I have had good success by configuring authorization like this:

aaa authorization exec default group tacacs+ if-authenticated

which will bypass authorization processing if TACACS is not available and if the user has successfully authenticated.

HTH

Rick
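
The failure mode in this thread, as an added example that is not part of the original posts: IOS moves to the next method in a list only when the current one returns an error such as a server timeout, so a list made up solely of `group tacacs+` has nothing left to try when the WAN is down. This Python check flags such lists in a saved config; the function names are hypothetical and the config lines are copied from the thread.

```python
# Added example, not from the thread. Function names are hypothetical;
# the config lines are copied from the posts above.
ORIGINAL = """\
aaa authentication login default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+
aaa accounting exec default start-stop group tacacs+
"""
# Same config with the accepted fix applied to the exec authorization list.
FIXED = ORIGINAL.replace(
    "aaa authorization exec default group tacacs+",
    "aaa authorization exec default group tacacs+ if-authenticated",
)


def parse_method_lists(config):
    """Return (kind, service, list_name, methods) per authentication/authorization list."""
    lists = []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "aaa" or tok[1] not in ("authentication", "authorization"):
            continue  # skips accounting and list-less lines such as config-commands
        service, rest = tok[2], tok[3:]
        if service == "commands":  # form: commands <level> <list-name> <methods...>
            service, rest = f"commands {rest[0]}", rest[1:]
        name, words = rest[0], rest[1:]
        methods, i = [], 0
        while i < len(words):
            if words[i] == "group" and i + 1 < len(words):
                methods.append(f"group {words[i + 1]}")  # "group tacacs+" is one method
                i += 2
            else:
                methods.append(words[i])
                i += 1
        lists.append((tok[1], service, name, methods))
    return lists


def server_only_lists(config):
    """Lists where every method is a server group, so nothing is left after a timeout."""
    return [
        (kind, service, name)
        for kind, service, name, methods in parse_method_lists(config)
        if methods and all(m.startswith("group ") for m in methods)
    ]


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        print(label, server_only_lists(cfg))
```

An empty result only means each list has a fallback. With `if-authenticated`, anyone who passes the fallback authentication method (here the enable password) gets an exec session while TACACS+ is unreachable, so that credential deserves the same care as a local admin account.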

Community Member

Re: AAA Problem when WAN is offline

Thanks for that, Rick. Your logic is correct and it has fixed my problem. Much appreciated.
