I have a router that uses ACS for its authentication login via telnet (VTY). I put local as the second method. But whenever the ACS is offline, I can log into the router using any word I type at the username prompt. This is my configuration:
aaa authentication login CMD-LOGIN group tacacs+ local none
I believe that the authentication is doing exactly what you have asked it to do. But there is an aspect of local authentication in aaa that is not well understood (I did not understand it for a long time and believe that others do not either). With aaa, when we configure local authentication it will prompt for a user name, and if one is entered it will check it against the locally configured names and passwords. But if the name entered is not found in the config, then aaa treats it as a failure of the method, and if another method is configured it will use it, which is what is happening as you describe it. I believe that most of us believe that if the name is not found it would count as a failed attempt and we should be denied access. But it does not count as a failed attempt; it counts as a failed method.

You can test this out if you wish: turn on debug aaa authentication. Then try to log in to the router as cisco321 (the configured name) but with a different password. I believe that you will see your attempt refused. Then attempt to log in to the router using some different name. I believe that you will see aaa attempt local authentication and then go on to line authentication.
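The following is an added example, not code from the original thread or from Cisco: a small Python model of how a login method list is walked, using the three outcomes a method can produce (pass, fail, or a method error that moves on to the next method). It encodes the behaviour the thread describes (an unreachable ACS is a method error, a locally unknown username is a method error rather than a failed attempt, a wrong password for a known local user is a failure, and `none` always passes), and it assumes that exhausting the list without a decision denies access. The local user `cisco321` is taken from the answer above; its password, the ACS user `netadmin`, and the second "hardened" method list are constructed for the model.

```python
"""Model of how an IOS AAA login method list is evaluated (illustrative, not IOS code).

Each method returns one of three outcomes:
  PASS  - user authenticated; stop walking the list
  FAIL  - user rejected; stop walking the list and deny
  ERROR - method could not decide (server unreachable, name unknown); try the next method
"""
from enum import Enum


class Result(Enum):
    PASS = "pass"
    FAIL = "fail"
    ERROR = "error"


# Constructed credential stores for the model (passwords and the ACS user are made up).
LOCAL_USERS = {"cisco321": "S3cret!"}
ACS_USERS = {"netadmin": "AcsPw-1"}


def method_tacacs(username, password, acs_online):
    """'group tacacs+': unreachable server -> ERROR; otherwise the server decides."""
    if not acs_online:
        return Result.ERROR
    return Result.PASS if ACS_USERS.get(username) == password else Result.FAIL


def method_local(username, password, acs_online):
    """'local': unknown name -> ERROR (failed method, fall through); wrong password -> FAIL."""
    if username not in LOCAL_USERS:
        return Result.ERROR
    return Result.PASS if LOCAL_USERS[username] == password else Result.FAIL


def method_none(username, password, acs_online):
    """'none': no authentication at all, always PASS."""
    return Result.PASS


METHODS = {
    "group tacacs+": method_tacacs,
    "local": method_local,
    "none": method_none,
}


def parse_method_list(config_line):
    """Parse 'aaa authentication login <name> <method>...' into (name, [methods])."""
    tokens = config_line.split()
    if tokens[:3] != ["aaa", "authentication", "login"] or len(tokens) < 5:
        raise ValueError(f"not an aaa authentication login line: {config_line!r}")
    name, rest = tokens[3], tokens[4:]
    methods = []
    while rest:
        tok = rest.pop(0)
        if tok == "group":  # 'group tacacs+' / 'group radius' span two tokens
            if not rest:
                raise ValueError("'group' without a server-group name")
            tok = f"group {rest.pop(0)}"
        if tok not in METHODS:
            raise ValueError(f"method not modelled here: {tok}")
        methods.append(tok)
    return name, methods


def trace(methods, username, password, acs_online=True):
    """Walk the list and record (method, outcome) per step; PASS/FAIL end the walk."""
    steps = []
    for name in methods:
        outcome = METHODS[name](username, password, acs_online)
        steps.append((name, outcome.value))
        if outcome is not Result.ERROR:
            break
    return steps


def authenticate(methods, username, password, acs_online=True):
    """True only if some method returned PASS. Assumption of the model:
    running off the end of the list (every method ERRORed) denies access."""
    steps = trace(methods, username, password, acs_online)
    return bool(steps) and steps[-1][1] == Result.PASS.value


def login_allowed(config_line, username, password, acs_online=True):
    """Convenience wrapper: parse the config line and evaluate one login attempt."""
    _, methods = parse_method_list(config_line)
    return authenticate(methods, username, password, acs_online)


if __name__ == "__main__":
    weak = "aaa authentication login CMD-LOGIN group tacacs+ local none"
    hardened = "aaa authentication login CMD-LOGIN group tacacs+ local"
    for line in (weak, hardened):
        _, methods = parse_method_list(line)
        print(line)
        print("  ACS down, unknown user:        ", trace(methods, "anybody", "x", acs_online=False))
        print("  ACS down, cisco321, wrong pw:  ", trace(methods, "cisco321", "bad", acs_online=False))
        print("  ACS down, cisco321, correct pw:", trace(methods, "cisco321", "S3cret!", acs_online=False))
```

With the poster's list, an unknown username while ACS is down reaches `none` and is admitted; with the same list minus `none`, the same attempt runs out of methods and is denied, while a known local user with the right password still gets in. The `trace` output is the model's equivalent of what `debug aaa authentication` shows on the router.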