Cisco Support Community
Community Member

Configuring AAA with backup line and enable

I have AAA pointing to ACS 3.1 and it works fine. In case it's ever down, I want to use the line and enable passwords as a backup. I think I have it working properly, but if someone else is using this method, can you confirm I have this right:

aaa new-model

aaa authentication login default group tacacs+ line

aaa authentication enable default group tacacs+ enable

aaa authorization exec default group tacacs+ if-authenticated

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

The authorization with "if-authenticated" is the only way I can figure out how to allow exec privileges if I have to use the line and enable passwords. Otherwise it gives me an authorization failed error after trying to authenticate.

2 REPLIES
Cisco Employee

Re: Configuring AAA with backup line and enable

This looks fine. Instead of "if-authenticated" you could use "none" so that there'll be no authorization done if the TACACS server is not available; either one will work for you.

Community Member

Re: Configuring AAA with backup line and enable

That will work. Thanks for the response.
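An added example, not part of the thread: a small Python check that reads the AAA method lists from a saved configuration and reports which ones have nothing to fall back to when the TACACS+ servers are unreachable, including the "authorization failed" case described in the question. The sample configuration is constructed, and the script assumes only the default lists matter and that lines follow the `aaa <type> <service> [level] <list> <methods>` layout.

```python
import re

# Constructed sample: the question's lists, except that the exec authorization
# line has had "if-authenticated" removed to show the failure it describes.
SAMPLE = """\
aaa new-model
aaa authentication login default group tacacs+ line
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+
aaa accounting exec default start-stop group tacacs+
"""

# aaa <type> <service> [privilege level] <list-name> <methods...>
AAA_RE = re.compile(r"^aaa (authentication|authorization) (\S+)(?: \d+)? (\S+) (.+)$")

def fallbacks(config):
    """Map (type, service, list-name) to the methods tried after server groups.

    IOS moves to the next method only when the previous one returns an error
    (server unreachable), not when the server rejects the user.
    """
    lists = {}
    for line in config.splitlines():
        m = AAA_RE.match(line.strip())
        if not m:
            continue
        kind, service, name, rest = m.groups()
        tokens, methods, i = rest.split(), [], 0
        while i < len(tokens):
            if tokens[i] == "group" and i + 1 < len(tokens):
                i += 2                      # "group <name>" is a server group
            else:
                methods.append(tokens[i])   # line, enable, local, none, ...
                i += 1
        lists[(kind, service, name)] = methods
    return lists

def findings(config):
    """Return human-readable warnings about behaviour when TACACS+ is down."""
    lists, out = fallbacks(config), []
    for key, methods in lists.items():
        if not methods:
            out.append("%s %s %s: no fallback method" % key)
    login = lists.get(("authentication", "login", "default"))
    execz = lists.get(("authorization", "exec", "default"))
    if login and execz == []:
        out.append("login falls back to %s but exec authorization cannot" % login[0])
    return out

if __name__ == "__main__":
    print("\n".join(findings(SAMPLE)))
```

Run against the configuration exactly as posted in the question, `findings` returns an empty list, because every authentication and authorization list there names a method after `group tacacs+`.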
