Getting access when Tacacs fails

joytaylor
Level 1

I thought I had this set up right, but when the routers couldn't reach the Tacacs servers, I wasn't able to get console access.

Basically, I want to use Tacacs when it's available. If not, then I want to use the local database to get console and telnet access.

Below is my config:

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
enable secret xxxx
enable password xxxx
!
username xxxx privilege 15 password xxxxx!
!
line con 0
 transport input none
line aux 0
line vty 0 4

Thank you...

4 Replies

p.mcgowan
Level 3

Check out the following link for info on securing the console port using AAA:

http://www.cisco.com/en/US/customer/tech/tk583/tk642/technologies_tech_note09186a0080093c81.shtml

Let me know if you still have problems

I added login authentication default local for line con 0 and line vty 0 4, but when Tacacs fails I still am unable to access the routers using console and telnet.

Any suggestions?

Thanks...Joy

Personally, I think your config is a bit too complicated. If you're going to use authorization command sets, allow ACS to authenticate and authorize enable mode too.

Firstly, take out these lines:

aaa authentication enable default group tacacs+ enable
aaa authorization console

Secondly, change this line:

aaa authorization exec default group tacacs+ local

to

aaa authorization exec default group tacacs+ local if-authenticated

Here is a good sample:

aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+

Your vty line config is correct, since you want the default authentication mechanism to be tacacs+ and, if it fails, to use local. But if you were not authenticated by tacacs+, you don't want the config to force tacacs+ authorization on you. You only need tacacs+ authorization if you were authenticated by tacacs.

Hope this helps. Let us know the outcome.

Regards - P
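As an added illustration (not code from the thread or from Cisco), the following Python script audits an IOS-style AAA configuration for the lockout risk discussed in this thread: it flags `aaa authorization console`, authorization or authentication method lists that contain no method usable while every TACACS+ server is unreachable, and authorization lists that fall back to `local` rather than the `if-authenticated` method recommended in the reply above. The two embedded configurations are constructed samples that mirror the original poster's config and the recommended one (secrets replaced with placeholders); the rule set and the function names `parse_methods`, `has_offline_fallback` and `audit_aaa` are the author's own and not part of any Cisco tooling.

```python
import re

# Constructed sample mirroring the original poster's configuration (secrets elided).
ORIGINAL_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
username admin privilege 15 secret REPLACE-ME
line con 0
 transport input none
line vty 0 4
"""

# Constructed sample mirroring the configuration recommended in the reply.
RECOMMENDED_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
username admin privilege 15 secret REPLACE-ME
line con 0
line vty 0 4
"""

# Methods that are evaluated on the device itself, so they still return a result when
# every TACACS+ server is unreachable. 'none' is handled separately because it does not
# fall back, it switches the check off.
LOCAL_METHODS = {"local", "local-case", "if-authenticated", "enable", "line"}

AUTHN_RE = re.compile(r"^aaa authentication (login|enable) (\S+) (.+)$")
AUTHZ_RE = re.compile(r"^aaa authorization (exec|commands \d+) (\S+) (.+)$")


def parse_methods(method_str):
    """Split 'group tacacs+ local' into ['group tacacs+', 'local'], keeping the group name
    attached to its 'group' keyword. IOS tries these in order and only moves to the next
    method when the current one errors (e.g. server unreachable), not on a rejection."""
    tokens = method_str.split()
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append(f"group {tokens[i + 1]}")
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def has_offline_fallback(methods):
    """True if at least one method in the list does not depend on an AAA server."""
    return any(m in LOCAL_METHODS for m in methods)


def audit_aaa(config_text):
    """Return (severity, message) findings for TACACS+-outage lockout risk.
    The rules encode the thread's advice (hypothetical rule set, not a Cisco check)."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "aaa authorization console":
            findings.append(("high", "aaa authorization console: exec authorization is applied "
                                     "to the console line, so a TACACS+ outage can lock out the console"))
            continue
        for kind_label, regex in (("authentication", AUTHN_RE), ("authorization", AUTHZ_RE)):
            m = regex.match(line)
            if not m:
                continue
            kind, name, methods = m.group(1), m.group(2), parse_methods(m.group(3))
            if "none" in methods:
                findings.append(("medium", f"{kind_label} {kind} list '{name}' contains 'none' "
                                           f"({kind_label} is effectively disabled)"))
            elif not has_offline_fallback(methods):
                findings.append(("high", f"{kind_label} {kind} list '{name}' has no method usable "
                                         f"when the servers are unreachable: {methods}"))
            elif kind_label == "authorization" and "if-authenticated" not in methods:
                findings.append(("low", f"authorization {kind} list '{name}' falls back to 'local'; "
                                        "the reply recommends 'if-authenticated' so an already "
                                        "authenticated user is not re-authorized"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("recommended", RECOMMENDED_CONFIG)):
        print(f"== {label} ==")
        for severity, message in audit_aaa(cfg) or [("ok", "no findings")]:
            print(f"[{severity}] {message}")
```

Run against the two samples, the original configuration produces one high finding for `aaa authorization console` and four low findings (one per authorization list using `local`), while the recommended configuration produces none. A list such as `aaa authorization exec default group tacacs+` with no second method is reported as high, since nothing in it can answer while the servers are down.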

I wasn't the original poster, but I found your post doing a search for the same issue and your info was 'spot on', so I gave you a 5.

Cheers

Steve