How to fallback to console login when TACACS server down?

bravob
Level 1

Thanks to all, I appreciate your help!

I have a 4006 CatOS switch running 6.3. I can telnet and authenticate via TACACS servers. How do I make sure I'm able to serial console to the switch in the event IP connectivity to the TACACS servers is lost or the TACACS servers are down? This is the AAA config:

#authentication

set authentication login tacacs enable telnet primary

set authentication login tacacs enable http primary

set authentication enable tacacs enable telnet primary

set authentication enable tacacs enable http primary

set authentication login attempt 5 console

!

#authorization

set authorization exec enable tacacs+ deny console

set authorization exec enable tacacs+ deny telnet

set authorization enable enable tacacs+ deny console

set authorization enable enable tacacs+ deny telnet

set authorization commands enable all tacacs+ deny console

set authorization commands enable all tacacs+ deny telnet

end

1 Reply 1

jhanna
Level 1

If you enter the following lines, console access will be made to use local credentials.

set authentication login local enable console

Also create a local user to authenticate with.

set localuser user jsmith password j5m1th privilege 15

The account when you log in will be in enable mode instantly. If you don't want this, and would like the console user to enter an enable password, enter the localuser without privilege 15, and also set AAA to have an enable fallback as well. Example below.

set localuser user jsmith password j5m1th

set authentication login local enable console

set authentication enable local enable console

I see you are using "Attempt 5 console"; I would recommend you use lockout. This will allow a user to retry in 15 minutes.

set authentication login lockout 900

Kind Regards.
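
An added example, not part of the original thread or of any Cisco tooling: a Python check over pasted `set authentication` / `set authorization` lines that lists reasons the serial console could be unusable when no TACACS+ server is reachable. It assumes the keyword after `tacacs+` in `set authorization` is the fallback applied when no server responds, and that an omitted access path means all paths; the function names and the sample are constructed.

```python
# Constructed sample: AAA lines from the question plus the console lines from the reply.
SAMPLE = """\
set authentication login tacacs enable telnet primary
set authentication enable tacacs enable telnet primary
set authentication login local enable console
set authentication enable local enable console
set authentication login attempt 5 console
set authorization exec enable tacacs+ deny console
set authorization exec enable tacacs+ deny telnet
set authorization enable enable tacacs+ deny console
set authorization commands enable all tacacs+ deny console
"""
PATHS = {"console", "telnet", "http"}

def parse_aaa(config):
    """Return (authn, authz): authn[(kind, path)] = [methods]; authz[(kind, path)] = (option, fallback)."""
    authn, authz = {}, {}
    for line in config.splitlines():
        t = line.split()
        if t[:2] == ["set", "authentication"] and len(t) >= 5 and t[4] == "enable":
            # set authentication {login|enable} <method> enable [path] [primary]
            paths = [t[5]] if len(t) > 5 and t[5] in PATHS else sorted(PATHS)  # assumed: no path = all
            for p in paths:
                authn.setdefault((t[2], p), []).append(t[3])
        elif t[:2] == ["set", "authorization"] and len(t) >= 6 and t[3] == "enable":
            # set authorization {exec|enable|commands} enable [...] <option> <fallback> [path]
            if t[-1] in ("console", "telnet", "both"):
                option, fallback, where = t[-3], t[-2], t[-1]
            else:
                option, fallback, where = t[-2], t[-1], "both"
            for p in (["console", "telnet"] if where == "both" else [where]):
                authz[(t[2], p)] = (option, fallback)
    return authn, authz

def console_findings(config):
    """List reasons the serial console may be unusable with no TACACS+ server reachable."""
    authn, authz = parse_aaa(config)
    out = []
    for kind in ("login", "enable"):
        methods = authn.get((kind, "console"), [])
        if methods and "local" not in methods:  # explicit non-local methods only
            out.append(f"authentication {kind}: console uses {methods} with no local method")
    for (kind, path), (option, fallback) in sorted(authz.items()):
        if path == "console" and fallback == "deny":  # assumed meaning: deny when no server answers
            out.append(f"authorization {kind}: console fallback is deny")
    return out

if __name__ == "__main__":
    print("\n".join(console_findings(SAMPLE)) or "no console findings")
```

On the sample, local authentication is present for the console, and the three findings all come from the `deny` keyword on the console authorization lines.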