
New Member

Local login when tacacs is up

I have my switch configured for tacacs then local:

      aaa authentication login default group MYGROUP local

And that works fine -- I can log in via tacacs, and when the servers are down, I can log in via a local account.

However, is it possible to use local if you fail tacacs authentication? For example, the servers are up, but rejecting all authentication? I'd like it to check local credentials if it gets an access denied from tacacs.

Thanks

7 REPLIES

However, is it possible to use local if you fail tacacs authentication?

is not possible, as the server will send a Reject message with failed auth and the device will not fall back to the next method in case of a reject.

Now, there is still a slight catch with the Cisco Tacacs+ server; if you have one, I can show you that.

Rate if Useful :)

Sharing knowledge makes you Immortal.

Regards,

Ed

Cisco Employee

Not possible unless the servers are down/unreachable.

Ed, I am interested to know about the "catch" that you are talking about :) I have a TACACS+ server so please share!

Thank you for rating helpful posts!

If you have a Cisco ACS 5.x, and you find a way to push your requests to a particular access service, you can go to the service --> identity and there open up the advanced options.

In there, there is an option to drop the request when the authentication fails.

If you do this, in case of an authentication failure, instead of a reject, ACS will drop the packet, therefore replicating a "server not responding" scenario.

Eventually, you will fall back to local at the switch side and this will get you what you want.

Rate if Useful :)

Sharing knowledge makes you Immortal.

Regards,

Ed

New Member

Great advice, thanks all

Cisco Employee

Pretty cool. Thank you for sharing! (+5 from me)

Thank you for rating helpful posts!

Awesome :)

Cisco Employee

Suppose the system administrator has decided on a security solution where all interfaces will use the same authentication methods to authenticate PPP connections. In the RADIUS group, R1 is contacted first for authentication information, then if there is no response, R2 is contacted. If R2 does not respond, T1 in the TACACS+ group is contacted; if T1 does not respond, T2 is contacted. If all designated servers fail to respond, authentication falls to the local username database on the access server itself. To implement this solution, the system administrator would create a default method list by entering the following command:


    aaa authentication ppp default group radius group tacacs+ local


In this example, "default" is the name of the method list. The protocols included in this method list are listed after the name, in the order they are to be queried. The default list is automatically applied to all interfaces.

 

When a remote user attempts to dial in to the network, the network access server first queries R1 for authentication information. If R1 authenticates the user, it issues a PASS response to the network access server and the user is allowed to access the network. If R1 returns a FAIL response, the user is denied access and the session is terminated. If R1 does not respond, then the network access server processes that as an ERROR and queries R2 for authentication information. This pattern would continue through the remaining designated methods until the user is either authenticated or rejected, or until the session is terminated.

 

It is important to remember that a FAIL response is significantly different from an ERROR. A FAIL means that the user has not met the criteria contained in the applicable authentication database to be successfully authenticated. Authentication ends w...

Suppose the system administrator wants to apply a method list only to a particular interface or set of interfaces. In this case, the system administrator creates a named method list and then applies this named list to the applicable interfaces. The following example shows how the system administrator can implement an authentication method that will be applied only to interface 3:


    aaa authentication ppp default group radius group tacacs+ local
    aaa authentication ppp apple group radius group tacacs+ local none
    interface async 3
     ppp authentication chap apple


In this example, "apple" is the name of the method list, and the protocols included in this method list are listed after the name in the order in which they are to be performed. After the method list has been created, it is applied to the appropriate interface. Note that the method list name (apple) in both the AAA and PPP authentication commands must match.

Source: http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfathen.html
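As an added illustration, not Cisco's code and not posted by anyone in this thread, the following Python model walks a method list the way the quoted documentation describes it, and also models the ACS "drop the request on failure" behaviour from Ed's reply earlier in the thread: a FAIL ends evaluation with a denial, an ERROR (no reply) moves on to the next method, and dropping the reject turns what would have been a FAIL into an ERROR, which is why the switch then falls back to local. The server names, usernames and passwords are constructed sample data; treating a username that is absent from the local database as an ERROR rather than a FAIL is an assumption about IOS behaviour, not something this thread states.

```python
"""Model of IOS AAA method-list evaluation (added illustration, not Cisco code).

A method list is walked in order. Each method answers PASS, FAIL or ERROR.
FAIL ends authentication with a denial; ERROR (no response) hands evaluation
to the next method. The ACS 5.x "drop on failure" option is modelled as a
server that deliberately does not answer a bad login, so the device sees an
ERROR instead of a FAIL. All names and credentials below are constructed.
"""
from dataclasses import dataclass, field
from enum import Enum


class Result(Enum):
    PASS = "PASS"
    FAIL = "FAIL"
    ERROR = "ERROR"


@dataclass
class Server:
    name: str
    users: dict = field(default_factory=dict)
    reachable: bool = True
    drop_on_failure: bool = False  # the ACS "drop" option described in the thread

    def authenticate(self, user, password):
        if not self.reachable:
            return Result.ERROR
        if self.users.get(user) == password:
            return Result.PASS
        # A dropped packet looks to the device exactly like a dead server.
        return Result.ERROR if self.drop_on_failure else Result.FAIL


@dataclass
class ServerGroup:
    name: str
    servers: list

    def authenticate(self, user, password):
        # Within a group the next server is consulted only when the previous
        # one did not answer; a PASS or FAIL from any server is final.
        for server in self.servers:
            result = server.authenticate(user, password)
            if result is not Result.ERROR:
                return result
        return Result.ERROR


@dataclass
class Local:
    name: str = "local"
    users: dict = field(default_factory=dict)

    def authenticate(self, user, password):
        # Assumption: a username absent from the local database yields ERROR
        # (next method is tried); a wrong password for a known user is FAIL.
        if user not in self.users:
            return Result.ERROR
        return Result.PASS if self.users[user] == password else Result.FAIL


class NoneMethod:
    name = "none"

    def authenticate(self, user, password):
        return Result.PASS  # 'none' grants access unconditionally


def evaluate(method_list, user, password):
    """Return (final result, trace of (method name, result)) for one login."""
    trace = []
    for method in method_list:
        result = method.authenticate(user, password)
        trace.append((method.name, result))
        if result is not Result.ERROR:
            return result, trace
    # Every method errored and no 'none' terminated the list: access denied.
    return Result.ERROR, trace


def login_default(user, password, tacacs_up=True, tacacs_drops=False):
    """'aaa authentication login default group MYGROUP local' from the question."""
    t1 = Server("T1", users={"netops": "S3cret"}, reachable=tacacs_up,
                drop_on_failure=tacacs_drops)
    methods = [ServerGroup("MYGROUP", [t1]), Local(users={"admin": "LocalPw"})]
    return evaluate(methods, user, password)


def ppp_apple(user, password, radius_up=True, tacacs_up=True):
    """'aaa authentication ppp apple group radius group tacacs+ local none'."""
    radius = ServerGroup("radius", [Server("R1", reachable=radius_up),
                                    Server("R2", reachable=radius_up)])
    tacacs = ServerGroup("tacacs+", [Server("T1", reachable=tacacs_up),
                                     Server("T2", reachable=tacacs_up)])
    methods = [radius, tacacs, Local(users={"admin": "LocalPw"}), NoneMethod()]
    return evaluate(methods, user, password)


if __name__ == "__main__":
    cases = {
        "TACACS up, local creds": login_default("admin", "LocalPw"),
        "TACACS down, local creds": login_default("admin", "LocalPw", tacacs_up=False),
        "TACACS drops on failure": login_default("admin", "LocalPw", tacacs_drops=True),
        "all servers down, unknown user, 'none' last":
            ppp_apple("guest", "x", radius_up=False, tacacs_up=False),
    }
    for label, (result, trace) in cases.items():
        print(f"{label}: {result.value} via {[(n, r.value) for n, r in trace]}")
```

Run it as a script to see each scenario's trace. The first case is the original poster's situation: the TACACS+ group answers FAIL, so local is never consulted. The second and third cases show that an unreachable server and a dropped reject are indistinguishable to the device, which is exactly what the ACS workaround relies on. The last case shows why a trailing `none` in the apple list deserves care: once every server is unreachable and the user is unknown locally, `none` grants access.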
