Local login when tacacs is up

billmatthews
Level 1

I have my switch configured for TACACS then local:

      aaa authentication login default group MYGROUP local

And that works fine -- I can log in via TACACS, and when the servers are down, I can log in via a local account.

However, is it possible to use local if you fail TACACS authentication? For example, the servers are up but rejecting all authentication? I'd like it to check local credentials if it gets an access denied from TACACS.

Thanks

2 Accepted Solutions

edwardcollins7
Level 1

However, is it possible to use local if you fail tacacs authentication?

It is not possible, as the server will send a Reject message on failed auth, and the device will not fall back to the next method in case of a reject.

Now, there is still a slight catch with the Cisco TACACS+ server; if you have one, I can show you that.

Rate if Useful :)

Sharing knowledge makes you Immortal.

Regards,

Ed


Not possible unless the servers are down/unreachable.

Ed, I am interested to know about the "catch" that you are talking about :) I have a TACACS+ server so pls share!


7 Replies


If you have a Cisco ACS 5.x, and you find a way to push your requests to a particular access service, you can go to the service-->identity and there open up the advanced options.

In there, there is an option to drop the request when the authentication fails.

If you do this, in case of an authentication failure, instead of a reject, ACS will drop the packet, therefore replicating a "server not responding" scenario.

Eventually, you will fall back to local on the switch side, and this will get you what you want.

Rate if Useful :)

Sharing knowledge makes you Immortal.

Regards,

Ed

Great advice, thanks all

Pretty cool. Thank you for sharing! (+5 from me)

Awesome :)

mohanak
Cisco Employee

Suppose the system administrator has decided on a security solution where all interfaces will use the same authentication methods to authenticate PPP connections. In the RADIUS group, R1 is contacted first for authentication information, then if there is no response, R2 is contacted. If R2 does not respond, T1 in the TACACS+ group is contacted; if T1 does not respond, T2 is contacted. If all designated servers fail to respond, authentication falls to the local username database on the access server itself. To implement this solution, the system administrator would create a default method list by entering the following command:

      aaa authentication ppp default group radius group tacacs+ local

In this example, "default" is the name of the method list. The protocols included in this method list are listed after the name, in the order they are to be queried. The default list is automatically applied to all interfaces.

When a remote user attempts to dial in to the network, the network access server first queries R1 for authentication information. If R1 authenticates the user, it issues a PASS response to the network access server and the user is allowed to access the network. If R1 returns a FAIL response, the user is denied access and the session is terminated. If R1 does not respond, then the network access server processes that as an ERROR and queries R2 for authentication information. This pattern would continue through the remaining designated methods until the user is either authenticated or rejected, or until the session is terminated.

It is important to remember that a FAIL response is significantly different from an ERROR. A FAIL means that the user has not met the criteria contained in the applicable authentication database to be successfully authenticated. Authentication ends w...

Suppose the system administrator wants to apply a method list only to a particular interface or set of interfaces. In this case, the system administrator creates a named method list and then applies this named list to the applicable interfaces. The following example shows how the system administrator can implement an authentication method that will be applied only to interface 3:

      aaa authentication ppp default group radius group tacacs+ local
      aaa authentication ppp apple group radius group tacacs+ local none
      interface async 3
       ppp authentication chap apple

In this example, "apple" is the name of the method list, and the protocols included in this method list are listed after the name in the order in which they are to be performed. After the method list has been created, it is applied to the appropriate interface. Note that the method list name (apple) in both the AAA and PPP authentication commands must match.

Source: http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfathen.html
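As an added illustration (not code from this thread or from Cisco), here is a small Python model of the method-list walk described above: a PASS or FAIL from a method ends authentication, an ERROR moves on to the next method, and the ACS "drop on failure" option from Ed's reply turns a would-be FAIL into an ERROR so the switch reaches "local". The servers, account names and passwords are constructed for the example.

```python
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple

class Result(Enum):
    PASS = "PASS"    # the method accepted the credentials
    FAIL = "FAIL"    # the method answered with a reject
    ERROR = "ERROR"  # no usable answer: server down, timeout, dropped packet

# One method = one entry of e.g. "aaa authentication login default group MYGROUP local".
Method = Callable[[str, str], Result]

def make_server(accounts: Dict[str, str], reachable: bool = True,
                drop_on_fail: bool = False) -> Method:
    """Model one TACACS+/RADIUS server (constructed, not a real client).
    drop_on_fail mimics the ACS 5.x 'drop request on authentication failure'
    option: a bad login gets no reply (ERROR) instead of a reject (FAIL)."""
    def query(user: str, password: str) -> Result:
        if not reachable:
            return Result.ERROR
        if accounts.get(user) == password:
            return Result.PASS
        return Result.ERROR if drop_on_fail else Result.FAIL
    return query

def make_local(accounts: Dict[str, str]) -> Method:
    """The 'local' method: the switch's own username database."""
    def query(user: str, password: str) -> Result:
        return Result.PASS if accounts.get(user) == password else Result.FAIL
    return query

# The 'none' method never challenges anyone, so it always returns PASS.
NONE: Method = lambda user, password: Result.PASS

def authenticate(methods: List[Method], user: str,
                 password: str) -> Tuple[Result, Optional[int]]:
    """Walk the list in order: PASS or FAIL ends authentication, ERROR moves
    on to the next method. Returns the outcome and which method decided it."""
    for idx, method in enumerate(methods):
        res = method(user, password)
        if res is not Result.ERROR:
            return res, idx
    return Result.ERROR, None  # every method errored: the login is denied

# Constructed sample servers and accounts (not real credentials).
tacacs_up = make_server({"netadmin": "TacPass1"})
tacacs_down = make_server({"netadmin": "TacPass1"}, reachable=False)
tacacs_drop = make_server({"netadmin": "TacPass1"}, drop_on_fail=True)
local = make_local({"backup": "LocalPass1"})
```

With `tacacs_up`, the local-only account "backup" is rejected at the first method and never reaches "local"; with `tacacs_down` or `tacacs_drop` the same login succeeds via "local".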
