The basic summary is that I want to have TACACS+ and local login to the router over the vty lines. So I made the two groups below. Goody obviously is what is going to use TACACS and Console uses the local logins. I split them between 0-4 and 5-15. It seems that whichever one is higher gets the first priority for authentication. If I move Console to 0-4, then local users work and TACACS do not. If I have Goody at 0 4, then TACACS works, but local does not. I know I'm probably missing something simple. Having two TACACS servers, I doubt both will ever be down, but in the event I would like Local usernames to work. If I apply an access list to 0 4 and use SSH, and a different access list to 5 15 and use telnet it seems to work that way but doesn't help me if the internet goes down and I am onsite trying to access the router via SSH.
Thanks in advance.
aaa authentication login Goody group tacacs+ local
aaa authentication login Console local
line con 0
 login authentication Console
line aux 0
line vty 0 4
 session-timeout 7
 exec-timeout 5 0
 login authentication Goody
 transport input ssh
line vty 5 15
 session-timeout 7
 exec-timeout 5 0
 login authentication Console
 transport input ssh
That answers one of my questions, but now I have another. My ISP wants to have SSH into the router so that they can maintain their IP SLA agreement. They have a local user account on each of my routers that they use for SSH access. Is there a way to have the router look at both TACACS and if it's not there then the local user database?
edit- ok. I just found out that if I change the order to
aaa authentication login Goody local group tacacs+
that it will look in the local database first. If the user is not there, it will query the tacacs+ servers.
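The behaviour described in this thread follows from how an AAA method list is walked: the next method is consulted only when the current one cannot answer, not when it rejects the login. The Python model below is an added illustration, not part of the original posts and not Cisco code; the usernames and passwords are constructed, and treating an unknown local username as "cannot answer" is an assumption taken from the observation in the edit above.

```python
from enum import Enum

class Result(Enum):
    PASS = "pass"    # credentials accepted
    FAIL = "fail"    # method answered and rejected: evaluation stops here
    ERROR = "error"  # method could not answer: the next method is tried

# Constructed sample accounts, not taken from the thread.
LOCAL_USERS = {"isp-noc": "isp-secret"}    # stands in for the ISP's local account
TACACS_USERS = {"alice": "alice-secret"}   # stands in for a TACACS+ user

def local(user, password, _tacacs_up):
    if user not in LOCAL_USERS:
        # Assumption, matching what the poster observed: an unknown local
        # username falls through to the next method instead of failing.
        return Result.ERROR
    return Result.PASS if LOCAL_USERS[user] == password else Result.FAIL

def tacacs(user, password, tacacs_up):
    if not tacacs_up:
        return Result.ERROR  # no TACACS+ server reachable
    # A reachable server that does not know the user replies with a reject.
    return Result.PASS if TACACS_USERS.get(user) == password else Result.FAIL

def authenticate(method_list, user, password, tacacs_up=True):
    """Walk the method list in order; only ERROR moves to the next method."""
    for method in method_list:
        result = method(user, password, tacacs_up)
        if result is not Result.ERROR:
            return result is Result.PASS
    return False  # every method errored out

# aaa authentication login Goody group tacacs+ local
TACACS_THEN_LOCAL = [tacacs, local]
# aaa authentication login Goody local group tacacs+
LOCAL_THEN_TACACS = [local, tacacs]

if __name__ == "__main__":
    for name, ml in (("tacacs+ local", TACACS_THEN_LOCAL),
                     ("local tacacs+", LOCAL_THEN_TACACS)):
        for up in (True, False):
            ok = authenticate(ml, "isp-noc", "isp-secret", tacacs_up=up)
            print(f"{name:14} tacacs_up={up!s:5} isp-noc login: {ok}")
```

With `local` first, a local account authenticates without the TACACS+ servers being consulted, and a wrong password for a local username is rejected without being tried against TACACS+.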