Cisco Support Community
New Member

Tacacs+ / secondary authentication method problem

I must be missing something here. I would like to have my routers use tacacs+ for authentication, and if all tacacs+ servers are unreachable have the admin able to get in with the enable password. I have the following aaa setup:

aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication login vtyauth group tacacs+ enable
aaa authentication enable default enable
aaa authorization exec default group tacacs+
tacacs-server host 1.1.1.1
tacacs-server host 2.2.2.2
tacacs-server key [key]

Under vty config:

login authentication vtyauth

The tacacs+ works fine, but if I take out the IPs of the two auth servers the routers/switches don't let anyone authenticate at all. The box is a 3550 running c3550-i5q3l2-mz.121-14.EA1a.

2 REPLIES
Cisco Employee

Re: Tacacs+ / secondary authentication method problem

It's probably your authorization method: you haven't defined a backup for that, so if TACACS is unavailable it'll fail.

Try the following:

aaa authorization exec default group tacacs+ none

to tell the router not to do authorization if TACACS is unavailable (you can't really do it locally), and see how you go.
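The reply above hinges on how IOS walks a method list: a method that answers PASS or FAIL ends the evaluation, while a method that cannot answer at all (no TACACS+ server reachable) returns an error and IOS moves on to the next method. If the list runs out with only errors, the request is denied. The following Python model is an added illustration of that rule, not code from the thread or from Cisco; the server hosts, usernames, passwords and the method names are constructed assumptions. It reproduces the poster's symptom (login succeeds via the enable password, but exec authorization with only `group tacacs+` has nothing to fall back to) and shows why appending `none` fixes it, and also why a wrong password against a reachable server does not fall through to the enable password.

```python
"""Toy model of IOS AAA method-list evaluation (constructed example, not IOS code).

Each method returns one of three results, mirroring the IOS rule:
  PASS  - definitive success, stop evaluating the list
  FAIL  - definitive rejection, stop evaluating the list (no fallback)
  ERROR - method could not answer (e.g. no TACACS+ server reachable), try the next method
If the list is exhausted with nothing but ERROR results, the request is denied.
"""
from typing import Callable, List, Tuple

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"
Method = Tuple[str, Callable[[dict], str]]


def run_method_list(methods: List[Method], ctx: dict) -> Tuple[str, str]:
    """Walk the list in order; return (result, name of the deciding method)."""
    for name, fn in methods:
        result = fn(ctx)
        if result in (PASS, FAIL):
            return result, name
        # ERROR: fall through to the next configured method
    return FAIL, "list exhausted"


def tacacs_login(servers: List[dict]) -> Callable[[dict], str]:
    """'group tacacs+' for login: the first reachable server decides; none reachable -> ERROR."""
    def method(ctx: dict) -> str:
        for srv in servers:
            if srv["reachable"]:
                return PASS if srv["users"].get(ctx["user"]) == ctx["password"] else FAIL
        return ERROR
    return method


def tacacs_exec_authz(servers: List[dict]) -> Callable[[dict], str]:
    """'group tacacs+' for exec authorization: only a reachable server can answer."""
    def method(ctx: dict) -> str:
        for srv in servers:
            if srv["reachable"]:
                return PASS if ctx["user"] in srv["users"] else FAIL
        return ERROR
    return method


def enable_method(enable_secret: str) -> Callable[[dict], str]:
    """'enable' method: compares the typed password with the enable secret; never ERROR."""
    return lambda ctx: PASS if ctx["password"] == enable_secret else FAIL


def none_method(ctx: dict) -> str:
    """'none': always PASS, i.e. skip the check entirely."""
    return PASS


def vty_login(login_list: List[Method], authz_list: List[Method], ctx: dict) -> str:
    """A vty session needs login authentication AND exec authorization to reach a shell."""
    auth, _ = run_method_list(login_list, ctx)
    if auth != PASS:
        return "denied:authentication"
    authz, _ = run_method_list(authz_list, ctx)
    if authz != PASS:
        return "denied:authorization"
    return "shell"


def scenario(servers_up: bool, authz_fallback_none: bool, password: str) -> str:
    """Build the thread's AAA setup (constructed credentials) and attempt a vty login."""
    servers = [  # the two hosts from the poster's config; users/passwords are made up
        {"host": "1.1.1.1", "reachable": servers_up, "users": {"admin": "tacacs-pw"}},
        {"host": "2.2.2.2", "reachable": servers_up, "users": {"admin": "tacacs-pw"}},
    ]
    # aaa authentication login vtyauth group tacacs+ enable
    login_list = [("group tacacs+", tacacs_login(servers)),
                  ("enable", enable_method("enable-pw"))]
    # aaa authorization exec default group tacacs+ [none]
    authz_list = [("group tacacs+", tacacs_exec_authz(servers))]
    if authz_fallback_none:
        authz_list.append(("none", none_method))
    return vty_login(login_list, authz_list, {"user": "admin", "password": password})


if __name__ == "__main__":
    for up, fallback, pw in [(True, False, "tacacs-pw"), (True, False, "enable-pw"),
                             (False, False, "enable-pw"), (False, True, "enable-pw")]:
        print(f"servers_up={up!s:5} authz_none={fallback!s:5} "
              f"password={pw:10} -> {scenario(up, fallback, pw)}")
```

The second case is the one worth noticing from a hardening standpoint: while a TACACS+ server is reachable, typing the enable password at the login prompt is a reject (FAIL), not an error, so the `enable` method is never consulted and the enable password only becomes usable when every server is down.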

New Member

Re: Tacacs+ / secondary authentication method problem

Yes, that did the trick. Thanks a bunch.
