Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Telnet to switches when AAA server is down

Is it possible to configure switches to allow telnet when AAA servers are down? I can get into switches via console cable with both servers down since the switch will failover to the enable password. Is it possible to have telnet sessions failover as well? If for some reason both servers should go down I would like to still be able to telnet to devices using vty passwords.

4 REPLIES

Re: Telnet to switches when AAA server is down

What you want to do is allow AAA to use the local database of users if it can not contact the AAA server. For example:

aaa authentication login myco_tacacs group tacacs+ local

Here the local keyword is used as the second form of auth in case the first is unavailable. You will also need to create a local username. For example:

username ceclark secret LeTsGoRaNgErS

Make sure lab this out before putting it into production or you may/will lock yourself out!

HTH

Re: Telnet to switches when AAA server is down

Hi,

Yes it is possiable.

You can configure the following:

#conf t

#aaa new-model

#aaa authentication login default local

#aaa authorization exec default local

#username goutams privilege 15 secret 5 password

The above will allow you to login locally with the specified user name & password.

Suggesting you pls make a clear R&D before live it with production network.

Thanks

Goutam

Pls rate if it works.

New Member

Re: Telnet to switches when AAA server is down

Hi,

Everyone has already given lot of examples and all of them are correct. Make sure that TCP port 49 is open or no access list stops it in both the directions: switches to AAA server and vice versa.

--gaurav

Hall of Fame Super Gold

Re: Telnet to switches when AAA server is down

David

I would like to offer a refinement of the suggestion from Colin which I think will fit your stated requirements a bit better. Colin suggested:

aaa authentication login myco_tacacs group tacacs+ local

and I would suggest:

aaa authentication login default group tacacs+ line

The suggestion from Colin specifies a named method of myco_tacacs and you would need to specify this under the vty lines

login authentication myco_tacacs

whereas if you make it the default then no additional configuration is required under the vty. And Colin's suggestion would require configuration of local IDs and passwords where you asked about using the line passwords.

Note that the suggestion from Goutam would force all authentication to use the local configured IDs and passwords and would not use your AAA servers at all.

HTH

Rick

183
Views
0
Helpful
4
Replies
CreatePlease to create content