02-08-2008 09:28 AM - edited 03-10-2019 03:38 PM
Is it possible to configure switches to allow telnet when AAA servers are down? I can get into switches via console cable with both servers down since the switch will fail over to the enable password. Is it possible to have telnet sessions fail over as well? If for some reason both servers should go down, I would like to still be able to telnet to devices using vty passwords.
02-08-2008 09:43 AM
What you want to do is allow AAA to use the local database of users if it can not contact the AAA server. For example:
aaa authentication login myco_tacacs group tacacs+ local
Here the local keyword is used as the second form of auth in case the first is unavailable. You will also need to create a local username. For example:
username ceclark secret LeTsGoRaNgErS
Make sure you lab this out before putting it into production or you may/will lock yourself out!
HTH
02-08-2008 11:58 PM
Hi,
Yes, it is possible.
You can configure the following:
#conf t
#aaa new-model
#aaa authentication login default local
#aaa authorization exec default local
#username goutams privilege 15 secret 5 password
The above will allow you to login locally with the specified user name & password.
I suggest you please do thorough R&D before going live with it on the production network.
Thanks
Goutam
Please rate if it works.
02-10-2008 08:49 AM
Hi,
Everyone has already given a lot of examples, and all of them are correct. Make sure that TCP port 49 is open and that no access list blocks it in either direction: switches to AAA server and vice versa.
--gaurav
02-11-2008 05:47 AM
David
I would like to offer a refinement of the suggestion from Colin which I think will fit your stated requirements a bit better. Colin suggested:
aaa authentication login myco_tacacs group tacacs+ local
and I would suggest:
aaa authentication login default group tacacs+ line
The suggestion from Colin specifies a named method list of myco_tacacs, and you would need to specify this under the vty lines:
login authentication myco_tacacs
whereas if you make it the default then no additional configuration is required under the vty. And Colin's suggestion would require configuration of local IDs and passwords where you asked about using the line passwords.
Note that the suggestion from Goutam would force all authentication to use the local configured IDs and passwords and would not use your AAA servers at all.
HTH
Rick
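As an added illustration of the lock-out risk Colin and Rick describe (example code, not from the thread or from Cisco), here is a small Python audit that parses a running-config, maps each vty block to the login method list it applies, and flags lists with no local/line fallback or an insecure 'none' fallback. The sample config is constructed from the commands in this thread, and the rule that an undefined default list falls back to the local user database is an assumption noted in a comment.

```python
import re
# Methods that still let an operator in when every AAA server is unreachable.
FALLBACK_METHODS = {"local", "local-case", "line", "enable", "none"}
# Constructed sample running-config combining the variants discussed in the thread.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ line
aaa authentication login myco_tacacs group tacacs+
line vty 0 4
 login authentication myco_tacacs
line vty 5 15
"""

def parse_login_lists(config):
    """Map each 'aaa authentication login' list to its ordered methods ('group X' stays one token)."""
    lists = {}
    for name, rest in re.findall(r"^aaa authentication login (\S+) (.+)$", config, re.M):
        toks, words = [], rest.split()
        while words:
            w = words.pop(0)
            toks.append(f"{w} {words.pop(0)}" if w == "group" and words else w)
        lists[name] = toks
    return lists

def parse_vty_lists(config):
    """Map each 'line vty X Y' block to the login list it applies ('default' if none)."""
    vty, current = {}, None
    for line in config.splitlines():
        if line.startswith("line vty"):
            current = line[5:].strip()
            vty[current] = "default"
        elif line.startswith("line "):
            current = None  # con/aux blocks are not remote login paths
        elif current and line.strip().startswith("login authentication "):
            vty[current] = line.split()[-1]
    return vty

def audit_aaa_fallback(config):
    """Return one finding per vty block whose login list fails (or opens up) with all AAA servers down."""
    lists, findings = parse_login_lists(config), []
    for block, name in parse_vty_lists(config).items():
        methods = lists.get(name)
        # Assumption: with 'aaa new-model' and no default list defined, IOS uses the local user database.
        if methods is None and name != "default":
            findings.append(f"{block}: references undefined list '{name}'")
        elif methods and not any(m in FALLBACK_METHODS for m in methods):
            findings.append(f"{block}: list '{name}' ({' '.join(methods)}) has no fallback; remote login fails with all servers down")
        elif methods and "none" in methods:
            findings.append(f"{block}: list '{name}' falls back to 'none' (unauthenticated login when servers are down)")
    return findings
```

Running audit_aaa_fallback on the sample reports only vty 0 4, because myco_tacacs has no fallback while the default list used by vty 5 15 falls back to line.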