Telnet to switches when AAA server is down

finidchevys
Level 1

Is it possible to configure switches to allow telnet when the AAA servers are down? I can get into switches via console cable with both servers down, since the switch will fail over to the enable password. Is it possible to have telnet sessions fail over as well? If for some reason both servers should go down, I would like to still be able to telnet to devices using the vty passwords.

4 Replies

Collin Clark
VIP Alumni

What you want to do is allow AAA to use the local database of users if it cannot contact the AAA server. For example:

aaa authentication login myco_tacacs group tacacs+ local

Here the local keyword is used as the second form of auth in case the first is unavailable. You will also need to create a local username. For example:

username ceclark secret LeTsGoRaNgErS

Make sure to lab this out before putting it into production, or you may/will lock yourself out!

HTH

Goutam Sanyal
Level 4

Hi,

Yes, it is possible.

You can configure the following:

conf t
aaa new-model
aaa authentication login default local
aaa authorization exec default local
username goutams privilege 15 secret <password>

The above will allow you to login locally with the specified user name & password.

I suggest you do clear R&D before going live with it on the production network.

Thanks

Goutam

Pls rate if it works.

Hi,

Everyone has already given a lot of examples, and all of them are correct. Make sure that TCP port 49 is open and that no access list blocks it in either direction: switches to AAA server and vice versa.

--gaurav

David

I would like to offer a refinement of the suggestion from Collin which I think will fit your stated requirements a bit better. Collin suggested:

aaa authentication login myco_tacacs group tacacs+ local

and I would suggest:

aaa authentication login default group tacacs+ line

The suggestion from Collin specifies a named method list, myco_tacacs, and you would need to apply it under the vty lines:

login authentication myco_tacacs

whereas if you make it the default, then no additional configuration is required under the vty. And Collin's suggestion would require configuration of local IDs and passwords, where you asked about using the line passwords.

Note that the suggestion from Goutam would force all authentication to use the local configured IDs and passwords and would not use your AAA servers at all.

HTH

Rick
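To tie the replies above together, here is a complete IOS configuration that does what the original question asks: TACACS+ is tried first and the vty line password is used only when no server can be reached, with the same fallback pattern for enable. This is an added example, not configuration posted by anyone in the thread; the server names, addresses, keys and passwords are placeholders. Two caveats a practitioner should keep in mind: the fall-through to the next method happens only when the TACACS+ servers do not answer (an explicit reject from a server is final, so a bad password will not land you on the line password), and the line password is a single shared secret, so treat it as a break-glass credential and rotate it after use.

```cisco
! Added example, not from the original thread. All names, addresses and
! secrets below are placeholders.
aaa new-model
!
! Both TACACS+ servers in one group so the switch tries each in turn.
tacacs server TACACS-1
 address ipv4 10.0.0.11
 key TacacsSharedKey1
tacacs server TACACS-2
 address ipv4 10.0.0.12
 key TacacsSharedKey1
aaa group server tacacs+ MGMT-TACACS
 server name TACACS-1
 server name TACACS-2
!
! Login: TACACS+ first; the "line" method (the vty password) is used only
! when no server in the group responds. A server REJECT does not fall through.
aaa authentication login default group MGMT-TACACS line
!
! Enable: TACACS+ first, then the locally configured enable secret, which is
! the behaviour the question already sees on the console.
aaa authentication enable default group MGMT-TACACS enable
!
! Exec authorization: if the servers are unreachable, if-authenticated lets a
! user who already passed authentication get an exec shell instead of being
! refused for lack of an authorization answer.
aaa authorization exec default group MGMT-TACACS if-authenticated
!
enable secret EnableFallbackSecret
!
! The vty password is what the "line" method falls back to. Because the
! default list is used, no "login authentication" command is needed here.
line vty 0 4
 password VtyFallbackPassword
 transport input telnet ssh
!
! Alternative (Collin's named-list form): fall back to a local account instead
! of the line password, and bind the list to the vty lines explicitly.
! aaa authentication login myco_tacacs group MGMT-TACACS local
! username ceclark secret LeTsGoRaNgErS
! line vty 0 4
!  login authentication myco_tacacs
```

Before relying on this, test it in a lab exactly as the replies advise: with the servers reachable, confirm a TACACS+ login works (`test aaa group MGMT-TACACS <user> <password> legacy` and `show aaa servers` show whether the switch can reach and authenticate against the group), then block TCP/49 to both servers and confirm that a telnet session is prompted for, and accepts, the vty password. Keep a console session open during the test so a mistake in the method list cannot lock you out.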
