
Test local authentication when TACACS is active

Tom Ribbens
Level 1

Hi all,

 

We have a lot of devices here configured to authenticate using TACACS. This all works fine. The documentation covering these devices could be improved, however. One thing I was thinking of putting in that documentation is the passwords that are configured when TACACS is not available.

Is there a way to test the local login credentials, without altering anything on the TACACS configuration? 

 

Kind regards,

 

Tom

3 Replies

hdussa
Level 1

Hi Tom,

 

I configure a Null0 route on the Layer 3 device.

ip route w.x.y.z 255.255.255.255 Null0 (IP address of your TACACS)

 

Regards Horst

Marvin Rhoads
Hall of Fame

I have used a similar approach to Horst's suggestion except with an upstream ACL blocking access to the TACACS server(s). The device should try and fail to authenticate via TACACS and then fall back to local authentication.

If I recall correctly, it takes about 30 seconds per configured TACACS server to mark it failed so be patient.

Both valid solutions to the question! I have always changed the aaa shared secret or other part of my config but I like what you guys are suggesting!
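
Added example, not part of the thread: a Python check, run over a saved running-config, of what the fallback test described in the replies above depends on. It reports whether each login method list has `local` after `group tacacs+`, which local usernames exist, and whether a host Null0 route to a TACACS server was left in place after testing. The sample config and its addresses are constructed, and the parser assumes IOS-style syntax and the built-in `tacacs+` group only.

```python
import re

# Constructed sample config (192.0.2.0/24 is a documentation range).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE local
aaa authentication login VTY group tacacs+
username admin privilege 15 secret 9 $9$constructed
tacacs server TAC1
 address ipv4 192.0.2.10
tacacs-server host 192.0.2.11
ip route 192.0.2.10 255.255.255.255 Null0
"""

def audit_fallback(config: str) -> dict:
    """Summarise what a local-fallback test on this config would exercise."""
    lists, users, servers, null_routes = {}, [], [], []
    in_tacacs = False  # True while inside a "tacacs server NAME" block
    for raw in config.splitlines():
        if not raw.startswith(" "):
            in_tacacs = raw.startswith("tacacs server ")
        line = raw.strip()
        if m := re.match(r"aaa authentication login (\S+) (.+)", line):
            lists[m.group(1)] = m.group(2).split()
        elif m := re.match(r"username (\S+)", line):
            users.append(m.group(1))
        elif m := re.match(r"tacacs-server host (\S+)", line):
            servers.append(m.group(1))
        elif in_tacacs and (m := re.match(r"address ipv4 (\S+)", line)):
            servers.append(m.group(1))
        elif m := re.match(r"ip route (\S+) 255\.255\.255\.255 Null0", line, re.I):
            null_routes.append(m.group(1))
    fallback = {}
    for name, methods in lists.items():
        if "tacacs+" not in methods:
            fallback[name] = "no-tacacs"
        # local only acts as a fallback when it follows the tacacs+ group
        elif {"local", "local-case"} & set(methods[methods.index("tacacs+") + 1:]):
            fallback[name] = "local-after-tacacs"
        else:
            fallback[name] = "no-local-fallback"
    # A host Null0 route to a TACACS server means a test was not cleaned up.
    leftover = [ip for ip in null_routes if ip in servers]
    return {"fallback": fallback, "local_users": users,
            "servers": servers, "leftover_null_routes": leftover}

if __name__ == "__main__":
    print(audit_fallback(SAMPLE_CONFIG))
```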