Cisco Support Community

which config line lets me logon locally to router rather than through ACS?

aaa new-model
!
!
aaa group server radius cisco-acs
 server-private 10.32.108.68 auth-port 1645 acct-port 1646 key u14c
 server-private 10.32.0.9 auth-port 1812 acct-port 1813 key u14
 ip radius source-interface BVI1
!
aaa authentication login default group cisco-acs local-case
aaa authentication login acs-login group cisco-acs local-case
aaa authentication login ssl-login group ssl-login
aaa authorization exec default group cisco-acs local
aaa accounting exec default start-stop group cisco-acs
username root privilege 15 secret 5 ccccccccccccc
username support secret 5 hhhhhhhhhhhhhhhhhhh

I am having a problem logging in to the router using the ACS database, and I am not sure if it is configured to log on locally if ACS authentication fails. I am not able to log on locally using the root username.

3 REPLIES

Re: which config line lets me logon locally to router rather tha

aaa authentication login default group cisco-acs local-case

The username will be case sensitive. What is defined under your VTY's?

Re: which config line lets me logon locally to router rather tha

The router might not allow you to authenticate via local, if the TACACS server is reachable.

Try disconnecting the interface on this router connecting to TACACS (if possible) or somehow make the TACACS IP unreachable for this router using an ACL.


Re: which config line lets me logon locally to router rather tha

ccde (whoever you are)

Your configuration has 3 method lists for login authentication:

aaa authentication login default group cisco-acs local-case
aaa authentication login acs-login group cisco-acs local-case
aaa authentication login ssl-login group ssl-login

Without knowing how your console, aux, and vty lines are configured, and knowing how you are attempting access, we cannot tell which of these lines is the one controlling your authentication.

And dhananjoy is quite correct that in the first two methods you will not attempt local login unless the authentication server does not respond to the authentication request.

So can you provide additional details from the configuration (at a minimum the config of console, aux, and vty - and more of the config might be better) and of how you are attempting to access the router?

HTH

Rick
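
The two points raised in the replies, as an added example that is not part of the original thread: this Python sketch resolves which login method list each line uses and models the fallback rule, where the local database is consulted only when the server does not respond and a reject is final. The `line con 0` and `line vty 0 4` stanzas in the sample are constructed assumptions, since the thread never shows them, and the function names are hypothetical.

```python
import re

# Constructed sample: the AAA lines come from the thread; the line stanzas
# are assumed, because the poster never showed the console/vty config.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group cisco-acs local-case
aaa authentication login acs-login group cisco-acs local-case
aaa authentication login ssl-login group ssl-login
line con 0
line vty 0 4
 login authentication acs-login
"""

def parse_method_lists(config):
    """Map each login method-list name to its ordered methods."""
    lists = {}
    for m in re.finditer(r"^aaa authentication login (\S+) (.+)$", config, re.M):
        # "group NAME" is one method, so keep the two tokens together.
        lists[m.group(1)] = re.findall(r"group \S+|\S+", m.group(2))
    return lists

def lines_to_lists(config):
    """Map each 'line ...' stanza to the login method list it uses."""
    result, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            result[current] = "default"  # no explicit list means 'default'
        elif raw.startswith(" ") and current:
            m = re.match(r"\s+login authentication (\S+)", raw)
            if m:
                result[current] = m.group(1)
        else:
            current = None
    return result

def authenticate(methods, server_reply, local_ok):
    """Walk a method list. server_reply is 'accept', 'reject' or 'timeout'.
    Only a non-responding server moves on to the next method."""
    for method in methods:
        if method.startswith("group "):
            if server_reply == "timeout":
                continue  # error: fall through to the next method
            return server_reply == "accept"  # a reject ends the attempt
        if method in ("local", "local-case"):
            return local_ok
    return False
```
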
