Can tacacs be configured as fallback to LOCAL in aaa

I would like to know if it is possible to configure the LOCAL database as the primary login method, so that when the user account is not available in the database it could try authenticating with TACACS. If so, what is the command?

This is required on PIX 6.3

Accepted Solutions

If the user is not found, authentication simply fails and doesn't fall back to the next method... fallback is for when the authentication method does not receive a reply from the server (usually for RADIUS/TACACS not responding then try LOCAL; not the other way around)

Patrick


Julio Carvajal
VIP Alumni

Hello,

Just do add.

Here is the example:

pixfirewall(config)# aaa authentication ssh console LOCAL ?
configure mode commands/options:

When using the local database as the first option, no other option is available.

But when using any other database:

pixfirewall(config)# aaa authentication ssh console RADIUS ?
configure mode commands/options:
  LOCAL  If all servers in the server group have been deactivated,
         authentication will be done against the local database

So I think that answers your question, right?

Regards

Jcarvaja

follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
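
An added example, not part of the posts above: a small Python check that classifies `aaa authentication ... console` lines by the rule the two answers describe, namely that LOCAL may only follow a server group and is consulted only when the servers do not respond. The sample configuration and the group name `TACACS_GRP` are constructed for illustration.

```python
import re

# Matches the command form shown in the thread:
#   aaa authentication <service> console <method> [LOCAL]
LINE = re.compile(
    r"^aaa authentication (?P<service>\S+) console "
    r"(?P<primary>\S+)(?: (?P<fallback>\S+))?\s*$"
)

# Constructed sample configuration (server group names are made up).
SAMPLE_CONFIG = """\
aaa authentication ssh console RADIUS LOCAL
aaa authentication telnet console TACACS_GRP
aaa authentication http console LOCAL
aaa authentication serial console LOCAL TACACS_GRP
"""

def audit(config):
    """Return {service: finding} for each console authentication line."""
    findings = {}
    for raw in config.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a console authentication line
        service, primary, fallback = m.group("service", "primary", "fallback")
        if primary == "LOCAL" and fallback:
            # The CLI help in the thread offers no option after LOCAL.
            findings[service] = "invalid: nothing may follow LOCAL"
        elif primary == "LOCAL":
            findings[service] = "local only"
        elif fallback == "LOCAL":
            # LOCAL is used only when the server group does not respond,
            # not when a server rejects the user.
            findings[service] = "server group, LOCAL if servers are down"
        elif fallback:
            findings[service] = "invalid: only LOCAL may follow a server group"
        else:
            findings[service] = "server group only: no LOCAL fallback configured"
    return findings

if __name__ == "__main__":
    for service, finding in audit(SAMPLE_CONFIG).items():
        print(f"{service:8} {finding}")
```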



Thanks for the responses, I got it sorted for the internal.
