
How to fallback to console login when TACACS server down?

Thanks to all, I appreciate your help!

I have a 4006 CatOS switch running 6.3. I can telnet and authenticate via TACACS servers. How do I make sure I'm able to serial console to the switch in the event IP connectivity to the TACACS servers is lost or the TACACS servers are down? This is the AAA config:

#authentication

set authentication login tacacs enable telnet primary

set authentication login tacacs enable http primary

set authentication enable tacacs enable telnet primary

set authentication enable tacacs enable http primary

set authentication login attempt 5 console

!

#authorization

set authorization exec enable tacacs+ deny console

set authorization exec enable tacacs+ deny telnet

set authorization enable enable tacacs+ deny console

set authorization enable enable tacacs+ deny telnet

set authorization commands enable all tacacs+ deny console

set authorization commands enable all tacacs+ deny telnet

end


Re: How to fallback to console login when TACACS server down?

Hi,

I think you are looking for this configuration:

Make sure there is a back door into the switch if the server is down by issuing the set authentication login local enable command.

Enable TACACS+ authentication by issuing the set authentication login tacacs enable command.

Define the server by issuing the set tacacs server #.#.#.# command.

Define the server key (optional with TACACS+, as it causes switch-to-server data to be encrypted. If used, it must agree with the server.) by issuing the set tacacs key your_key command.

HTH, rate if it does.

Regards,

Bjornarsb

Cisco Employee

Re: How to fallback to console login when TACACS server down?

You have to add the following command for login fallback on the switch:

set authentication login local enable all

This will enable the local fallback for HTTP, Telnet and console.

You also have to enable the local fallback for enable mode as well. If you don't do it then you will not be able to go into the enable mode. Do the following:

set authentication enable local enable all

Please make sure that you also enable local authorization fallback on the switch.

Please use the link below for more info:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/rel6_3/config/authent.htm#1020224

HTH, please rate if it does.

-amit singh
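
The point of both replies, as an added example (not code from either poster or from Cisco): a Python check that reads CatOS "set authentication" and "set authorization" lines and reports what would still block console access while the TACACS+ server is unreachable. It assumes the authorization syntax is option, then fallback option, then access method, that a line naming no method covers all of them, and, as this audit's own policy, that the local method must be configured explicitly; audit_console_fallback and the constant names are hypothetical.

```python
# Constructed input: the AAA lines from the question in this thread.
QUESTION_CONFIG = """\
set authentication login tacacs enable telnet primary
set authentication login tacacs enable http primary
set authentication enable tacacs enable telnet primary
set authentication enable tacacs enable http primary
set authentication login attempt 5 console
set authorization exec enable tacacs+ deny console
set authorization exec enable tacacs+ deny telnet
set authorization enable enable tacacs+ deny console
set authorization enable enable tacacs+ deny telnet
set authorization commands enable all tacacs+ deny console
set authorization commands enable all tacacs+ deny telnet
"""
# The two fallback commands given in the second reply.
REPLY_COMMANDS = """\
set authentication login local enable all
set authentication enable local enable all
"""

def audit_console_fallback(config):
    """Return findings on console access while TACACS+ is unreachable."""
    local = {"login": False, "enable": False}
    tacacs = {"login": False, "enable": False}
    findings = []
    for line in config.splitlines():
        w = line.split() + [""] * 5  # pad so optional trailing fields exist
        if w[:2] == ["set", "authentication"] and w[2] in local and w[4] == "enable":
            # Assumption: a line that names no access method covers all of them.
            if w[3] == "tacacs":
                tacacs[w[2]] = True
            elif w[3] == "local" and (w[5] or "all") in ("all", "console"):
                local[w[2]] = True
        elif w[:2] == ["set", "authorization"] and "tacacs+" in w:
            # Assumption: syntax is <option> <fallback> [console|telnet|both].
            i = w.index("tacacs+")
            if w[i + 1] == "deny" and (w[i + 2] or "both") in ("console", "both"):
                findings.append(f"authorization {w[2]}: fallback 'deny' applies to console")
    for mode in ("login", "enable"):
        # Policy of this audit: the local method must be stated explicitly.
        if tacacs[mode] and not local[mode]:
            findings.append(f"authentication {mode}: no explicit local method for console")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_console_fallback(QUESTION_CONFIG + REPLY_COMMANDS)))
```

Run against the question's config plus the two commands from the second reply, it still reports the three authorization lines whose fallback is deny on console, which is the authorization point that reply ends on.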
