
Authentication Mode - Tacacs+ (fallback Mode)

didentx01
Level 1

We have our CiscoWorks server set to authenticate to our ACS server (Non-ACS and Tacacs+). In other words, authenticate to ACS but do not register modules to ACS (controlled on the server). We had some network issues where we could not ping the ACS servers. When that happened, I noticed that the authentication mode is now "Tacacs+ (fallback Mode)". How can I get it out of that mode and back into authentication "Tacacs+"?

12 Replies

Joe Clarke
Cisco Employee

It should automatically go back to TACACS+ mode. However, if you don't see this happening, then you can restart Daemon Manager. The restart will cause the authentication servlet to reconnect to the TACACS+ server (if it is reachable).

Tried restarting daemon and it did not work. What else should I try?

What happens if you try to toggle between the two options under DCR - Server - Security - AAA Mode Setup - TACACS+ (click on the Change button)?

1. Allow all CiscoWorks local users to fallback to the CiscoWorks Local login.

3. Allow no fallbacks to the CiscoWorks Local login.

I will try that.

Who are you logging in as? If you're logging in as admin, and admin has no TACACS+ account, then you will be seen as logging in via fallback mode (if admin is allowed in your fallback list).

I am logging in as myself. My account is in ACS.

Check the logs on ACS to see if LMS is making an authentication request. Make sure that you can telnet to TCP port 49 on the ACS server from the LMS server and get a successful connection.

I am logging into CiscoWorks using my Tacacs account, but it is still showing fallback mode. To make sure that it is authenticating to ACS, I have changed my password in CiscoWorks, and when I try to log into CW with the new password, I am denied access. When I use my Tacacs password, I am able to log into CiscoWorks.

Is your user listed in the fallback user list for the TACACS+ login module?

Yes, I selected all users to fallback. I just put up another post, since we tried toggling between fallback and not fallback, and now we cannot log into CiscoWorks via the GUI. We tried other accounts and we cannot connect.

Something is not working between LMS and ACS. I strongly suspect either a communication problem, or a secret key mismatch. What, if anything, do you see in the ACS server logs?

If you are now locked out of LMS, you can run the NMSROOT/bin/ResetLoginModule.pl command to restore local authentication:

NMSROOT/bin/perl NMSROOT/bin/ResetLoginModule.pl

thanks jclarke!!
