Cisco Support Community
Community Member

Authentication Mode - Tacacs+ (fallback Mode)

We have our Ciscoworks server set to authenticate to our ACS server (Non-ACS and Tacacs+). In other words, authenticate to ACS but do not register modules to ACS (controlled on the server). We had some network issues where we could not ping the ACS servers. When that happened I noticed that the Authentication mode is now "Tacacs+ (fallback Mode)". How can I get that out of that mode and back into authentication "Tacacs+"?

12 REPLIES
Cisco Employee

Re: Authentication Mode - Tacacs+ (fallback Mode)

It should automatically go back to TACACS+ mode. However, if you don't see this happening, then you can restart Daemon Manager. The restart will cause the authentication servlet to reconnect to the TACACS+ server (if it is reachable).

Community Member

Re: Authentication Mode - Tacacs+ (fallback Mode)

Tried restarting daemon and it did not work. What else should I try?

Blue

Re: Authentication Mode - Tacacs+ (fallback Mode)

What happens if you try to toggle between the two options under DCR - Server - Security - AAA Mode Setup - TACACS+ (click on the Change button)?

1. Allow all CiscoWorks local users to fallback to the CiscoWorks Local login.

3. Allow no fallbacks to the CiscoWorks Local login.

Community Member

Re: Authentication Mode - Tacacs+ (fallback Mode)

I will try that.

Cisco Employee

Re: Authentication Mode - Tacacs+ (fallback Mode)

Who are you logging in as? If you're logging in as admin, and admin has no TACACS+ account, then you will be seen as logging in via fallback mode (if admin is allowed in your fallback list).

Community Member

Re: Authentication Mode - Tacacs+ (fallback Mode)

I am logging in as myself. My account is in ACS.

Cisco Employee

Re: Authentication Mode - Tacacs+ (fallback Mode)

Check the logs on ACS to see if LMS is making an authentication request. Make sure that you can telnet to TCP port 49 on the ACS server from the LMS server and get a successful connection.

Community Member

Re: Authentication Mode - Tacacs+ (fallback Mode)

I am logging into Ciscoworks using my Tacacs account, but it is still showing fallback mode. To make sure that it is authenticating to ACS, I have changed my password in Ciscoworks, and when I try to log into CW with the new password, I am denied access. When I use my Tacacs password, I am able to log into Ciscoworks.

Cisco Employee

Re: Authentication Mode - Tacacs+ (fallback Mode)

Is your user listed in the fallback user list for the TACACS+ login module?

Community Member

Re: Authentication Mode - Tacacs+ (fallback Mode)

Yes, I selected all users to fallback. I just put up another post, since we tried toggling between fallback and not fallback, and now we cannot log into ciscoworks via the GUI. We tried other accounts and we cannot connect.

Cisco Employee

Re: Authentication Mode - Tacacs+ (fallback Mode)

Something is not working between LMS and ACS. I strongly suspect either a communication problem, or a secret key mismatch. What, if anything, do you see in the ACS server logs?

If you are now locked out of LMS, you can run the NMSROOT/bin/ResetLoginModule.pl command to restore local authentication:

NMSROOT/bin/perl NMSROOT/bin/ResetLoginModule.pl
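
Why a secret key mismatch, as suspected in the reply above, breaks authentication even when TCP port 49 accepts connections: this is an added example, not part of the original thread and not Cisco code, implementing the TACACS+ body obfuscation from RFC 8907 and checking whether a given key decodes an authentication START packet. The user name, key strings, session ID, port and address are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import struct

HEADER = struct.Struct(">BBBBII")  # version, type, seq_no, flags, session_id, length
UNENCRYPTED_FLAG = 0x01


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 pad: chained MD5 blocks, truncated to the body length."""
    prefix = struct.pack(">I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(prefix + block).digest()  # MD5_n covers MD5_(n-1)
        pad += block
    return pad[:length]


def xor_body(body, session_id, key, version, seq_no):
    """Obfuscation and de-obfuscation are the same XOR with the pad."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user, key, session_id):
    """Constructed sample packet: ASCII login START, seq_no 1, version 0xc0."""
    port, rem_addr = b"tty0", b"192.0.2.10"  # constructed values
    body = bytes([1, 1, 1, 1, len(user), len(port), len(rem_addr), 0])
    body += user + port + rem_addr
    header = HEADER.pack(0xC0, 1, 1, 0, session_id, len(body))
    return header + xor_body(body, session_id, key, 0xC0, 1)


def key_decodes_start(packet, key):
    """True if `key` turns the body into a well-formed authentication START."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    body = packet[HEADER.size:HEADER.size + length]
    if not flags & UNENCRYPTED_FLAG:
        body = xor_body(body, session_id, key, version, seq_no)
    if ptype != 1 or len(body) < 8:
        return False
    # The four length fields must account for exactly the rest of the body.
    return 8 + sum(body[4:8]) == len(body)


if __name__ == "__main__":
    pkt = build_authen_start(b"netadmin", b"server-side-key", 0x1A2B3C4D)
    print("matching key decodes:", key_decodes_start(pkt, b"server-side-key"))
    print("mismatched key decodes:", key_decodes_start(pkt, b"client-side-key"))
```

With a mismatched key the header still parses, because it is sent in the clear, but the body decodes to bytes whose length fields do not add up, so the server cannot treat the request as valid.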

Community Member

Re: Authentication Mode - Tacacs+ (fallback Mode)

thanks jclarke!!
