Aux Local login if tacacs+ fails

sanyaolu
Level 1

My aux 0 is configured to use tacacs+ and I can't remember the command to make it default to the local enable password for login if tacacs+ fails. Can someone help me with a sample configuration?

10 Replies

deilert
Level 6

aaa authentication login default tacacs+ enable

This says to use tacacs+ first then use the enable secret password if the connection to the tacacs server fails.

You can also use

aaa authentication login no_tacacs enable

line aux 0
login authentication no_tacacs

I actually tried the two and it works fine when TACACS is available. But when it's unavailable I am not able to get in.

The scenarios below are the two I tried:

1.

aaa new-model
aaa authentication login default tacacs+ enable
aaa authentication login virt-users tacacs+ enable
aaa authentication login uog-users tacacs+
aaa authentication login console enable
enable secret xxxxx
line aux 0
exec-timeout 60 0

======

2.

include

aaa authentication login no_tacacs enable

line aux 0
login authentication no_tacacs

But I could not go in.

In the 2nd scenario you forgot to define the string no_tacacs:

aaa authentication login no_tacacs enable

I included the string no_tacacs in the global config. If you look at my note again, I said "include", that is, I included the line in the global config, but could not log in when TACACS fails.

I did not see it in the AAA commands; this is where it should be.

If the authentication with TACACS+ fails, authentication will not look into the next method (e.g. enable). I believe the router should see "ERROR" instead of "FAIL" for the authentication process to continue with the next method. Performing some debugs will help, but don't do it if there are many users connecting to this router.

Hope this helps.

Just curious but, why would the TACACS+ authentication fail in the first place?

~zo

Reasons for TACACS failing:

no route to TACACS server

TACACS server down

And by the way, the command

aaa authentication login default tacacs+ enable

means that for authentication, first use TACACS+; if that fails, then the last resort is the enable password. It does not matter whether you get a fail or an error.

This is the configuration I have:

aaa new-model
aaa authentication login default tacacs+ enable
aaa authentication login console enable
aaa authentication login no_tacacs enable
aaa authorization exec default tacacs+
aaa authorization network default tacacs+
aaa accounting exec default start-stop tacacs+
aaa accounting network default start-stop tacacs+
line aux 0
exec-timeout 60 0
login authentication no_tacacs

I really don't think so...

"To create a default list that is used if no list is specified in the login authentication command, use the default argument followed by the methods you want used in default situations.

The additional methods of authentication are used only if the previous method returns an error, not if it fails. To specify that the authentication succeed even if all methods return an error, specify none as the final method in the command line."

From the following:

http://www.cisco.com/en/US/products/hw/switches/ps637/products_configuration_guide_chapter09186a008007f032.html#xtocid238204

The debugs should show the cause why authentication fails. It will also show if the methods in the list are being used.
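As an added example (not from this thread and not Cisco's code), here is a small Python model of how IOS walks an `aaa authentication login` method list, driven by configuration lines of the kind pasted above. It encodes the rule quoted from the Cisco guide: the next method in the list is consulted only when the previous one returns ERROR (TACACS+ server unreachable or down), not FAIL (server reachable and the credentials rejected). The sample configuration, the `Environment` class, the placeholder enable secret, the treatment of the login password as the answer to the enable prompt, and the assumption that an indented line is a `line` sub-mode command are all constructed for this example; `group tacacs+` is accepted as the newer spelling of `tacacs+`.

```python
"""Added example: model of Cisco IOS AAA login method-list evaluation.

Not Cisco code. It encodes the documented rule that the next method is
tried only when the previous one returns ERROR (server could not answer),
never when it returns FAIL (server answered and rejected the credentials).
"""
from dataclasses import dataclass, field
from enum import Enum


class Result(Enum):
    PASS = "PASS"    # method accepted the credentials
    FAIL = "FAIL"    # method answered and rejected them: the list stops here
    ERROR = "ERROR"  # method could not answer (no route, server down): try next


# Constructed sample configuration modelled on the thread's second scenario.
# The enable secret is a placeholder, not a real value.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default tacacs+ enable
aaa authentication login no_tacacs enable
enable secret ENABLE-SECRET-PLACEHOLDER
line aux 0
 exec-timeout 60 0
 login authentication no_tacacs
"""


def normalize_methods(tokens):
    """Join 'group tacacs+' into one method name; other tokens stand alone."""
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append("group " + tokens[i + 1])
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def parse_aaa_config(text):
    """Return (method_lists, line_lists).

    method_lists: list name -> methods, from 'aaa authentication login ...'.
    line_lists:   line name ('aux 0') -> list bound with 'login authentication'.
    Assumption: sub-mode commands under 'line ...' are indented by one space.
    """
    method_lists, line_lists = {}, {}
    current_line = None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if raw.startswith(" "):  # sub-mode command, e.g. under 'line aux 0'
            if tokens[:2] == ["login", "authentication"] and current_line and len(tokens) > 2:
                line_lists[current_line] = tokens[2]
            continue
        current_line = None      # any top-level command leaves line sub-mode
        if tokens[:3] == ["aaa", "authentication", "login"] and len(tokens) > 3:
            method_lists[tokens[3]] = normalize_methods(tokens[4:])
        elif tokens[0] == "line":
            current_line = " ".join(tokens[1:])
    return method_lists, line_lists


@dataclass
class Environment:
    """Simulated surroundings of the router (constructed for this example)."""
    tacacs_reachable: bool
    tacacs_users: dict = field(default_factory=dict)  # user -> password on the server
    enable_secret: str = ""                           # value given to 'enable secret'


def run_method(method, user, password, env):
    """Outcome of a single method; the login password doubles as the enable answer."""
    if method in ("tacacs+", "group tacacs+"):
        if not env.tacacs_reachable:
            return Result.ERROR  # no reply from the server at all
        return Result.PASS if env.tacacs_users.get(user) == password else Result.FAIL
    if method == "enable":
        return Result.PASS if password == env.enable_secret else Result.FAIL
    if method == "none":
        return Result.PASS
    raise ValueError(f"method not modelled here: {method}")


def authenticate(line_name, config_text, user, password, env):
    """Walk the list bound to line_name (or 'default'); return (result, trace)."""
    method_lists, line_lists = parse_aaa_config(config_text)
    list_name = line_lists.get(line_name, "default")
    trace = []
    for method in method_lists.get(list_name, []):
        outcome = run_method(method, user, password, env)
        trace.append((method, outcome))
        if outcome is not Result.ERROR:
            return outcome, trace  # PASS or FAIL ends the walk
    return Result.FAIL, trace      # every method errored and none was 'none'


if __name__ == "__main__":
    secret = "ENABLE-SECRET-PLACEHOLDER"
    down = Environment(tacacs_reachable=False, enable_secret=secret)
    up = Environment(tacacs_reachable=True, tacacs_users={"alice": "pw"}, enable_secret=secret)
    # default list, server down: tacacs+ -> ERROR, so enable is consulted
    print(authenticate("vty 0 4", SAMPLE_CONFIG, "alice", secret, down))
    # default list, server up, wrong password: FAIL, enable never consulted
    print(authenticate("vty 0 4", SAMPLE_CONFIG, "alice", "wrong", up))
    # aux 0 is bound to no_tacacs, so the server state does not matter
    print(authenticate("aux 0", SAMPLE_CONFIG, "alice", secret, up))
```

The second call in the `__main__` block is the case the thread is circling: a reachable server that rejects the credentials ends the walk with FAIL, and the `enable` method behind it is never reached, whereas an unreachable server produces ERROR and the walk continues.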
