New Member

Aux Local login if tacacs+ fails

My aux 0 is configured to use tacacs+ and I can't remember the command to make it default to local enable password for login if tacacs+ fails. Can someone help me with a sample configuration?

10 REPLIES
Silver

Re: Aux Local login if tacacs+ fails

aaa authentication login default tacacs+ enable

This says to use tacacs+ first, then use the enable secret password if the connection to the tacacs server fails.

You can also use

aaa authentication login no_tacacs enable
line aux 0
 login authentication no_tacacs

New Member

Re: Aux Local login if tacacs+ fails

I actually tried the two and it works fine when tacacs is available. But when it's unavailable I am not able to get in.

Below are the two scenarios I tried:

1.

aaa new-model
aaa authentication login default tacacs+ enable
aaa authentication login virt-users tacacs+ enable
aaa authentication login uog-users tacacs+
aaa authentication login console enable
enable secret xxxxx
line aux 0
 exec-timeout 60 0

======

2.

include

aaa authentication login no_tacacs enable
line aux 0
 login authentication no_tacacs

but could not get in

Silver

Re: Aux Local login if tacacs+ fails

In the 2nd scenario you forgot to define the string no_tacacs

aaa authentication login no_tacacs enable

New Member

Re: Aux Local login if tacacs+ fails

I included the string no_tacacs in the global config. If you look at my note again, I said "include", that is, I included the line in global config, but could not log in when tacacs fails.

Silver

Re: Aux Local login if tacacs+ fails

I did not see it in the AAA commands; this is where it should be.

Bronze

Re: Aux Local login if tacacs+ fails

If the authentication with TACACS+ fails, authentication will not look into the next method (e.g. enable). I believe the router should see "ERROR" instead of "FAIL" for the authentication process to continue with the next method. Performing some debugs will help but don't do it if there are many users connecting to this router.

Hope this helps.

New Member

Re: Aux Local login if tacacs+ fails

Just curious but, why would the TACACS+ authentication fail in the first place?

~zo

Silver

Re: Aux Local login if tacacs+ fails

Reasons for TACACS failing:

no route to TACACS server

TACACS server down

And by the way, the command

aaa authentication login default tacacs+ enable

means that for authentication, first use tacacs+; if that fails, then the last resort is the enable password. It does not matter if you get a fail or an error.

New Member

Re: Aux Local login if tacacs+ fails

This is the configuration I have

aaa new-model
aaa authentication login default tacacs+ enable
aaa authentication login console enable
aaa authentication login no_tacacs enable
aaa authorization exec default tacacs+
aaa authorization network default tacacs+
aaa accounting exec default start-stop tacacs+
aaa accounting network default start-stop tacacs+
line aux 0
 exec-timeout 60 0
 login authentication no_tacacs
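
An added example, not part of any post in this thread: a small Python audit of the AAA method lists discussed above. It reports which login method list each line uses and flags any method list whose only method is tacacs+, since such a list has nothing to fall back to when the server is unreachable. The sample input is the configuration from the last post; the names `parse` and `audit` are hypothetical.

```python
import re

# Constructed sample: the configuration from the last post in the thread.
SAMPLE = """\
aaa new-model
aaa authentication login default tacacs+ enable
aaa authentication login console enable
aaa authentication login no_tacacs enable
aaa authorization exec default tacacs+
aaa authorization network default tacacs+
aaa accounting exec default start-stop tacacs+
aaa accounting network default start-stop tacacs+
line aux 0
 exec-timeout 60 0
 login authentication no_tacacs
"""
# Only login authentication and exec authorization lists are audited here.
AAA_RE = re.compile(r"^aaa (authentication login|authorization exec) (\S+) (.+)$")

def parse(config):
    """Return (method lists, login list bound to each line) from IOS-style text."""
    lists, lines, current = {}, {}, None
    for text in map(str.strip, config.splitlines()):
        m = AAA_RE.match(text)
        if m:
            kind = m.group(1).split()[0]
            # Newer syntax writes "group tacacs+"; drop the keyword.
            methods = [t for t in m.group(3).split() if t != "group"]
            lists[(kind, m.group(2))] = methods
        elif text.startswith("line "):
            current = text[5:]
            lines[current] = "default"  # used unless the line names a list
        elif current and text.startswith("login authentication "):
            lines[current] = text.split()[2]
    return lists, lines

def audit(config):
    """Flag tacacs+-only lists, then show the login list each line resolves to."""
    lists, lines = parse(config)
    findings = []
    for (kind, name), methods in sorted(lists.items()):
        if methods == ["tacacs+"]:
            findings.append(f"{kind} list '{name}': tacacs+ only, no fallback method")
    for line, name in sorted(lines.items()):
        methods = lists.get(("authentication", name))
        detail = "is not defined" if methods is None else "-> " + " ".join(methods)
        findings.append(f"line {line}: login list '{name}' {detail}")
    return findings
```

Calling `audit(SAMPLE)` returns the findings as a list of strings. Whether a flagged list actually blocks a login on a given line is something to confirm with debugs, as suggested earlier in the thread.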
