I have just set up our VPN concentrator so that administrators can log in and manage it using their domain accounts through our ACS server, versus the local username and password. However, it doesn't appear that, if TACACS becomes unavailable, it fails back to the local admin. Am I missing something?
No, you are not missing anything. My understanding is that this is the default behavior of the VPN3000 when you configure TACACS for Admin Access. If the AAA server is unavailable, there is no fallback mechanism to local.
** Snip **
Caution Misconfiguration of TACACS+ can lock an administrator out of the Concentrator HTML interface. If that happens, you can access the Concentrator by logging in through the console port, using your administrator username and password.
I think that it is unfortunate that the concentrator software does not have the kind of fallback that we are used to having with IOS-based (or CatOS-based) devices. It probably represents having been developed originally outside of Cisco.
While my customer uses TACACS to authenticate network administrators for almost all network devices for which it is supported, we decided not to use TACACS on the concentrator, and the lack of fallback was one of the main factors in the decision.