tacacs preferred over local login, but not able to connect using local and tacacs credentials

Hi,

I have applied TACACS+ access in the WLC and gave TACACS+ higher priority than local login. Something went wrong and the box kicked me out. Now even the local login ID and password are not working, even when no communication is taking place between the WLC and TACACS+.

Sent from Cisco Technical Support iPhone App

3 REPLIES

Re: tacacs preferred over local login, but not able to connect using local and tacacs credentials

Hi,

If you configured the box correctly and the TACACS+ server is not reachable, then you should be able to log in with your local credentials. Make 100% sure that the TACACS+ server is not reachable and give it a try.

If this is not the case I think you configured only TACACS+ and did not choose local as the second method.

If you did not save the configuration try reloading the box and try again.

If you are sure about your configuration, try console access to the box and see if it accepts your local password (while ACS is not reachable, of course).

Hope one of the above will help.

Amjad

Rating useful replies is more useful than saying "Thank you"
Re: tacacs preferred over local login, but not able to connect using local and tacacs credentials

Hi Amjad,

Thanks for the solution.

I did configure the WLC with local login as the second preferred method. One strange thing is that this box is not sending any request to the TACACS+ server, which is confirmed by applying an access list on the switch to which this box is connected. The access list was applied to stop any communication between the two so that the box would accept the local login credentials, but this access list got no hits. Logically, when there is no communication going on between the two, it should accept local login.

Thanks

Tarun

Sent from Cisco Technical Support iPhone App

Re: tacacs preferred over local login, but not able to connect using local and tacacs credentials

Tarun:

We need to be careful about what we describe. No hits on the ACL does not necessarily mean that the WLC does not send any request. Rather, it could possibly mean that the access list does not match, and the traffic is not being blocked, so it reaches the TACACS+ server.

Other ways to make sure there are no requests are:

- Use a sniffer trace.

- Check the ACS logs for any failed/passed authentication for TACACS+ traffic from the WLC.

I suggest that you disconnect either the WLC or the AAA server from the network, then try the local credentials one more time. If you are sure your credentials are correct and it did not work this way, I have no other idea to proceed except recovering the device to default settings and configuring it again.

If you are not sure whether your local credentials are correct or not, there is a way to recover the password from the console to make sure.

HTH

Amjad

P.S.: You can also change your ACL to permit the TACACS+ traffic rather than dropping it, and check whether any traffic is caught by the ACL.

Rating useful replies is more useful than saying "Thank you"
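An added example that is not from any poster in this thread, showing the two configuration pieces the replies above talk about: the WLC management-authentication order with local fallback (the original question), and a permit-instead-of-deny ACL on the upstream switch whose hit counters show whether TACACS+ requests ever leave the WLC (Amjad's P.S.). All addresses, the interface name and the shared secret are placeholders; the WLC side is AireOS CLI and the switch side is IOS.

```cisco
! ---- WLC (AireOS CLI) ----
! TACACS+ authentication server: index 1, TCP port 49, ASCII shared secret (placeholder values)
config tacacs auth add 1 192.0.2.20 49 ascii PLACEHOLDER-SECRET
! Management login order: TACACS+ first, local second. Listing only "tacacs" here
! leaves no fallback when the server is unreachable, which locks you out of the box.
config aaa auth mgmt tacacs local
! Verify the order and save before closing the session you are logged in on
show aaa auth
save config

! ---- Upstream IOS switch, port facing the WLC ----
! Count TACACS+ packets instead of dropping them. "eq tacacs" is the IOS keyword for TCP/49.
! Order matters: a broad permit placed before the TACACS+ entry would absorb the hits.
ip access-list extended TACACS-COUNT
 permit tcp host 192.0.2.10 host 192.0.2.20 eq tacacs
 permit ip any any
!
interface GigabitEthernet1/0/1
 description to-WLC (placeholder interface)
 ip access-group TACACS-COUNT in
!
! Each line shows "(N matches)"; a rising count on "permit ip any any" with zero on the
! TACACS+ line means no request from the WLC to the server crossed this port.
show access-lists TACACS-COUNT
clear access-list counters TACACS-COUNT
```

Two caveats before trusting a zero counter: the ACL above is inbound on the WLC-facing port, so it counts only WLC-to-server packets, not the server's replies; and on some hardware-switched Catalyst platforms the match counters only reflect software-processed entries, so a zero alone is not proof. A capture on a SPAN session filtered on TCP port 49, or the ACS authentication log, settles the question as the reply above says.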