Cisco Support Community

New Member

WLC s/w v4.1 and TACACS unreachable

In,

Cisco WLC_Config Guide_Web & CLI_Release 4.1

it says,

"If the TACACS+ authorization server becomes unreachable or unable to authorize, users are unable to log into the controller."

Does this mean it does not support a fail-safe password like IOS does where the Enable password can be used to get into a router if TACACS+ is unreachable?

3 REPLIES
Silver

Re: WLC s/w v4.1 and TACACS unreachable

Hi Mark,

No, the local database is always queried first.

Please read Chapter 5 and the section on configuring TACACS:

"You can specify the order of authentication when multiple databases are configured, click Security > Priority Order > Management User. The Priority Order > Management User page will appear."

It goes on further to explain:

"For Authentication Priority, choose either Radius or TACACS+ to specify which server has priority over the other when the controller attempts to authenticate management users. By default, the local database is always queried first. If the username is not found, the controller switches to the TACACS+ server if configured for TACACS+ or to the RADIUS server if configured for Radius. The default setting is local and then Radius."

Hope this helps.

Paul

New Member

Re: WLC s/w v4.1 and TACACS unreachable

Hi Paul,

Thank you for your clarification.

Now I realised I asked a silly question.

I can't see the value in Cisco's statement,

"If the TACACS+ authorization server becomes unreachable or unable to authorize, users are unable to log into the controller."

They ***are*** able to if they know the local account credentials, right?

Regards, MH

Silver

Re: WLC s/w v4.1 and TACACS unreachable

Hi Mark,

Firstly, your question wasn't silly. Cisco documentation is notorious for sometimes being vague. I suppose if the same person wrote the documentation for every product there might be some recognizable consistency, but as we all know this is impossible.

Secondly, you are correct when you say that people are able to log into the controller if they know the local credentials.

Hope this helps.

Paul
