Cisco – TACACS+ – Cisco Router – Failover to local database not operating as it should

authenticationciscotacacs

I have TACACS+ working and now I am trying to set it up so that it will failover locally if the TACACS+ server is unavailable.

My goal is for it to check the TACACS server first, then failover if it is not contactable.

It is my understanding that the below configuration line would achieve this, with the word "local" coming AFTER the "group tacacs+" command to achieve this:

aaa authentication login vtymethod group tacacs+ local

Test: I disable the TACACS service on the server and try and authenticate with a local user and am told that the user is not in a group (like it was being rejected by TACACS).

I can achieve the end goal as stated above with the following command line instead:

aaa authentication login vtymethod local group tacacs+

So that it checks if the user is firstly available locally first… it was ALWAYS my understanding that putting it last would allow it to failover and would like TACACS to be checked first…

Any tips on where I am going wrong here?

Best Answer

I actually am already doing this with a variety of Cisco switches and routers. Here are the relevant lines of code from the IOS configs.

aaa new-model
aaa authentication login default group tacacs+ local
tacacs-server host **redacted**
tacacs-server directed-request
tacacs-server **redacted**

As you can see, yes you follow "tacacs+" with "local".

As to how long failover takes, when you attempt to authenticate the TACACS source must be unreachable by the router for at least 15 seconds (5 seconds for timeout and 3 attempts to contact the server) before the authentication source will change to local. https://supportforums.cisco.com/discussion/11350726/two-acs-server-failover

Related Solutions

Cisco – Passwordless Kerberos management of Cisco devices

A long time ago, yes, I did get it to work with some Cisco terminal servers I set up. However, I no longer use it for very simple reasons, not the least of which is, when the network has gone to hell, the fewer moving parts I need to have up in order to log into a router, the better.

The quick answers from memory:

Yes.
I believe there was either an explicit ordering or implicit one. Somewhere. I seem to remember local passwords working in preference to remote ones.
Kerberos requires you to place data on the IOS gear (the machine's SRVTAB) which you will want to change if the gear is swapped out, and remove the old key from your Kerberos database. However, this is a change that users (via telnet) won't see a change.
If memory served, the enable password was not Kerberos-capable.

Once again, this is all from memory, several years old at least.

Cisco – Can somebody please explain IOS line authentication

line and enable are additional methods of authentication that will be attempted after failure of the previous methods in the list.

line authentication uses a password that's defined in your line configs, so it can vary based on your connection method. enable authentication simply uses the enable password defined in the enable password command.

Here's a reference of the methods available for the authentication list:

(config)#aaa authentication login default ?
  cache        Use Cached-group
  enable       Use enable password for authentication.
  group        Use Server-group
  krb5         Use Kerberos 5 authentication.
  krb5-telnet  Allow logins only if already authenticated via Kerberos V
               Telnet.
  line         Use line password for authentication.
  local        Use local username authentication.
  local-case   Use case-sensitive local username authentication.
  none         NO authentication.

Best Answer

Related Solutions

Cisco – Passwordless Kerberos management of Cisco devices

Cisco – Can somebody please explain IOS line authentication

Related Topic