
Cisco 3550 with tacacs+

Status
Not open for further replies.

ITRLM

Technical User
Jan 12, 2010
3
US
Have a Cisco 3550 that has tacacs+ authentication set up on it. When the Cisco ACS goes down, I cannot log in locally to it, and it appears that it goes into a loop trying to find the ACS. Here is what I have set up. Can someone please tell me what I have wrong here?

enable secret 5 XXXXXXXXXXX
!
aaa new-model
aaa authentication login default group tacacs+
aaa authentication enable default group tacacs+
aaa authorization exec default group tacacs+ local
!
aaa session-id common
_______________
tacacs-server host x.x.x.x timeout 20
tacacs-server host x.x.x.x
tacacs-server directed-request
tacacs-server key 7 **********
radius-server source-ports 1645-1646

Any help will be greatly appreciated.
 
config t
no aaa new-model
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa accounting network default start-stop group tacacs+
aaa authorization exec default group tacacs+ local
 
Put in the settings you suggested and now I get prompted for a username and password and nothing I type in works.

Do I need to put in

line con 0
exec-timeout 0 0
password 7 XXXXX
login

Will this allow me to get in through Console when tacacs+ is down?
 
What does the ACS log say? Is the ACS down? Which username are you using? You do not need that for line con 0. Here is my working config:

step 1
config t
username admin password password
enable secret password

step 2
config t
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa accounting network default start-stop group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 10 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local

tacacs-server host 172.x.x.x
tacacs-server host 172.x.x.x
tacacs-server attempts 5
tacacs-server key password
end
wr mem

*************************************************************

additions to ACS

Double-click Cisco Secure ACS on the desktop
Click on network configuration
Add Entry
Add the AAA Client Hostname
Add whichever switch or router with the correct IP address
Add key password
Click 'Submit + Restart'
 
Do you have a local username/password defined on the device?

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
I do not have a local username and password defined. The goal is to use tacacs+ when connected to a network with no other way to get in, but if tacacs+ is to go down, we want to be able to console into the devices. The device I am currently working on is not connected to the network at this time, so there is no ACS log for it.
 
You need a local password regardless of how you are going to log in.
 
If you have vty passwords and an enable secret defined, it will default to those if you use the following.

aaa authentication login default group tacacs+ line
aaa authentication enable default group tacacs+ enable
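The thread comes down to two properties of IOS AAA method lists: methods are tried left to right, so a list that ends at `group tacacs+` has nowhere to go when the ACS is unreachable, and a `local` (or `enable`, or `line`) fallback only works if the matching credential actually exists in the config. The script below is an added example, not something posted in the thread, that checks a running-config for both conditions offline. The sample configs embedded in it are constructed from the shapes shown above (the original poster's list with no fallback, the second attempt with `local` but no `username`, and the working version); the function names are my own.

```python
"""Lint Cisco IOS 'aaa authentication' method lists for the lockout this thread
describes: a list with no fallback method, or a fallback whose credential is
missing. Added example; the sample configs below are constructed, not real."""
import re

# aaa authentication <login|enable> <list-name> <method> [<method> ...]
AAA_RE = re.compile(r"^aaa authentication (login|enable) (\S+) (.+)$")
# Methods that do not depend on a remote server being reachable.
LOCAL_METHODS = {"local", "local-case", "enable", "line", "none"}


def parse_methods(line):
    """Return (service, list_name, [methods]) for an aaa authentication line.

    'group tacacs+' is kept as one method so 'group' never counts on its own.
    Returns None for any other config line.
    """
    m = AAA_RE.match(line.strip())
    if not m:
        return None
    service, name, rest = m.groups()
    tokens = rest.split()
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append("group " + tokens[i + 1])
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return service, name, methods


def lint_aaa(config_text):
    """Return a list of human-readable findings; an empty list means no issue found."""
    lines = [l.strip() for l in config_text.splitlines()]
    has_username = any(l.startswith("username ") for l in lines)
    has_enable = any(l.startswith(("enable secret", "enable password")) for l in lines)
    has_line_pw = any(l.startswith("password ") for l in lines)  # under line con/vty
    findings = []
    for l in lines:
        parsed = parse_methods(l)
        if not parsed:
            continue
        service, name, methods = parsed
        where = f"aaa authentication {service} {name}"
        if not any(m in LOCAL_METHODS for m in methods):
            findings.append(f"{where}: only remote methods {methods}; "
                            "lockout if every server is unreachable")
        if ("local" in methods or "local-case" in methods) and not has_username:
            findings.append(f"{where}: 'local' fallback but no 'username' line configured")
        if "enable" in methods and not has_enable:
            findings.append(f"{where}: 'enable' fallback but no enable secret configured")
        if "line" in methods and not has_line_pw:
            findings.append(f"{where}: 'line' fallback but no line password configured")
        if "none" in methods:
            findings.append(f"{where}: 'none' grants access unauthenticated "
                            "when the earlier methods fail")
    return findings


# Constructed samples modelled on the configs posted in the thread.
ORIGINAL_CONFIG = """\
enable secret 5 XXXXXXXXXXX
aaa new-model
aaa authentication login default group tacacs+
aaa authentication enable default group tacacs+
tacacs-server host 192.0.2.10
"""

LOCAL_NO_USERNAME_CONFIG = """\
enable secret 5 XXXXXXXXXXX
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
tacacs-server host 192.0.2.10
"""

FIXED_CONFIG = """\
username admin secret 5 XXXXXXXXXXX
enable secret 5 XXXXXXXXXXX
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
tacacs-server host 192.0.2.10
"""

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG),
                       ("local-without-username", LOCAL_NO_USERNAME_CONFIG),
                       ("fixed", FIXED_CONFIG)):
        print(label)
        for f in lint_aaa(cfg) or ["  OK"]:
            print("  " + f)
```

Run it against `show running-config` output saved to a file and it reports the original poster's two lists as having no fallback, the second attempt as having a `local` method with no `username` to match, and the working config as clean. The `none` check is there because adding `none` as a last resort is a common way to "fix" the lockout that instead removes authentication entirely whenever the servers are down.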
 