TACACS+ failover 1

[likes2hack]

I have Cisco ACS 2.4 providing username / password authentication for my 2514 for vty connections. I have defaulted my con login to prompt for local enable password. This works well for me.

The only problem is if the ACS server is dead then no one can telnet in. Specifically is there a way to have my vty default to TACACS but roll over to local username / password if the TACACS is not there?

Right now if you telnet in and the TACACS is not responding then you get a %authentication failed error. I'd rather it realize the TACACS is not responding and switch to local authentication. How do you command this in the IOS?

Thanks.

 

[croth]

Check you have the following
aaa new-model
aaa authentication login default tacacs+ local
aaa authentication login localcon local
aaa authentication login telnet tacacs+ local
aaa authentication login async tacacs+ local
aaa authentication ppp default tacacs+ local
aaa authorization exec default tacacs+ local
aaa authorization exec telnet tacacs+ local
aaa authorization network default tacacs+ local
aaa authorization reverse-access default none
aaa accounting exec default start-stop tacacs+
aaa accounting network default start-stop tacacs+

Also add the this line to Line VTY :login authentication telnet
If the TACACS fails it will use a local authentication so add a username and password locally.

 

[likes2hack]

You showed me the problem. I was only authenticating and authorizing "tacacs+" when it should have been "tacacs+ local" (or tacacs+ enable). I couldn't remember how to specify more than one type of authorization and authentication. For some reason I was thinking it was an additional command line instead of just another command on the same line.