Configuring AAA fallback to local on Nexus 9k

rpatnaik_slf
Level 1

To Whom it May Concern,

I've configured the following:

!
tacacs-server key abcdefg
tacacs-server host x.x.x.x timeout 5
tacacs-server host y.y.y.y timeout 5
aaa group server tacacs+ tacacs
  server x.x.x.x
  server y.y.y.y
  use-vrf management
  source-interface mgmt0
!
aaa authentication login default group tacacs
aaa authorization commands default group tacacs local
aaa accounting default group tacacs
!
username admin password 5 $5$FGFIEN$6.3JWzAkkhZvxNrbd6pB6P6UqFULglpyhgJgwq9WQbA role network-admin
!

What I'm looking at is to ensure that fallback works when TACACS+ is enabled. However, I shouldn't be able to use the "admin" account even when TACACS+ is working. What am I doing wrong? It seems that "admin" is still allowed with TACACS+ working.


Cheers,

Rash

2 Replies

aydinnmu1
Level 1

Hi,

AAA works in the order of the method types.

If there is no response from one method, it passes to the next method, and vice versa.

If authentication fails at one method, it does not pass to the next method and rejects the login.

You defined only one method for authentication, group tacacs, so if TACACS+ authentication fails you get an authentication-failure message.

You should add to configuration 

aaa authentication login default group tacacs local

or you should define a user named admin on the TACACS+ server.

Best regards.

There is default support for "local". You do not have to specifically identify it. That said, I agree with you about having the "admin" name defined in TACACS+. Unfortunately, I do not have access to that server.
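The method-list semantics described in the reply (no response moves to the next method, an explicit reject stops the list) are easy to get wrong when reasoning about whether "admin" can log in. The following is an added example written for this page, not NX-OS code or anything posted in the thread: a small Python model of a method list that runs the original poster's line (group tacacs) and the reply's line (group tacacs local) through the same constructed scenarios. The TACACS+ user database, the local "admin" entry, the passwords and the `fallback_error_local` knob are all assumptions made for the model; the knob stands in for the "default support for local" mentioned in the last message and is assumed to apply only when every configured method returned no response, never on an explicit reject.

```python
"""Model of AAA method-list evaluation as described in the reply above.

Constructed example, not NX-OS code. Each method returns one of three
outcomes: PASS (credentials accepted), FAIL (server answered and rejected),
or ERROR (no response / unreachable). Per the reply: ERROR moves on to the
next method, FAIL stops the list and rejects, PASS stops the list and accepts.
"""
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    PASS = "pass"
    FAIL = "fail"
    ERROR = "error"


@dataclass
class TacacsGroup:
    """Constructed stand-in for 'group tacacs': a user database plus a reachability flag."""
    users: dict            # username -> password known to the TACACS+ server (assumed)
    reachable: bool = True

    def authenticate(self, user, password):
        if not self.reachable:
            return Outcome.ERROR           # timeout: no response from any server in the group
        return Outcome.PASS if self.users.get(user) == password else Outcome.FAIL


@dataclass
class LocalDb:
    """Stand-in for the switch's local 'username ...' entries (assumed contents)."""
    users: dict

    def authenticate(self, user, password):
        # A local database always answers: either the user matches or it does not.
        return Outcome.PASS if self.users.get(user) == password else Outcome.FAIL


def run_method_list(methods, user, password, fallback_error_local=None):
    """Evaluate methods in order; return (outcome, name of the method that decided).

    fallback_error_local: if given, a LocalDb consulted only when *every* configured
    method returned ERROR. This is an assumption modelling the "default support for
    local" the thread mentions; it never engages on an explicit FAIL.
    """
    for name, method in methods:
        result = method.authenticate(user, password)
        if result is Outcome.ERROR:
            continue                       # no response: try the next method
        return result, name                # PASS or FAIL both end the list
    if fallback_error_local is not None:
        return fallback_error_local.authenticate(user, password), "fallback-local"
    return Outcome.ERROR, None             # nothing answered and no fallback configured


# --- constructed scenario mirroring the thread (all names/passwords assumed) ---
LOCAL = LocalDb({"admin": "LocalPw!"})
TACACS_UP = TacacsGroup({"rash": "TacPw!"})                  # "admin" is NOT defined on TACACS+
TACACS_DOWN = TacacsGroup({"rash": "TacPw!"}, reachable=False)


def scenarios():
    """Outcomes for the poster's line ('group tacacs') versus the reply's ('group tacacs local')."""
    only_tacacs_up = [("tacacs", TACACS_UP)]
    only_tacacs_down = [("tacacs", TACACS_DOWN)]
    tacacs_local_up = [("tacacs", TACACS_UP), ("local", LOCAL)]
    tacacs_local_down = [("tacacs", TACACS_DOWN), ("local", LOCAL)]
    return {
        # TACACS+ reachable and "admin" unknown there: rejected under both configurations,
        # because a FAIL from the first method ends the list before 'local' is consulted.
        "group tacacs, up, admin": run_method_list(only_tacacs_up, "admin", "LocalPw!"),
        "group tacacs local, up, admin": run_method_list(tacacs_local_up, "admin", "LocalPw!"),
        # TACACS+ reachable, a TACACS+ user logs in normally.
        "group tacacs local, up, rash": run_method_list(tacacs_local_up, "rash", "TacPw!"),
        # TACACS+ unreachable: only an explicit 'local' method or the error fallback admits "admin".
        "group tacacs, down, admin, no fallback": run_method_list(only_tacacs_down, "admin", "LocalPw!"),
        "group tacacs, down, admin, error-fallback": run_method_list(
            only_tacacs_down, "admin", "LocalPw!", fallback_error_local=LOCAL),
        "group tacacs local, down, admin": run_method_list(tacacs_local_down, "admin", "LocalPw!"),
    }


if __name__ == "__main__":
    for label, (outcome, decided_by) in scenarios().items():
        print(f"{label:45} -> {outcome.value:5} (decided by {decided_by})")
```

Under these semantics a reachable TACACS+ server that does not know "admin" rejects it whether or not `local` is appended, so if "admin" still gets in while the servers are believed to be up, the model points at two things to verify: that the servers are actually answering (rather than timing out and triggering error fallback) and that no "admin" account exists on the TACACS+ side.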