AAA allowing local authentication with TACACS+ configured.

I was under the impression:

aaa authentication login default group tacacs+ local

Means: if TACACS+ is up and happy, use that. If TACACS+ returns ERROR, use local credentials. This is good.

However, I figured this also meant deny local authentication if TACACS+ is up and functioning. But I can still log in using local credentials even when TACACS+ is up and functioning. Is there a way I can disable this?


If authentication fails against the TACACS database, no further AAA method should be used. If it is being used, then it is a bug.

"A FAIL response is significantly different from an ERROR. A FAIL means that the user has not met the criteria contained in the applicable authentication database to be successfully authenticated. Authentication ends with a FAIL response. An ERROR means that the security server has not responded to an authentication query. Because of this, no authentication has been attempted. Only when an ERROR is detected will AAA select the next authentication method defined in the authentication method list."


Turns out, for some reason, although it was successfully logging in users, FAILs were timing out when communicating with ACS. I noticed this by turning tacacs debugging on.

Bumping the time-out value to 10 seconds took care of it. Our ACS servers may need a good kick.

However, couldn't this be used for a tim

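The two replies above describe one mechanism from two sides: the quoted Cisco text says only an ERROR (server not responding) moves AAA to the next method in the list, while a FAIL ends authentication; the follow-up shows that a TACACS+ timeout shorter than the server's response time turns what should have been a FAIL into an ERROR, which is exactly what lets the local fallback answer. The simulation below is an added example written for this thread, not code from the thread or from Cisco. The `TacacsServer` class, its `response_delay`, the `LOCAL_USERS` table and the user names are all constructed for illustration; the 5-second timeout used in the first two scenarios is the IOS default `tacacs-server timeout`.

```python
"""Simulate the method-list fallback behind
'aaa authentication login default group tacacs+ local'.

Added example for this thread; server responses, delays and credential
tables are constructed and do not come from any real device or ACS.
"""
from dataclasses import dataclass
from enum import Enum


class Result(Enum):
    PASS = "PASS"    # server authenticated the user
    FAIL = "FAIL"    # server rejected the credentials: authentication ends here
    ERROR = "ERROR"  # server did not respond in time: AAA tries the next method


@dataclass
class TacacsServer:
    users: dict            # constructed server-side credential database
    response_delay: float  # seconds the server takes to answer (constructed)

    def authenticate(self, user, password, timeout):
        # If the answer does not arrive inside the router's tacacs-server
        # timeout, the router never sees the FAIL; the method returns ERROR.
        if self.response_delay > timeout:
            return Result.ERROR
        return Result.PASS if self.users.get(user) == password else Result.FAIL


# Constructed 'username ... secret' entries on the router itself.
LOCAL_USERS = {"admin": "local-secret"}


def local_authenticate(user, password):
    return Result.PASS if LOCAL_USERS.get(user) == password else Result.FAIL


def aaa_login(user, password, methods):
    """Walk the method list in order. Only an ERROR advances to the next method;
    PASS or FAIL from any method ends authentication with that result."""
    trace = []
    for name, method in methods:
        result = method(user, password)
        trace.append((name, result))
        if result is not Result.ERROR:
            return result, trace
    # Every method errored; the caller treats anything but PASS as denied.
    return Result.ERROR, trace


def build_methods(server, timeout):
    """Method list equivalent to 'group tacacs+ local' with a given timeout."""
    return [
        ("group tacacs+", lambda u, p: server.authenticate(u, p, timeout)),
        ("local", local_authenticate),
    ]


def login_allowed(server, timeout, user, password):
    """Return (allowed, trace) for a login attempt against the method list."""
    result, trace = aaa_login(user, password, build_methods(server, timeout))
    return result is Result.PASS, trace


if __name__ == "__main__":
    healthy = TacacsServer(users={"mike": "tac-secret"}, response_delay=1.0)
    slow = TacacsServer(users={"mike": "tac-secret"}, response_delay=7.0)

    scenarios = [
        ("healthy ACS, 5 s timeout, local-only account", healthy, 5.0),
        ("slow ACS, 5 s timeout, local-only account", slow, 5.0),
        ("slow ACS, 10 s timeout, local-only account", slow, 10.0),
    ]
    for label, server, timeout in scenarios:
        allowed, trace = login_allowed(server, timeout, "admin", "local-secret")
        steps = " -> ".join(f"{n}:{r.value}" for n, r in trace)
        print(f"{label}: {steps} => {'ALLOWED' if allowed else 'DENIED'}")
```

Running it shows the three states from the thread: with a responsive server the TACACS+ FAIL ends the attempt and the local account is never consulted; with a server slower than the timeout the method returns ERROR and the local entry lets the same credentials in; raising the timeout above the server's response time restores the FAIL and the denial. The `debug tacacs` output mentioned in the reply is the real-device way to see which of these paths a login took.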