ACS AAA and LOCAL AAA database...

Hello,
We have implemented a 5520 device and configured it for ACS successfully. I want to also have a local database with a few accounts in the event our ACS server goes down. I am having trouble finding documentation for the syntax I need to enter in this 5520 device configuration so I can have redundancy for AAA... can someone help with this? TIA, Gary

Hi,
Check this example:
aaa-server SERVER protocol tacacs+
aaa-server SERVER host 1.1.1.1
key $har3dK3y
These commands apply the server group to the vty or console lines:
==========
aaa authentication ssh console SERVER LOCAL      <--- For SSH sessions
aaa authentication serial console SERVER LOCAL   <--- For console access
Hope that helps
Regards,
JG~
Please rate helpful posts
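To make the fallback rule in the answer above concrete (with `SERVER LOCAL`, the LOCAL database is only consulted when the server group gives no answer, never when the server rejects a user), here is an added Python model of method-list evaluation. It is illustrative code written for this page, not Cisco's implementation, and the usernames and passwords are constructed sample data.

```python
from enum import Enum
from typing import Callable, Dict, List

class Result(Enum):
    PASS = "pass"    # the method reached a decision: credentials accepted
    FAIL = "fail"    # the method reached a decision: credentials rejected
    ERROR = "error"  # the method could not be consulted (server down / timeout)

# A method takes (username, password) and returns a Result.
Method = Callable[[str, str], Result]

def local_database(users: Dict[str, str]) -> Method:
    """The device-local username database (the LOCAL method); always reachable."""
    def check(user: str, password: str) -> Result:
        return Result.PASS if users.get(user) == password else Result.FAIL
    return check

def aaa_server_group(users: Dict[str, str], reachable: bool) -> Method:
    """A TACACS+/RADIUS server group such as SERVER or 'group tacacs+'."""
    def check(user: str, password: str) -> Result:
        if not reachable:
            return Result.ERROR  # no server answered, so the next method is tried
        return Result.PASS if users.get(user) == password else Result.FAIL
    return check

def authenticate(method_list: List[Method], user: str, password: str) -> Result:
    """Walk the method list in order (a simplified model of the IOS/ASA rule):
    any PASS or FAIL is final, only ERROR moves on to the next method, and if
    every method errors out the login is refused."""
    for method in method_list:
        result = method(user, password)
        if result is not Result.ERROR:
            return result
    return Result.FAIL

# Constructed sample accounts: one only on the AAA server, one only local, and
# one present in both databases with different passwords.
SERVER_USERS = {"netops": "srv-pw", "shared": "srv-shared-pw"}
LOCAL_USERS = {"emergency": "local-pw", "shared": "local-shared-pw"}

def scenarios() -> Dict[str, Result]:
    """Outcomes for the 'SERVER LOCAL' order with the server up and down, and
    for the reversed 'LOCAL SERVER' order."""
    server = aaa_server_group(SERVER_USERS, reachable=True)
    server_down = aaa_server_group(SERVER_USERS, reachable=False)
    local = local_database(LOCAL_USERS)
    up, down, local_first = [server, local], [server_down, local], [local, server]
    return {
        # server up: the local-only account is rejected, not passed on to LOCAL
        "server_up_local_only_user": authenticate(up, "emergency", "local-pw"),
        "server_up_server_user": authenticate(up, "netops", "srv-pw"),
        # server down: LOCAL now decides, so the emergency account works
        "server_down_local_only_user": authenticate(down, "emergency", "local-pw"),
        "server_down_server_user": authenticate(down, "netops", "srv-pw"),
        # account in both databases: the first method decides, the other password fails
        "server_up_shared_server_pw": authenticate(up, "shared", "srv-shared-pw"),
        "server_up_shared_local_pw": authenticate(up, "shared", "local-shared-pw"),
        # local first: a server-only account is rejected before the server is asked
        "local_first_server_user": authenticate(local_first, "netops", "srv-pw"),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:30s} {result.value}")
```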

Similar Messages

  • Nexus 7000 aaa and local authentication

    Hello,
    I tried to configure aaa (with radius) and local user authentication on a Nexus 7004 (Version 6.2(6a)), but did not get it to work.
    RADIUS authentication is working fine(!), but I can't log in with a locally created user (role vdc-operator).
    Any help is highly appreciated.
    Kind regards,
    Andreas

    Hi,
    Yes, I know that the fallback will jump in when no RADIUS server responds, but I need the behaviour that the 6500 (or 4500) has. (BTW, local login works if RADIUS is disabled, or if local is the default, but if local is the default, RADIUS login no longer works.) Only one of the methods at a time works.
    On the 6500 I configured aaa with a Windows NPS server and a local user (e.g. for the Cisco LMS). This works fine. Even if the RADIUS server is available, I can log into the device (via ssh) with the locally defined user account.
    What I miss is a kind of the command:
    "aaa authentication login default local group radius"
    "aaa authentication enable default enable"
    (which works on the WS-C6509 or WS-C4500X).
    Is there any chance to get this work on the Nexus7000?
    Kind regards,
    Andreas

  • AAA and local user authentication

    Hi,
    I already have AAA authentication setup on my switch. And I can use local users to login when the AAA server is unreachable.
    But I want to know if it is possible to use local users even when the AAA server is reachable. Something like: first it checks the local user database, and if the user does not exist then it falls back to AAA, or vice versa.
    Thanks.

    Ismail, the authentication method you define acts as a service. So only when the service is not available does the method fall back to the next method you define.
    So in your case if the user account is not present in the local data base it will not fallback to aaa server.
    aaa authentication login default local group radius
    The same holds true if the user account is not there in the aaa server
    aaa authentication login default group radius local
    Only when the aaa server is not responding (service down or not reachable) will it fall back to the local database.
    Hope this helps!

  • AAA and ISE

    Hi All,
    Where do I configure primary AAA and secondary AAA at ISE?
    According to deployments guide Fig 1-6. Dispersed Deployment
    http://www.cisco.com/en/US/docs/security/ise/1.0/install_guide/ise10_deploy.pdf
    If we are using AD, then is the AAA solution RODC?
    Thanks,
    John

    Hello,
    Yes, you can also use a Cisco Catalyst 3560 to configure AAA and RADIUS. You can configure MAB, Dot1X and CWA.
    Please refer to the link below, which might help you.
    http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/12.2_55_se/configuration/guide/sw8021x.html

  • PIX 525 aaa authentication with both tacacs and local

    Hi,
    I have configured the aaa authentication for the PIX with tacacs protocol (ACS Server).
    It works fine; now I would like to add the backup authentication, as follows:
    - If the ACS goes down I can be authenticated with the local database.
    Is it possible with PIX, if yes how?

    Hi,
    I am trying to configure aaa using TACACS+, and I am not able to close. The problems are:
    1. It doesn't ask for username/password at the first level.
    2. At the second level it asks for a user name but doesn't authenticate the user.
    Could you please let me know if the following config is correct? If not, could you help me?
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ (outside) host ip.ip.ip.ip key timeout 15
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    aaa authentication include tcp/0 inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+
    aaa authentication include tcp/0 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+
    aaa authen enable console TACACS+

  • FWSM: AAA authentication using TACACS and local authorization

    Hi All,
    In our setup, we are having FWSMs running version 3.2.22 and users are authenticating using TACACS (running Cisco ACS). We would like to give restricted access (some show commands) to a couple of users on all devices. We do not want to use TACACS for command authorization.
    We have created users on TACACS and not allowed "enable" access to them. I have also given those show commands locally on the firewall with privilege level 1, and enabled aaa authorization LOCAL.
    Now, those users can successfully log in to devices and execute those show commands from priv level 1 except "sh access-list". I have specifically mentioned this
    "privilege show level 1 mode exec command access-list"  in the config.
    Is there anything i am missing or is there any other way of doing it?
    Thanks.

    You cannot do what you are trying to do. For default login you need to use the first policy matched.
    You can diversify telnet/ssh with http by creating different aaa groups.
    But still you will be logging in telnet users (all of them) using one method.
    I hope it is clear.
    PK

  • AnyConnect and IKEv2 with IOS Local AAA

    Hi,
    Is it possible to utilise AnyConnect IKEv2 (terminating on an ASR1k) with the IOS Local AAA feature to authenticate remote access using EAP-MD5, or is an external RADIUS server required to support user authentication? I was hoping to develop a standalone proof-of-concept using IOS Local AAA (with aaa attribute lists where appropriate) to store RADIUS 'User' and 'Group' profiles. However, I suspect I can only store the 'Group' profiles locally, and the user authentication requires an external RADIUS server supporting EAP-MD5 to support the tunnel method?
    Cheers,
    Matt

    Your NAT is nearly correct. There are just two small things:
    1) What do you want to achieve with this rule and the corresponding ACL? "permit ip any any" on the outside interface is probably a bad idea. Better to configure the needed ports directly with object NAT and specific ACL lines.
    nat (inside,outside) source static WAN interface
    2) The NAT exemption is nearly fine. This NAT rule is typically configured with two more parameters:
    nat (inside,outside) source static LOCAL LOCAL destination static REMOTE REMOTE no-proxy-arp route-lookup

  • Same user in tacacs and local database with different privilege

    Hi there,
    I am just not sure if this is correct behavior.
    I am running NX-OS image n5000-uk9.5.1.3.N1.1.bin on the Nexus 5020 platform.
    I have configured authorization with tacacs+ on ACS server version 5.2 with fallback to the switch local database.
    aaa authentication login default group ACS
    aaa authorization commands default group ACS local
    aaa accounting default group ACS
    A user test with priv 15 is created on the ACS server, password test2.
    Everything works fine, until I create the same username in the local database with privilege 0. (It doesn't matter if the user in the local database was created before the user in ACS or after.)
    e.g.:
    username test password test1 role priv-0   (note passwords are different for users in both databases)
    After I create the same user in the local database with privilege 0,
    if I try to connect to the switch with this username test and the password defined on ACS, I get only privilege 0 authorization, regardless of the fact that the ACS server is up and should be the primary way to authenticate and authorize the user.
    Is this normal?
    Thank you for help...

    Hello.
    Privileges are used with traditional IOS. Privileges are part of "command authorization". Other operating systems (like IOS-XR, Nexus OS, Juniper JunOS) use "role-based authorization" instead of "command authorization".
    So traditional IOS can use the "privilege" attribute but other operating systems cannot.
    Although IOS-XR, Nexus, ACE and Juniper have the "role-based authorization" feature, every single one of them uses its own particular attributes.
    When I was configuring TACACS with ACE, Juniper and other devices I had to capture the packets to find out what the particular attributes of ACE were, what the particular attributes of JunOS were, etc., and to search deeply for hints in the documentation, because sadly the documentation is not very good when talking about TACACS details.
    If you find which attributes to use, and what values to assign to the attributes, then you can go to ACS and configure a "Shell Profile".
    Now back to Nexus 5000. It seems this particular device has the option to mix "role-based" with "command authorization" by overriding the default roles with other roles whose names are "priv". It seems this was an effort to try to map the old concept of "privileges" to the new concept of "roles". Although you see the word "priv", it's just the name of the role. My particular point of view is that this complicates the whole thing. I would recommend using just the default roles, or customizing some of them (only if needed), but not using "command authorization".
    http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/security/502_n1_1/Cisco_n5k_security_config_gd_rel_502_n1_1_chapter5.html
    I will search for the particular attributes Nexus uses to talk to the TACACS server. If I get them I will post them here.
    Please rate if it helps

  • WLC Flexconnect with AAA and MAC authentication

    hi,
    I am having a Cisco WLC with version 7.4.121, and I have remote-site access points to be connected to this controller; the remote access points will have a different VLAN on the remote side itself.
    My question is: I have RADIUS authentication for the clients who are connecting from all the access points, and MAC filtering also.
    My RADIUS server is placed in the HQ where we have the WLC. Which method of FlexConnect switching will give me both AAA and MAC filter options working?
    One more question:
    Is it possible to make separate MAC filters for each AP on the WLC?
    thanks
    cyril

    If you are planning on doing machine authentication, i.e. authentication of the machine with username/password by the AAA server, then this is possible using FlexConnect local switching, provided you have your AAA server accessible via the local VLAN at the remote site.
    In case you are planning on doing MAC filtering using the WLC and username/password authentication using the AAA server, then this cannot be achieved when you enable FlexConnect local switching, as you do not get an option to configure MAC filtering on FlexConnect groups. Hence you would need to use central authentication.
    Actually the best option for you is to either deploy a local-site AAA server and do both authentications via your RADIUS server, or use central authentication with FlexConnect APs in case this is not feasible.
    Hope this clears your doubts!!!
    Note: Please do not forget to rate and accept as solution incase the post is valid.

  • ACS 4.2.0 AAA-server-IP-address changing to 169.254.x.x

    Hello,
    I have ACS 4.2.0.124.15   installed on a windows server 2008.
    In the configuration menu : network config > AAA server , the AAA-server-IP-address change to 169.254.x.x each time I disconnect the  ethernet interface of the server.
    Although the IP address in my network connection of the Windows LAN connection is set to static.
    When I reconnect the ethernet interface of the server, it stays at 169.154.x.x. And I need to reconfigure the real static address each time.
    Do you know this problem? Is there a way to avoid it?
    Michel Misonne

    Hi Michel,
    It was an issue in the ACS 1113 SE appliance, and a clear solution for the above is mentioned in the link below:
    http://www.ciscosystems.com/en/US/products/sw/secursw/ps2086/products_tech_note09186a00808d9199.shtml#stat
    HTH
    Ganesh.H

  • AAA and 3560 Switch + CNA

    Hi
    Has anyone got this to work?
    CNA. (Cisco Networks Assistants) and AAA (Tacacs+) on a 3560 switch.
    I can't get the CNA to work in this setup, but it works fine together with 3500XL and 3550 series switches, with the same parameters.
    This is the aaa config:
    aaa authentication login default group tacacs+ local
    aaa authentication login no_tacacs enable
    aaa authentication enable default enable group tacacs+ none
    aaa authorization exec default group tacacs+ local
    aaa authorization exec no_tacacs none
    aaa authorization commands 15 default group tacacs+ if-authenticated local
    aaa authorization commands 15 no_tacacs none
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting network default start-stop group tacacs+
    ip http server
    ip http authentication aaa

    Hi
    No. I get the prompt for username and password.
    and hit enter. Then nothing happens. It looks like it's trying to build the network but it never finishes. I know it works without the aaa statement. But I can't live with that.

  • AAA and TACACS servers

    Hello All,
    I want to download free, yet reliable, AAA and TACACS servers; can you guide me? Also, I need help with configuring them for study purposes.

    You may download the eval version ACS 4.2.0.124, if you've access to cisco.com
    ACS v4.2.0.124 90-Days Evaluation Software
    eval-ACS-4.2.0.124-SW.zip
    http://tools.cisco.com/squish/9B37e
    Path:
    Cisco.com > Downloads Home > Products > Cloud and Systems Management > Security and Identity Management
    > Cisco Secure Access Control Server Products > Cisco Secure Access Control Server for Windows > Cisco Secure ACS 4.2 for Windows > Secure Access Control Server (ACS) for Windows-4.2.0.124
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • AAA confusion - local username access

    Hey all,
    I am a little confused.
    I have the following commands on my device:
    username blah privilege 15 secret 5 blah!@#$%%
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization config-commands
    aaa authorization commands 0 default group tacacs+
    aaa authorization commands 15 default group tacacs+ local
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 0 default stop-only group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    Everything works fine.
    However, when I bring down the TACACS server I am able to log in to the device with the local username, but it fails when I enter the enable command. How can I have access in case of an emergency where TACACS fails? I have researched online and have tried multiple commands. Is there anything I am missing? I do have an enable secret password configured as well. But I don't even get a chance to enter it. When entering "en" at the > prompt:
    % Authentication failed.
    Thanks in advance for your help.
    My testing has led to frustration.

    Hi Geo,
    First, please give the fallback method for command 0.
    aaa authorization commands 0 default group tacacs+
    add local
    aaa authorization commands 0 default group tacacs+ local
    Make sure you are putting in the right enable password; try to reset it and give it a shot.
    If the issue is still there, then get the output of debug tacacs and debug aaa authentication.
    Regards,
    ~JG
    Do rate helpful posts

  • Local aaa privileges

    I want to be able to set up read only access to one of our cisco routers while letting the other users still be able to get into enable and config mode.
    My current config ( without the read only access user) is as follows
    aaa new-model
    aaa authentication login default local-case
    aaa authentication login NO_AUTHENT none
    aaa authorization exec default local
    username x password y
    Thank you.

    Hi,
    I tried that on a test router logging into the console port and I could not log in with a privilege level of 1.  I could log in with a privilege level of 3.  However, it let me make changes to the router in config mode. My goal is to allow the account to run show commands on the router and have read only access.
    Thoughts?

  • AAA and TACACS on everything BUT NOT console

    Would like to enable login authentication AND enable authentication on VTY but NOT console. Console should authenticate locally for both user and privilege modes ... I can't seem to separate the 'enable' piece ... any thoughts?

    I do not think you can separate the method list for the enable piece. I've asked Cisco about this in the past and they told me that it is not possible. You can have a different method list for the console for the "exec" mode but not the enable or privilege mode. It is either "tacacs" or "enable" or some other combinations, but not a separate method list for "enable" by itself. Maybe Cisco added this new feature in 12.4. I've done my testing on both 12.2T and 12.3T and, IMHO, it is not possible to separate the enable piece. Here is my config:
    username cisco password cisco
    enable secret cisco
    aaa authentication login notac local
    aaa authentication login VTY group tacacs+ local
    aaa authentication login web local enable
    aaa authentication enable default group tacacs+ enable
    aaa authorization console
    aaa authorization config-commands
    aaa authorization exec notac none
    aaa authorization exec VTY group tacacs+ if-authenticated none
    aaa authorization commands 0 VTY group tacacs+ if-authenticated none
    aaa authorization commands 1 VTY group tacacs+ if-authenticated none
    aaa authorization commands 15 VTY group tacacs+ if-authenticated none
    aaa authorization network VTY group tacacs+ if-authenticated none
    aaa accounting exec TAC start-stop group tacacs+
    aaa accounting exec VTY start-stop group tacacs+
    aaa accounting commands 0 TAC start-stop group tacacs+
    aaa accounting commands 0 VTY start-stop group tacacs+
    aaa accounting commands 1 TAC start-stop group tacacs+
    aaa accounting commands 1 VTY start-stop group tacacs+
    aaa accounting commands 10 TAC start-stop group tacacs+
    aaa accounting commands 15 TAC start-stop group tacacs+
    aaa accounting commands 15 VTY start-stop group tacacs+
    aaa accounting network VTY start-stop group tacacs+
    aaa accounting connection TAC start-stop group tacacs+
    aaa session-id common
    line con 0
    exec-timeout 0 0
    authorization exec notac
    accounting commands 0 VTY
    accounting commands 1 VTY
    accounting commands 15 VTY
    accounting exec VTY
    logging synchronous
    login authentication notac
    line vty 0 15
    exec-timeout 0 0
    authorization commands 0 VTY
    authorization commands 1 VTY
    authorization commands 15 VTY
    authorization exec VTY
    accounting commands 0 VTY
    accounting commands 1 VTY
    accounting commands 15 VTY
    accounting exec VTY
    login authentication VTY
