TACACS AAA: allow only TACACS authentication when there is connectivity to TACACS

Is there a command that will force users to use TACACS when there is connectivity to TACACS? We still want to use the local user/pass when there is no connectivity, but do not want users to log in with that local account when TACACS is available.
dcawoodAsked:
RunningGagCommented:
The syntax is:

aaa authentication login {default | list_name} group {group_name | tacacs+ | radius} [method2 [method3 [method4]]]

So what you are looking for would be:

aaa authentication login default group tacacs local

Reference:

http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfathen.html#wp1001032
dcawoodAuthor Commented:
I should have posted this before. We do have that syntax; however, people can still log in using a local login. We want to stop that from happening unless the device loses connectivity to the ACS server.


aaa authentication login default group tacacs+ local
aaa authentication login no_tacacs local

aaa authentication ppp default group tacacs+ local

aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization network default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
!
aaa session-id common
RunningGagCommented:
Hi dcawood,

I just ran a quick check through the Cisco curriculum for AAA Authentication; this is the configuration they have listed in their lab example:

--------------------

R1# show run
hostname R1
!
aaa new-model
!
aaa authentication login default group tacacs+ none
aaa authentication login telnet_lines group tacacs+
!
interface FastEthernet0/0
ip address 192.168.10.1 255.255.255.0
no shutdown
!
tacacs-server host 192.168.10.50 key ciscosecret
!
line vty 0 4
login authentication telnet_lines
end

Copyright © 2007, Cisco Systems, Inc

------------------------------

Have you specified the Tacacs server?

tacacs-server host 192.168.10.50 key ciscosecret
dcawoodAuthor Commented:
Yes, I just didn't add the server. I can log in via TACACS and local. By adding none to the end, will I (or likely someone far away) be able to log in with a local account?
RunningGagCommented:
If you add none instead of local it will require the Tacacs authentication and will not allow logging in with local credentials.
RunningGagCommented:
Oh, sorry, no the opposite is true, it lets anyone in without authenticating.

"Because the none keyword enables any user logging in to successfully authenticate, it should be used only as a backup method of authentication."
dcawoodAuthor Commented:
Yep, that's what I read on Cisco. I'm looking to keep folks off the local account till it's necessary. This way they are forced to use their TACACS credentials.
giltjrCommented:
We have:

aaa group server tacacs+ TACSRV
 server 172.16.111.14
!
aaa authentication password-prompt LCLPassword:
aaa authentication username-prompt LCLUsername:
aaa authentication login TACSRV group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec TACSRV group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting commands 15 default start-stop group TACSRV

line con 0
 login authentication TACSRV
line vty 0 4
 login authentication TACSRV
line vty 5 15
 login authentication TACSRV


If the switch has connectivity to the tacacs+ server you get the normal Username and Password prompts and you can NOT use a local id.

If the switch has NO connectivity to the tacacs+ server you get the LCLUsername and LCLPassword prompts and you need to use a local id.
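The two answers above turn on how IOS walks a login method list: a later method (local, none) is consulted only when the earlier one returns an error such as "TACACS+ server unreachable", never when it returns a plain authentication failure, which is why `group tacacs+ local` keeps local accounts out of reach while the server is up and why `none` opens the door to anyone once it is down. The script below is an added example written for this page, not code from the thread or from Cisco. It parses a small constructed running-config fragment (its list names and line bindings are made up for illustration), models that method-list walk in a simplified way (the `enable` method and the case where `local` errors out because no usernames exist are not modelled), and flags the configurations a reviewer would question: lists containing `none`, lists that try `local` first, lists with no fallback at all, and lines bound to a list that is not defined.

```python
import re

# Constructed sample config in the style of the ones posted in this thread.
# List names and line bindings are illustrative, not from any real device.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login telnet_lines group tacacs+ none
aaa authentication login no_tacacs local
line con 0
 login authentication default
line vty 0 4
 login authentication telnet_lines
 transport input ssh
line vty 5 15
"""

LOGIN_RE = re.compile(r"^aaa authentication login (\S+) (.+)$")


def parse_login_lists(config):
    """Return {list_name: [method, ...]} for every 'aaa authentication login' line.
    'group <name>' is kept as a single method token so ordering is preserved."""
    lists = {}
    for raw in config.splitlines():
        m = LOGIN_RE.match(raw.strip())
        if not m:
            continue
        name, rest = m.groups()
        tokens = rest.split()
        methods, i = [], 0
        while i < len(tokens):
            if tokens[i] == "group" and i + 1 < len(tokens):
                methods.append("group " + tokens[i + 1])
                i += 2
            else:
                methods.append(tokens[i])
                i += 1
        lists[name] = methods
    return lists


def parse_line_bindings(config):
    """Map each 'line ...' stanza to the login list it uses.
    Under 'aaa new-model' a line with no 'login authentication' uses 'default'."""
    bindings, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            bindings[current] = "default"
        elif current and raw.strip().startswith("login authentication "):
            bindings[current] = raw.strip().split()[-1]
    return bindings


def evaluate(methods, server_reachable, tacacs_ok, local_ok):
    """Simplified model of the IOS method-list walk: the next method is tried
    only when the current one returns ERROR (server unreachable), never on FAIL."""
    for method in methods:
        if method.startswith("group "):
            if not server_reachable:
                continue  # ERROR: fall through to the next method
            return "PASS" if tacacs_ok else "FAIL"  # FAIL stops the walk
        if method == "local":
            return "PASS" if local_ok else "FAIL"
        if method == "none":
            return "PASS"  # any user is accepted without credentials
    return "FAIL"  # every method errored: IOS denies the login


def audit(config):
    """Findings a reviewer would raise for the question in this thread."""
    lists = parse_login_lists(config)
    bindings = parse_line_bindings(config)
    findings = []
    for name, methods in lists.items():
        if "none" in methods:
            findings.append(f"list '{name}' contains 'none': any login succeeds once TACACS+ is unreachable")
        elif methods[0] == "local":
            findings.append(f"list '{name}' tries 'local' first: local accounts usable even when TACACS+ is up")
        elif "local" not in methods:
            findings.append(f"list '{name}' has no fallback: lockout if TACACS+ is unreachable")
    for line, lst in bindings.items():
        if lst not in lists:
            findings.append(f"line '{line}' uses undefined list '{lst}'")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f)
    # Bad TACACS+ password with the server up: local is never consulted.
    print(evaluate(["group tacacs+", "local"], True, False, True))
```

Running it against the sample prints two findings (the `none` in `telnet_lines` and the local-first `no_tacacs` list) and `FAIL` for the last call: with the server reachable, a wrong TACACS+ password ends the walk and the local account is never tried, which is the behaviour the original poster wanted and already had.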
giltjrCommented:
What authentication do you have set up for your console and vty lines?
dcawoodAuthor Commented:
giltjr,

I thought that aaa new-model takes out entries from con and vty? Here is what we have.

line con 0
line aux 0
 no exec
line vty 0 4
 exec-timeout 15 0
 privilege level 15
 transport input ssh
RunningGagCommented:
No, as per the Cisco example, you have to apply the authentication to the vty lines.
giltjrCommented:
No, you need to add the login authentication to your lines. You can use login authentication default.
dcawoodAuthor Commented:
Found the problem. I just started working here a week ago, so I'm new to the network. It didn't make sense to me that it was using the local password... because it shouldn't. I checked ACS and there was an admin account with the same user/pass. DOH! Thanks everyone!
giltjrCommented:
I'm fairly sure you still need to say what login authentication to use.

Of course, since our name is not "default", that could be the reason we must specify ours.