dcawood (asker) asked:

TACACS AAA: allow only TACACS authentication when there is connectivity to TACACS

Is there a command that will force users to use TACACS when there is connectivity to TACACS? We still want to use the local user/pass when there is no connectivity, but do not want users to log in with that local account when TACACS is available.
RunningGag:

The syntax is:

aaa authentication login {default | list_name} group {group_name | tacacs+ | radius} [method2] [method3 [method4]]

So what you are looking for would be:

aaa authentication login default group tacacs+ local

Reference:

http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfathen.html#wp1001032
dcawood (asker):

I should have posted this before. We do have that syntax; however, people can still log in using a local login. We want to stop that from happening unless the device loses connectivity to the ACS server.


! default login list: TACACS+ is asked first; local is consulted only if no server answers
aaa authentication login default group tacacs+ local
! named list with local only, for lines that must never depend on TACACS+
aaa authentication login no_tacacs local

aaa authentication ppp default group tacacs+ local

aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization network default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
!
aaa session-id common
Hi dcawood,

I just ran a quick check through the Cisco curriculum for AAA authentication; this is the configuration they have listed in their lab example:

--------------------

R1# show run
hostname R1
!
aaa new-model
!
aaa authentication login default group tacacs+ none
aaa authentication login telnet_lines group tacacs+
!
interface FastEthernet0/0
ip address 192.168.10.1 255.255.255.0
no shutdown
!
tacacs-server host 192.168.10.50 key ciscosecret
!
line vty 0 4
login authentication telnet_lines
end

Copyright © 2007, Cisco Systems, Inc

------------------------------

Have you specified the TACACS+ server?

tacacs-server host 192.168.10.50 key ciscosecret
dcawood (asker):

Yes, I just didn't add the server. I can log in via TACACS and local. By adding none to the end, will I, or likely someone far away, be able to log in with a local account?
If you add none instead of local, it will require TACACS authentication and will not allow logging in with local credentials.
Oh, sorry, no, the opposite is true: it lets anyone in without authenticating.

"Because the none keyword enables any user logging in to successfully authenticate, it should be used only as a backup method of authentication."
dcawood (asker):

Yep, that's what I read on Cisco. I'm looking to keep folks off the local account till it's necessary. This way they are forced to use their TACACS credentials.
giltjr:
We have:

aaa group server tacacs+ TACSRV
 server 172.16.111.14
!
! custom prompts; a reachable TACACS+ server supplies its own prompts, so these
! are only seen when the list has fallen through to local
aaa authentication password-prompt LCLPassword:
aaa authentication username-prompt LCLUsername:
aaa authentication login TACSRV group tacacs+ local
aaa authentication enable default group tacacs+ enable
! named exec-authorization list; takes effect only where a line has
! 'authorization exec TACSRV' applied
aaa authorization exec TACSRV group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting commands 15 default start-stop group TACSRV
!
line con 0
 login authentication TACSRV
line vty 0 4
 login authentication TACSRV
line vty 5 15
 login authentication TACSRV


If the switch has connectivity to the TACACS+ server, you get the normal Username and Password prompts and you can NOT use a local ID.

If the switch has NO connectivity to the TACACS+ server, you get the LCLUsername and LCLPassword prompts and you need to use a local ID.
What authentication do you have set up for your console and vty lines?
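The behaviour RunningGag's method-list syntax, giltjr's TACSRV config and the warning about none all depend on is the order in which IOS walks the list: a PASS or FAIL from a method ends the evaluation, and only an ERROR (no server answered) moves on to the next method. The Python model below is an added example, not code from this thread or from Cisco; the ACS server, usernames, passwords and the sample config lines are constructed, and the case names in run_scenario are invented labels.

```python
"""Model of how Cisco IOS walks an AAA login method list (added example, not from the thread).
Methods are tried in order; PASS or FAIL ends the evaluation, only ERROR (no server answered)
moves on to the next method. Server, users and passwords below are constructed data."""
from dataclasses import dataclass
from enum import Enum
import re

class Result(Enum):
    PASS = "pass"    # credentials accepted
    FAIL = "fail"    # credentials rejected: evaluation stops here
    ERROR = "error"  # method could not answer: try the next method

@dataclass
class TacacsServer:
    """Constructed stand-in for the ACS server; 'reachable' models the timeout case."""
    users: dict
    reachable: bool = True

    def authenticate(self, user: str, password: str) -> Result:
        if not self.reachable:
            return Result.ERROR
        return Result.PASS if self.users.get(user) == password else Result.FAIL

@dataclass
class Device:
    local_users: dict
    tacacs: TacacsServer

    def _local(self, user: str, password: str) -> Result:
        # IOS: an unknown local username is an ERROR (next method); a wrong
        # password for a known local user is a FAIL (stop).
        if user not in self.local_users:
            return Result.ERROR
        return Result.PASS if self.local_users[user] == password else Result.FAIL

    def login(self, methods, user: str, password: str):
        """Return (authenticated, method that made the decision)."""
        for method in methods:
            if method.startswith("group "):      # any TACACS+ server group
                r = self.tacacs.authenticate(user, password)
            elif method == "local":
                r = self._local(user, password)
            elif method == "none":
                r = Result.PASS                  # asks for nothing at all
            else:
                raise ValueError(f"unsupported method {method!r}")
            if r is not Result.ERROR:
                return r is Result.PASS, method
        return False, "no method could answer"

def parse_login_list(line: str):
    """'aaa authentication login default group tacacs+ local' -> ['group tacacs+', 'local']"""
    m = re.match(r"aaa authentication login \S+ (.+)$", line.strip())
    if not m:
        raise ValueError(f"not a login method list: {line!r}")
    tokens, methods = m.group(1).split(), []
    while tokens:
        tok = tokens.pop(0)
        methods.append(f"group {tokens.pop(0)}" if tok == "group" else tok)
    return methods

def lint_login_lists(config: str):
    """Flag the two list shapes the thread warns about."""
    findings = []
    for line in config.splitlines():
        line = line.strip()
        if not line.startswith("aaa authentication login"):
            continue
        methods = parse_login_list(line)
        if "none" in methods:
            findings.append(f"{line}: 'none' admits anyone once earlier methods error")
        if methods[0] == "local":
            findings.append(f"{line}: local is consulted before the TACACS+ group")
    return findings

# Constructed config: one sound list, one 'none' fallback, one local-first list.
SAMPLE_CONFIG = """\
aaa authentication login default group tacacs+ local
aaa authentication login backup group tacacs+ none
aaa authentication login lclfirst local group tacacs+
"""

def run_scenario():
    """Replay the situation in the thread; returns {case: (authenticated, method)}."""
    acs = TacacsServer(users={"admin": "acs-secret"})
    r1 = Device(local_users={"admin": "local-secret"}, tacacs=acs)
    default_list = parse_login_list("aaa authentication login default group tacacs+ local")
    out = {
        "server up, local password": r1.login(default_list, "admin", "local-secret"),
        "server up, ACS password": r1.login(default_list, "admin", "acs-secret"),
    }
    acs.reachable = False                        # ACS times out
    out["server down, local password"] = r1.login(default_list, "admin", "local-secret")
    out["server down, none fallback"] = r1.login(["group tacacs+", "none"], "anyone", "x")
    # The asker's eventual finding: same username and password in ACS and locally.
    acs.reachable, acs.users["admin"] = True, "local-secret"
    out["same password in ACS and local"] = r1.login(default_list, "admin", "local-secret")
    return out
```

With the server up, the local password is rejected by TACACS+ and the list stops there; only when the server times out does local get a turn, and a list ending in none admits anyone at that point. The last case shows why the asker saw a "local" login succeed: when ACS holds the same username and password, the accept comes from TACACS+ and the local database is never consulted.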
dcawood (asker):

giltjr,

I thought that aaa new-model takes the entries out of con and vty? Here is what we have.

line con 0
line aux 0
 no exec
line vty 0 4
 exec-timeout 15 0
 privilege level 15
 transport input ssh
No, as per the Cisco example, you have to apply the authentication to the vty lines.
No, you need to add the login authentication to your lines. You can use login authentication default.
dcawood (asker):

Found the problem. I just started working here a week ago, so I'm new to the network. It didn't make sense to me that it was using the local password, because it shouldn't. I checked ACS and there was an admin account with the same user/pass. DOH! Thanks everyone!
Asker certified solution: giltjr