
I have TACACS+ working and now I am trying to set it up so that it will failover locally if the TACACS+ server is unavailable.

My goal is for it to check the TACACS server first, then failover if it is not contactable.

It is my understanding that the configuration line below would achieve this, with the word "local" coming AFTER the "group tacacs+" command:

aaa authentication login vtymethod group tacacs+ local

Test: I disable the TACACS service on the server and try to authenticate with a local user, and am told that the user is not in a group (as if it were being rejected by TACACS).

I can achieve the end goal as stated above with the following command line instead:

aaa authentication login vtymethod local group tacacs+

So it checks whether the user is available locally first... it was ALWAYS my understanding that putting it last would allow it to fail over, and I would like TACACS to be checked first...

Any tips on where I am going wrong here?

Lance
  • If you shut down/unplug/null-route the TACACS server so it is no longer reachable, does the router fail over correctly? I don't remember exactly what's in the TACACS server health checks, but it could be failing to fail over because the server is reachable (ping) but not answering TACACS. – cpt_fink Jun 07 '13 at 02:20

4 Answers


The local keyword on the end is correct for failover.

The problem is that failover is not instantaneous and takes up to 30 seconds to occur.

Clearly, when testing, I was not waiting long enough for it to realise that the TACACS server was not available (although I would have thought the mechanism would be more like: check TACACS, it fails, it fails over).

Lance

aaa new-model

aaa authentication login {method} group {server} {fallback}

Yes, the fallback should be 'local' to use the local database. The tac_plus developer's guide may answer your question.

CONFIGURING USERS AND GROUPS TACACS+

Each user may belong to a group (but only one group). Each group may in turn belong to one other group and so on ad infinitum. Users and groups are declared as follows. Here we declare two users "fred" and "lily", and two groups, "admin" and "staff".

Fred is a member of group "admin", and group "admin" is in turn a member of group "staff". Lily is not a member of any group.

    user = lily {
        # user lily is not a member of any group
        # and has nothing else configured as yet
    }

    user = fred {
        # fred is a member of group admin
        member = admin
    }

    group = admin {
        # group admin is a member of group staff
        member = staff
    }

    group = staff {
        # group staff is not a member of any group
    }

RECURSION AND GROUPS

In general, when the daemon looks up values, e.g. passwords, it will first look to see if the user has her own password. If not, it looks to see if she belongs to a group and, if so, whether the group has a password defined. If not, this process continues through the hierarchy of groups (a group can be a member of another group) until a value is found or there are no more groups. This recursive process occurs for lookups of expiration dates, for pap, arap and chap "secrets", and also for authorization parameters (see later).

A typical configuration technique is thus to place users into groups and specify as many groupwide characteristics in the group declaration as possible. Then, individual user declarations can be used to override the group settings for selected users as needed.

http://www.stben.net/tacacs/users_guide.html

haile
  • hmmmm yeah except that it isn't falling back when local is put last - therein lies my confusion - thanks for the doco though – Lance Jun 05 '13 at 23:36

I actually am already doing this with a variety of Cisco switches and routers. Here are the relevant lines of code from the IOS configs.

aaa new-model
aaa authentication login default group tacacs+ local
tacacs-server host **redacted**
tacacs-server directed-request
tacacs-server **redacted**

As you can see, yes you follow "tacacs+" with "local".

As to how long failover takes, when you attempt to authenticate the TACACS source must be unreachable by the router for at least 15 seconds (5 seconds for timeout and 3 attempts to contact the server) before the authentication source will change to local. https://supportforums.cisco.com/discussion/11350726/two-acs-server-failover

user5870571
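To make the ordering question concrete, here is an added Python model of how an IOS-style method list is walked; it is not code from the thread or from Cisco. It uses the thread's figures (5 s timeout, 3 attempts) and Cisco's documented rule that the next method is consulted only when a method returns an error (no usable reply), not when it rejects the credentials. The credential stores, the `TacacsServer` flags and the treatment of an unknown local user as an error (so that `local group tacacs+` moves on to the server, as the asker's test shows) are constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum

class Result(Enum):
    PASS = "pass"    # credentials accepted, login succeeds
    FAIL = "fail"    # credentials rejected: the method list stops here
    ERROR = "error"  # method could not answer (no server reply): try the next method

# Constructed sample credential stores for the simulation, not real accounts.
LOCAL_USERS = {"admin": "localpw"}
TACACS_USERS = {"lance": "tacpw"}

@dataclass
class TacacsServer:
    reachable: bool = True   # False: the host never answers (unplugged, null-routed)
    service_up: bool = True  # False: host is up but the TACACS+ daemon is stopped
    timeout: int = 5         # seconds per attempt (the thread's figure)
    retries: int = 3         # attempts before 'group tacacs+' gives up (the thread's figure)

def tacacs_method(server, user, pw):
    """'group tacacs+': returns (Result, seconds spent waiting)."""
    if not server.reachable or not server.service_up:
        # No usable reply: retry, then report ERROR so the next method is tried.
        return Result.ERROR, server.timeout * server.retries
    if TACACS_USERS.get(user) == pw:
        return Result.PASS, 0
    return Result.FAIL, 0  # explicit reject from the server: no fallback to local

def local_method(server, user, pw):
    """'local': modelled (assumption) as ERROR for an unknown user, so the next
    method is consulted, and FAIL for a known user with a wrong password."""
    if user not in LOCAL_USERS:
        return Result.ERROR, 0
    return (Result.PASS if LOCAL_USERS[user] == pw else Result.FAIL), 0

def run_method_list(methods, server, user, pw):
    """Walk an IOS-style method list: stop on PASS or FAIL, continue only on ERROR."""
    elapsed = 0
    for method in methods:
        result, seconds = method(server, user, pw)
        elapsed += seconds
        if result is not Result.ERROR:
            return result, elapsed
    return Result.FAIL, elapsed  # every method errored: deny the login

TACACS_THEN_LOCAL = [tacacs_method, local_method]  # ... group tacacs+ local
LOCAL_THEN_TACACS = [local_method, tacacs_method]  # ... local group tacacs+
```

The model also shows the trade-off the thread circles around: with the server up, `group tacacs+ local` never consults local accounts (a reject ends the list), while `local group tacacs+` lets a local account bypass TACACS+ entirely.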

From what I remember, local and LOCAL for Cisco are two different things.

local will refer to an object-group called as such.

LOCAL refers to the actual user database stored locally on the Cisco device.

Therefore, your command should read as follows:

aaa authentication login vtymethod group tacacs+ LOCAL

Sorry, it seems this is only true on ASA devices...

Alex