AAA Configuration on Cisco Switch

First off, if I posted this in the wrong place, let me know and I will move the question to a better forum area.

I am studying AAA authentication. I keep hearing it stressed that it’s best practice to put “local” on the end of your lines in case your TACACS server or RADIUS server goes down.

For example, I set up a switch, an AAA server and a PC in the Boson simulator to play with and test:

username brian  password brian
!
aaa new-model
aaa authentication login auth group tacacs+ local
tacacs-server host 192.168.1.3 
!
line con 0
line aux 0
line vty 0 4
login
!

I created a TACACS+ server, added the user auth and created a password for him in Boson.

When I try to connect with the config above, it asks for a password and then gives “login invalid”.

So if I change the VTY config to the following:

line vty 0 4
login authentication auth

It will connect using the authentication from the TACACS server and use that password, so it’s successful.

So now I wanted to test the “local” thing on the end, right? I mean, that’s best practice, so it’s supposed to be there in case the TACACS server goes down. So I go into the interface that connects to the TACACS server (Fast0/1) and shut it down.

I then try to connect with the TACACS server down, and it does not let me connect via “local” as I was led to believe, but instead says:

Trying 192.168.1.1 ...
% Destination unreachable; gateway or host down
c:>

So I cannot telnet. If this had not been a test situation, I would have been in big trouble with a remote switch or router and not able to reach it.

The AAA only works, it seems, if you set it up under VTY or console etc., but the “local” backup command does not seem to work.

I know I can make telnet use local by telling it to, using login and a password or using login local, but if I do that then that defeats the purpose of having local on the end of the AAA TACACS command.

I also did something like vty 0 2 and gave that login authentication auth, and then vty 3-4 login authentication local, so if vty 0 2 did not work I could get in on vty 3-4.
That is not what they are talking about, is it? Because I could do the same thing without adding local to the end of the TACACS command.

Here is some documentation from an exam practice test:

Now, their lines of text were a bit different from what I was practicing in my custom lab. They had:

aaa authentication login auth group tacacs+ local
aaa authentication login default group tacacs+ 

I would love some help understanding this so it is actually feasible to use.

Thanks!

-------------------- EDIT --------------------

OK, I set this up on VIRL and it works… so the Boson simulator software is great for labs, but you cannot deviate and go experimenting.

In my Cisco VIRL lab I added the following syntax:

switchA#show run
Building configuration…

*Jul 4 00:27:09.870: %SYS-5-CONFIG_I: Configured from console by console
Current configuration : 2798 bytes
!
! Last configuration change at 00:27:09 UTC Tue Jul 4 2017
!
version 15.2

!
!
username brian password 0 brian
aaa new-model
!
!
aaa authentication login default group tacacs+ local

line con 0
line aux 0
line vty 0 4
!
!
end


Note: I did not add anything to line vty 0 4; it did not allow for it, but I didn’t have to. I was able to telnet from my HostA to Switch A, and it asked for a username and password; I entered the local username and password and it worked!

To test this I removed the local from the end of the syntax:

!
!
username brian password 0 brian
aaa new-model
!
!
aaa authentication login default group tacacs+
!
!
!

This time it gave me an error and would not let me in:

HostA#telnet 192.168.1.2
Trying 192.168.1.2 … Open
% Authentication failed

% Authentication failed

% Authentication failed

[Connection to 192.168.1.2 closed by foreign host]
HostA#

I also tested this with “enable” and “line” instead of “local”, and it used the enable and the line password and worked fine as well. =)

So it is working as intended; the only difference is I don’t have to add the line vty 0 4 commands, as they don’t exist on my VIRL switch. I don’t know if that’s because the Cisco VIRL is using a newer IOS than the one emulated in the Boson software or something else, but it does seem to be working as I would understand it to.

I love the Boson software for preconfigured labs but not for experimenting; I have to create a Cisco VIRL test lab for that. The reason I like Boson is it’s fast and easy, but in the end it’s not the real stuff, so you cannot go deviating much on it.
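The experiments in the post (default list with and without "local", the TACACS+ server reachable or not, and the practice test's pair of an "auth" list and a "default" list) all come down to one rule of Cisco IOS method lists: the next method in the list is consulted only when the current one gives no answer (server unreachable or timed out); when a method answers with a reject, the attempt ends there and "local" is never tried. The model below is an added example written for this page, not configuration or code from the post, from Boson or from Cisco. It sends no TACACS+ traffic: `TacacsGroup`, `LocalDatabase`, `AaaConfig`, the user names and the server state are all constructed stand-ins, and a line with no applicable list is simply reported as out of scope. The point it makes for a defender is that appending "local" is a safety net against an unreachable server, not a second chance after a rejected login, and that a named list such as "auth" protects only the lines that actually reference it with `login authentication auth`; every other line uses "default".

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Outcome(Enum):
    PASS = "pass"    # method authenticated the user
    FAIL = "fail"    # method answered and rejected the credentials
    ERROR = "error"  # method gave no answer (server unreachable / timeout)


@dataclass
class TacacsGroup:
    """Stand-in for 'group tacacs+' (hypothetical; sends no real traffic)."""
    reachable: bool
    users: Dict[str, str]

    def authenticate(self, user: str, password: str) -> Outcome:
        if not self.reachable:
            return Outcome.ERROR  # no reply: IOS moves on to the next method
        return Outcome.PASS if self.users.get(user) == password else Outcome.FAIL


@dataclass
class LocalDatabase:
    """Stand-in for the 'local' method ('username ... password ...' entries)."""
    users: Dict[str, str]

    def authenticate(self, user: str, password: str) -> Outcome:
        return Outcome.PASS if self.users.get(user) == password else Outcome.FAIL


@dataclass
class AaaConfig:
    # list name -> ordered [(method label, method object)], e.g. "default" -> [tacacs+, local]
    method_lists: Dict[str, list]
    # line -> list name set with 'login authentication <name>'; unset lines use 'default'
    line_lists: Dict[str, str] = field(default_factory=dict)

    def list_for_line(self, line: str) -> Optional[str]:
        name = self.line_lists.get(line, "default")
        return name if name in self.method_lists else None


def authenticate_login(cfg: AaaConfig, line: str, user: str, password: str) -> Tuple[bool, List[str]]:
    """Walk the line's method list the way IOS does: the next method is tried
    only after an ERROR; a FAIL ends the attempt without consulting 'local'."""
    trace: List[str] = []
    name = cfg.list_for_line(line)
    if name is None:
        trace.append(f"{line}: no applicable method list (case not modelled here) -> denied")
        return False, trace
    for label, method in cfg.method_lists[name]:
        outcome = method.authenticate(user, password)
        trace.append(f"{line} via {name}/{label}: {outcome.value}")
        if outcome is Outcome.PASS:
            return True, trace
        if outcome is Outcome.FAIL:
            return False, trace  # rejected: later methods are NOT tried
    trace.append(f"{line} via {name}: every method errored -> denied")
    return False, trace


def scenarios() -> Dict[str, Tuple[bool, List[str]]]:
    """Constructed lab states mirroring the post's experiments (sample data only)."""
    local = LocalDatabase({"brian": "brian"})
    server_up = TacacsGroup(reachable=True, users={"auth": "s3cret"})
    server_down = TacacsGroup(reachable=False, users={"auth": "s3cret"})
    results: Dict[str, Tuple[bool, List[str]]] = {}
    # 1. 'aaa authentication login default group tacacs+ local', server link shut down
    cfg = AaaConfig({"default": [("tacacs+", server_down), ("local", local)]})
    results["default tacacs+ local, server down"] = authenticate_login(cfg, "vty", "brian", "brian")
    # 2. same list with 'local' removed: nothing answers, so the login is refused
    cfg = AaaConfig({"default": [("tacacs+", server_down)]})
    results["default tacacs+ only, server down"] = authenticate_login(cfg, "vty", "brian", "brian")
    # 3. server reachable and it rejects the local-only user: 'local' is never consulted
    cfg = AaaConfig({"default": [("tacacs+", server_up), ("local", local)]})
    results["server up rejects, local present"] = authenticate_login(cfg, "vty", "brian", "brian")
    # 4. the practice-test pair: 'auth' protects only lines that reference it; 'con' uses 'default'
    cfg = AaaConfig({"auth": [("tacacs+", server_down), ("local", local)],
                     "default": [("tacacs+", server_down)]},
                    line_lists={"vty": "auth"})
    results["named list applied to vty, server down"] = authenticate_login(cfg, "vty", "brian", "brian")
    results["con falls to default, server down"] = authenticate_login(cfg, "con", "brian", "brian")
    return results


if __name__ == "__main__":
    for name, (allowed, trace) in scenarios().items():
        print(f"{name}: {'ALLOWED' if allowed else 'DENIED'}")
        for step in trace:
            print("   ", step)
```

Scenario 3 is the one to keep in mind when reviewing a real configuration: a reachable server that rejects a login is the end of the story, so "local" does not weaken a working TACACS+ deployment, but scenario 4 shows why an unreferenced named list leaves the console or other lines on whatever "default" says.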