I am going through the exam topics that I did not do so well on and I found this topic, but I haven’t found any information about it on this website. I was hoping someone could elaborate on this topic for me. I assume it is a method of using local usernames and passwords configured on the Cisco device when the RADIUS server or TACACS+ server is unavailable.
Hello Kevin
The local privilege authorization fallback does indeed have to do with a method of using the local usernames and passwords to authorize users into the device in the event that a RADIUS or TACACS+ server is unavailable. This can be done using the following command for example:
aaa authorization exec default group tacacs+ local
By listing the sources of authorization in order, we can state that the local database is the fallback method. Now this allows authorization via the configured tacacs+ and if that is unavailable, it will use the local database.
Now there is an additional parameter that you can use, and this can be seen here:
aaa authorization exec default group tacacs+ local if-authenticated
The if-authenticated keyword is used here for situations where a user has been authenticated using TACACS+, but during the session the TACACS+ server goes down; the user can still continue doing configuration. If this option is not added, once the TACACS+ server goes down, authorization fails, and the user is no longer authorized and cannot continue to configure.
Both of these concepts are included in this specific exam topic.
I hope this has been helpful!
Laz
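A fuller IOS configuration that puts the two commands above into context, as an added example and not part of the original thread or of any vendor documentation. The server address (192.0.2.10, a documentation range), the shared key, the username and the privilege level are placeholder assumptions; the method lists themselves are the ones discussed in the answer.

```cisco
! Added example (not from the original post). Placeholders: server IP, key, username.
aaa new-model
!
! Local fallback account: only consulted when every TACACS+ server is unreachable.
! A REJECT from a reachable server does not fall through to the local database.
username admin privilege 15 secret REPLACE_WITH_STRONG_SECRET
!
tacacs server TAC1
 address ipv4 192.0.2.10
 key REPLACE_WITH_SHARED_KEY
!
! Login authentication: TACACS+ first, local database if no server answers.
aaa authentication login default group tacacs+ local
!
! Exec authorization: TACACS+ first, then local. if-authenticated lets a user who
! already authenticated keep working if the server goes down mid-session.
aaa authorization exec default group tacacs+ local if-authenticated
!
! Exec authorization is not applied to the console line unless this is set.
aaa authorization console
!
line vty 0 4
 login authentication default
 authorization exec default
```

Two points worth checking when labbing this: first, the `local` method is reached only when the TACACS+ server is unreachable (a timeout), not when it explicitly rejects the user, so a wrong password still fails even though a local account exists; second, the order of the keywords in the method list is the order in which IOS tries them, so `local if-authenticated` and `if-authenticated local` do not behave the same way once the server is down.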
Laz,
Thank you so much for your reply! I am glad I have some configuration examples to look at now. I understand this topic much better and look forward to labbing it up!
Thanks,
Scott Weller