This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Login fallback to local user even tacacs configured

Login fallback to local user even tacacs configured

pgimer
New Contributor

‎03-10-2023 01:29 AM

We configured TACACS over Extreme Switch but you can also log in with a local account.

My Configuration is 

configure tacacs primary server 172.16.11.52 49 client-ip 172.16.0.10 vr VR-Default
configure tacacs primary shared-secret encrypted "#$H4H5oLIn4H+TRgtYrxiHVtFwGtljZw=="
configure tacacs-accounting primary server 172.16.11.52 49 client-ip 172.16.0.10 vr VR-Default
configure tacacs-accounting primary shared-secret encrypted "#$hp08PEW0oz0kZBjQaP0bHYqBdCcqSg=="
enable tacacs
configure tacacs timeout 60
enable tacacs-accounting
enable tacacs-authorization
configure tacacs fallback disallow
configure tacacs priv-lvl required
create account admin cisco encrypted "$5$sRVgQN$aL8UAzkEwMLmGPy82v1On6QLuvBeKdjVQGCRsUmcjq3"

 

0 Kudos
1 REPLY 1

Gabriel_G
Extreme Employee

‎03-10-2023 07:49 AM

Hello!

Generally this issue is due to the TACACS+ server not replying with a 'fail' or 'accept' message. It is probably sending something else in response leading the switch to think that the server is not working, therefore, it falls back to local authentication.

 

These articles may be helpful:
https://extremeportal.force.com/ExtrArticleDetail?an=000093509

https://extremeportal.force.com/ExtrArticleDetail?an=000082285

You may also need to collect a PCAP of the TACACS+ exchange, decode it via wireshark, and see what the TACACS server is replying with. If it is not a 'Fail' or 'Accept', that would be the issue.

 

Hope that helps!

0 Kudos
GTM-P2G8KFN