
Login fallback to local user even tacacs configured

pgimer
New Contributor

We configured TACACS on an Extreme switch, but you can also log in with a local account.

My configuration is:

configure tacacs primary server 172.16.11.52 49 client-ip 172.16.0.10 vr VR-Default
configure tacacs primary shared-secret encrypted "#$H4H5oLIn4H+TRgtYrxiHVtFwGtljZw=="
configure tacacs-accounting primary server 172.16.11.52 49 client-ip 172.16.0.10 vr VR-Default
configure tacacs-accounting primary shared-secret encrypted "#$hp08PEW0oz0kZBjQaP0bHYqBdCcqSg=="
enable tacacs
configure tacacs timeout 60
enable tacacs-accounting
enable tacacs-authorization
configure tacacs fallback disallow
configure tacacs priv-lvl required
create account admin cisco encrypted "$5$sRVgQN$aL8UAzkEwMLmGPy82v1On6QLuvBeKdjVQGCRsUmcjq3"

 

1 REPLY 1

Gabriel_G
Extreme Employee

Hello!

Generally, this issue is due to the TACACS+ server not replying with a 'fail' or 'accept' message. It is probably sending something else in response, leading the switch to think that the server is not working; therefore, it falls back to local authentication.

These articles may be helpful:
https://extremeportal.force.com/ExtrArticleDetail?an=000093509

https://extremeportal.force.com/ExtrArticleDetail?an=000082285

You may also need to collect a PCAP of the TACACS+ exchange, decode it via Wireshark, and see what the TACACS server is replying with. If it is not a 'Fail' or 'Accept', that would be the issue.

Hope that helps!
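
The check suggested in the reply above, as an added example that is not part of the original thread or Extreme's own code: it decodes a TACACS+ authentication REPLY taken from a capture (header layout and MD5 body obfuscation per RFC 8907) and reports whether the status is a definitive PASS (the 'Accept' the reply refers to) or FAIL. The function names, sample packets and shared secret are constructed for illustration.

```python
import hashlib
import struct

# Authentication REPLY status codes defined in RFC 8907.
STATUS = {0x01: "PASS", 0x02: "FAIL", 0x03: "GETDATA", 0x04: "GETUSER",
          0x05: "GETPASS", 0x06: "RESTART", 0x07: "ERROR", 0x21: "FOLLOW"}

def pad(session_id, key, version, seq_no, length):
    """RFC 8907 pseudo-pad: chained MD5 over session_id, key, version, seq_no."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    out, prev = b"", b""
    while len(out) < length:
        prev = hashlib.md5(seed + prev).digest()
        out += prev
    return out[:length]

def xor_body(body, session_id, key, version, seq_no):
    p = pad(session_id, key, version, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, p))

def decode_authen_reply(packet, key):
    """Decode one TACACS+ authentication REPLY (a TCP payload from the capture)."""
    if len(packet) < 18:
        raise ValueError("too short for a header plus an authentication reply body")
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if ptype != 0x01 or seq_no % 2 or length < 6 or len(body) != length:
        raise ValueError("not a complete authentication reply (type 1, even seq_no)")
    if not flags & 0x01:                      # 0x01 = TAC_PLUS_UNENCRYPTED_FLAG
        body = xor_body(body, session_id, key, version, seq_no)
    status, _, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    if 6 + msg_len + data_len != length:      # garbage lengths after de-obfuscation
        return {"status": "UNDECODABLE", "verdict": False, "server_msg": "",
                "hint": "length fields inconsistent; shared secret probably differs"}
    name = STATUS.get(status, f"UNKNOWN(0x{status:02x})")
    return {"status": name, "verdict": name in ("PASS", "FAIL"),
            "server_msg": body[6:6 + msg_len].decode("ascii", "replace"), "hint": ""}

def build_reply(status, msg, key, session_id=0x1234ABCD, seq_no=2, version=0xC0):
    """Constructed sample packet standing in for a real capture."""
    body = struct.pack("!BBHH", status, 0, len(msg), 0) + msg
    hdr = struct.pack("!BBBBII", version, 0x01, seq_no, 0, session_id, len(body))
    return hdr + xor_body(body, session_id, key, version, seq_no)

if __name__ == "__main__":
    key = b"constructed-secret"                # constructed, not a real secret
    for st, msg in ((0x02, b"Authentication failed"), (0x07, b"backend unavailable")):
        print(decode_authen_reply(build_reply(st, msg, key), key))
```

GETUSER, GETPASS and GETDATA are prompts that can appear mid-exchange, so it is the last reply of the session that should carry PASS or FAIL.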
