Cannot login with local account when TACACS is enabled

radicvedran
New Contributor

When TACACS is enabled, I cannot log in with a local account. When I disable TACACS, local login is OK. I cannot seem to find the command which would configure the order of authentication, or allow both options - if there is one. I'm a beginner with Extreme devices. I'd appreciate any advice.

OS: 16.2.5.4-patch1-20

Model: X670V-48x and X670-48x

Regards,
Vedran

2 ACCEPTED SOLUTIONS

Robert_Haynes
Extreme Employee

Not a switch expert.

However, I think this is design intent. As long as the TACACS server is reachable, local fallback will not be possible. Only if the TACACS server is actually down / fully blocked will local management authentications allow fallback to local accounts. Same for RADIUS - if the RADIUS server responds with Access-Reject / is reachable - fallback to local accounts will not work.

WillyHe
Contributor

Correct Robert.

The idea is to get authenticated by TACACS or NAC, then every network manager has his personal log-in and access level.
The local account(s) should have a difficult-to-remember log-in that is kept in a safe place.

When the login of a TACACS/NAC user is known by others, the login can easily be changed or blocked in the TACACS/NAC.
When the same happens with the local log-in, then you must change the log-in on ALL devices; when there are few it is doable, but when there are hundreds ...

Hope it helps
WillyHe

3 REPLIES

radicvedran
New Contributor

thx all
