11-15-2022 01:31 PM
When TACACS is enabled I cannot log in with a local account. When I disable TACACS, local login is OK. I cannot seem to find the command which would configure the order of authentication, or allow both options - if there is one. I'm a beginner with Extreme devices. I'd appreciate any advice.
OS: 16.2.5.4-patch1-20
Model: X670V-48x and X670-48x
Regards,
Vedran
11-16-2022 05:40 AM
Not a switch expert.
However, I think this is design intent. As long as the TACACS server is reachable, local fallback will not be possible. Only if the TACACS server is actually down / fully blocked will local management authentications allow fallback to local accounts. Same for RADIUS - if the RADIUS server responds with Access-Reject / is reachable - fallback to local accounts will not work.
11-16-2022 12:52 PM
Correct Robert.
The idea is to get authenticated by TACACS or NAC, then every network manager has his personal log-in and access level.
The local account(s) should have a difficult-to-remember log-in that is kept in a safe place.
When the login of a TACACS/NAC user is known by others, the login can easily be changed or blocked in the TACACS/NAC.
When the same happens with the local log-in, then you must change the log-in on ALL devices; when there are few it is doable, but when there are hundreds ...
Hope it helps
WillyHe
11-17-2022 05:40 AM
thx all