Scenario:
When a user logs into a switch locally (off network) with local credentials, and then reconnects the switch to the network, the switch isn’t forcing the user to log in with TACACS credentials. It still allows the local user to run commands. It is the same switch TACACS configuration we were using with ACS.
Switch TACACS config:
aaa new-model
tacacs server CPPM-1
 address ipv4 1.1.1.1
 key 7 xxyyzz
tacacs server CPPM-2
 address ipv4 2.2.2.2
 key 7 xxyyzz
aaa authentication login default group CPPM-Servers local
aaa authentication enable default group CPPM-Servers enable
aaa authorization exec default group CPPM-Servers if-authenticated
aaa authorization config-commands
aaa authorization commands 1 default group CPPM-Servers if-authenticated
aaa authorization commands 15 default group CPPM-Servers if-authenticated
aaa accounting exec default start-stop group CPPM-Servers
aaa accounting commands 1 default start-stop group CPPM-Servers
aaa accounting commands 15 default start-stop group CPPM-Servers
aaa accounting update periodic 5
no tacacs-server directed-request
ip tacacs source-interface Loopback0
aaa group server tacacs+ CPPM-Servers
 server name CPPM-1
 server name CPPM-2
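As an added example that is not part of the original post (and not Cisco or Aruba code): a small Python audit over the configuration posted above that lists every method-list position where the switch decides on its own (`local`, `enable`, `if-authenticated`, `none`, `line`) instead of waiting for an answer from the CPPM group. Two IOS facts are what the audit is built on: a method list only moves to the next method when the previous one returns an error (the server group is unreachable), never on an explicit deny from the server, and login authentication is evaluated once, when the session is opened. The `aaa` line parsing is written for the list forms that appear in this configuration and is an assumption of the example; the sample input is the posted configuration embedded verbatim.

```python
"""Audit an IOS-style AAA configuration for method lists that can fall
back to a decision made on the switch itself (local, enable, if-authenticated,
none, line) when the TACACS+ server group cannot be reached.

Added example for the post above, not Cisco or Aruba code. The parser below is
an assumption of this example and covers only the list forms shown in the post.
"""
import re

# Constructed sample input: the switch configuration from the post, verbatim.
SAMPLE_CONFIG = """\
aaa new-model
tacacs server CPPM-1
 address ipv4 1.1.1.1
 key 7 xxyyzz
tacacs server CPPM-2
 address ipv4 2.2.2.2
 key 7 xxyyzz
aaa authentication login default group CPPM-Servers local
aaa authentication enable default group CPPM-Servers enable
aaa authorization exec default group CPPM-Servers if-authenticated
aaa authorization config-commands
aaa authorization commands 1 default group CPPM-Servers if-authenticated
aaa authorization commands 15 default group CPPM-Servers if-authenticated
aaa accounting exec default start-stop group CPPM-Servers
aaa accounting commands 1 default start-stop group CPPM-Servers
aaa accounting commands 15 default start-stop group CPPM-Servers
aaa accounting update periodic 5
no tacacs-server directed-request
ip tacacs source-interface Loopback0
aaa group server tacacs+ CPPM-Servers
 server name CPPM-1
 server name CPPM-2
"""

# Methods answered by the switch itself rather than by an AAA server. IOS only
# moves to the next method in a list when the previous one returns an error
# (server group unreachable), never when the server returns an explicit deny.
SWITCH_DECIDED = {
    "local": "local user database",
    "enable": "enable password",
    "line": "line password",
    "none": "no check at all",
    "if-authenticated": "permit if the session is already authenticated",
}

# aaa <service> <kind> [level] <list-name> <methods...>
METHOD_LIST_RE = re.compile(
    r"^aaa\s+(?P<service>authentication|authorization|accounting)\s+"
    r"(?P<kind>login|enable|exec|commands|network|system|connection)"
    r"(?:\s+(?P<level>\d+))?\s+(?P<name>\S+)\s+(?P<rest>.+)$"
)
# Record types on accounting lines; they precede the methods and are not methods.
ACCOUNTING_ACTIONS = {"start-stop", "stop-only", "wait-start", "none"}


def split_methods(rest):
    """Turn 'group CPPM-Servers local' into ['group CPPM-Servers', 'local']."""
    tokens = rest.split()
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append(f"group {tokens[i + 1]}")
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def parse_method_lists(config):
    """Return one dict per AAA method-list line. Lines that carry no list
    (e.g. 'aaa authorization config-commands', 'aaa new-model') are skipped."""
    lists = []
    for raw in config.splitlines():
        m = METHOD_LIST_RE.match(raw.strip())
        if not m:
            continue
        methods = split_methods(m["rest"])
        if m["service"] == "accounting" and methods and methods[0] in ACCOUNTING_ACTIONS:
            methods = methods[1:]
        lists.append({
            "service": m["service"],
            "kind": m["kind"],
            "level": int(m["level"]) if m["level"] else None,
            "name": m["name"],
            "methods": methods,
        })
    return lists


def find_fallbacks(config):
    """Every position in a method list where the switch decides without the
    TACACS+ group having answered, and whether a server group precedes it."""
    findings = []
    for ml in parse_method_lists(config):
        label = f"{ml['service']} {ml['kind']}"
        if ml["level"] is not None:
            label += f" {ml['level']}"
        for pos, method in enumerate(ml["methods"]):
            if method in SWITCH_DECIDED:
                findings.append({
                    "list": label,
                    "method": method,
                    "after_server": any(x.startswith("group ") for x in ml["methods"][:pos]),
                    "meaning": SWITCH_DECIDED[method],
                })
    return findings


if __name__ == "__main__":
    for f in find_fallbacks(SAMPLE_CONFIG):
        when = "when the server group is unreachable" if f["after_server"] else "without asking a server"
        print(f"{f['list']:26} -> {f['method']:17} ({f['meaning']}) {when}")
```

Run against the posted configuration, the audit reports five positions: `local` on `authentication login`, `enable` on `authentication enable`, and `if-authenticated` on `authorization exec`, `commands 1` and `commands 15`, all reached only when the CPPM group is unreachable. The first of these is the path taken while the switch was off the network, and since login authentication is not re-run for a session that is already open, restoring connectivity does not by itself push that session back to TACACS. Once the servers are reachable again the `authorization commands` lists do send a request to CPPM for each command the open session runs, so what that session can still do from that point on depends on how CPPM answers for the local username, not on the switch.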