Wired Intelligent Edge

ArubaOS-Switch TACACS/Local Creds

  • 1.  ArubaOS-Switch TACACS/Local Creds

    Posted Sep 11, 2018 11:48 AM

    I'm trying to configure SSH and console authentication on a 3810/2930 that will allow both TACACS (Cisco) and local switch creds for authorized users to login to the switch. I have been successful at allowing one of the methods at a time, but I haven't been able to allow both at the same time, namely not being able to use local creds when the TACACS server is available. Is it possible to allow both? Here are the commands I've used:

    aaa accounting exec start-stop tacacs
    aaa authentication login privilege-mode
    aaa authentication console login tacacs local
    aaa authentication console enable tacacs local
    aaa authentication ssh login tacacs local
    aaa authentication ssh enable tacacs local

    I'm still fairly new to ArubaOS-Switch and would appreciate any help you can provide.


    #3810


  • 2.  RE: ArubaOS-Switch TACACS/Local Creds

    EMPLOYEE
    Posted Sep 12, 2018 11:12 AM

    Hi SubnetZero,

     

    The secondary parameter is for fallback, when the TACACS server is not available. This means that when the TACACS server is available it will use the TACACS server for AAA, and not the local database. If connectivity with the TACACS server fails, the authentication mechanism falls back to the local user database.

     

    Hope this helps,

     

    Dik
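
The fallback behaviour described in this reply, modelled as an added example (not code from the thread or from HPE Aruba). The regex covers only the `aaa authentication <access> <login|enable> <primary> [<secondary>]` form used in the question, treating an omitted secondary as `none` is an assumption, and the accounts are constructed.

```python
import hmac
import re

# Assumed form, taken from the commands in the question:
#   aaa authentication <access> <login|enable> <primary> [<secondary>]
AUTH_LINE = re.compile(
    r"^aaa authentication (console|ssh|telnet|web) (login|enable) (\S+)(?: (\S+))?$"
)

# The authentication lines from the question.
SAMPLE_CONFIG = """\
aaa authentication login privilege-mode
aaa authentication console login tacacs local
aaa authentication console enable tacacs local
aaa authentication ssh login tacacs local
aaa authentication ssh enable tacacs local
"""

# Constructed accounts, for illustration only.
TACACS_USERS = {"netops": "constructed-tacacs-pw"}
LOCAL_USERS = {"manager": "constructed-local-pw"}


def parse_auth_methods(config):
    """Map (access, level) -> (primary, secondary) for each matching line."""
    methods = {}
    for raw in config.splitlines():
        match = AUTH_LINE.match(raw.strip())
        if match:
            access, level, primary, secondary = match.groups()
            # Assumption: an omitted secondary means no fallback ("none").
            methods[(access, level)] = (primary, secondary or "none")
    return methods


def deciding_database(methods, access, level, server_reachable):
    """Name the database that gets the final say for this login attempt."""
    primary, secondary = methods[(access, level)]
    if primary == "local" or server_reachable:
        return primary  # a reachable server decides, even when it rejects
    return secondary  # consulted only when the server cannot be reached


def login_allowed(methods, access, level, user, password, server_reachable):
    """True if the deciding database holds this exact user/password pair."""
    database = deciding_database(methods, access, level, server_reachable)
    store = {"tacacs": TACACS_USERS, "local": LOCAL_USERS}.get(database, {})
    return user in store and hmac.compare_digest(store[user], password)
```

With the server reachable, the local `manager` account is refused on SSH even with the right password; it is accepted only when the server cannot be reached.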

     



  • 3.  RE: ArubaOS-Switch TACACS/Local Creds

    MVP GURU
    Posted Sep 12, 2018 11:25 AM

    No plans to have a fallback option (like ArubaCX) to also enable a local account?



  • 4.  RE: ArubaOS-Switch TACACS/Local Creds

    EMPLOYEE
    Posted Sep 12, 2018 12:04 PM

    AFAIK no plans, but I am pretty sure that a feature request can be raised and if there is a good justification, the feature can be built.



  • 5.  RE: ArubaOS-Switch TACACS/Local Creds

    MVP GURU
    Posted Sep 12, 2018 12:39 PM

    @networkingdvo wrote:

    AFAIK no plans, but I am pretty sure that a feature request can be raised and if there is a good justification, the feature can be built.


    For API? (It is not supported with RADIUS web authentication...)

    And also add TACACS for web authentication.



  • 6.  RE: ArubaOS-Switch TACACS/Local Creds

    Posted Sep 19, 2018 09:11 AM

    networkingdvo,

    Thank you for that clarification. That was the way I read it in the documentation, but was hoping I was wrong. I think we have another option though and can make that work.

    JK