
Aruba 6100 Running CX And TACACS

  • 1.  Aruba 6100 Running CX And TACACS

    Posted May 04, 2021 09:18 AM
    I am having a problem with my TACACS config and need some help.

    I want to be able to log in locally on the console when the TACACS servers are unavailable, but I am having problems.

    My config is the following:

    aaa authentication login console group TACACS local
    aaa authentication login ssh group TACACS local
    aaa authorization commands console group TACACS local
    aaa authorization commands ssh group TACACS local
    aaa accounting all-mgmt https-server start-stop group TACACS local
    aaa accounting all-mgmt ssh start-stop group TACACS local
    aaa accounting port-access start-stop group CLEARPASS


    I can log in when the TACACS servers are available, but when I unplug the network I cannot log in locally using the local account I created on the switch.

    Thanks

    ------------------------------
    stever robichaud
    ------------------------------


  • 2.  RE: Aruba 6100 Running CX And TACACS

    Posted May 04, 2021 03:27 PM

    Try adding this command and see if it makes any difference for you:

    aaa authentication allow-fail-through



    ------------------------------
    Christopher Wickline
    ------------------------------



  • 3.  RE: Aruba 6100 Running CX And TACACS

    Posted May 05, 2021 09:29 AM
    Thanks for the response.
    Yes, that worked, but I am a bit confused. On the website it states the following (I know in Cisco you just put local at the end):


    Note: If the databases for both the servers are identical, then there is no point in configuring 'allow-fail-through'.  It can even delay authentication time if "allow-fail-through" is checked and all servers point to the same database.




    ------------------------------
    stever
    ------------------------------



  • 4.  RE: Aruba 6100 Running CX And TACACS

    Posted May 05, 2021 09:46 AM

    So the link you probably found refers to AOS, which is used by the wireless controllers.

    I've found that in AOS-CX you need that command in order to tell the switch to check the second configured option. (I'm not really sure why, since that seems backwards from how every other vendor and other Aruba products do it, but I've just accepted it and added it to my template.)

    If you look in the AOS-CX security guide, you can find this little blurb:


    Enables authentication fail-through. When this option is enabled, the next server/authentication method is tried after an authentication failure.
    The no form of this command disables authentication fail-through. If the system fails to authenticate with a reachable TACACS+ or RADIUS server, the system does not attempt to authenticate with the next TACACS+/RADIUS server.
    ------------------------------
    Christopher Wickline
    ------------------------------
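To make the behaviour described in the guide text above concrete, here is an added example (not AOS-CX code, and not from anyone in this thread) that models how a method list such as `aaa authentication login ssh group TACACS local` is walked with and without `aaa authentication allow-fail-through`. The `TacacsGroup` and `LocalDb` classes, the sample accounts and the `unreachable_falls_through` flag are all assumptions: the quoted text only says that a reject from a reachable server stops evaluation unless fail-through is on, so how an unreachable server is treated without the command is left as a switch you can flip (the original poster's observation on the 6100 corresponds to `False`).

```python
"""Model of how an AAA login method list such as

    aaa authentication login ssh group TACACS local

is walked with and without `aaa authentication allow-fail-through`,
following the AOS-CX security guide text quoted in this thread.
Added example only; class names, outcomes and sample users are assumptions.
"""
from dataclasses import dataclass
from enum import Enum, auto


class Verdict(Enum):
    ACCEPT = auto()       # method authenticated the user
    REJECT = auto()       # method was reachable and refused the credentials
    UNREACHABLE = auto()  # method could not be contacted (servers down/unplugged)


@dataclass
class TacacsGroup:
    """Constructed stand-in for `group TACACS`: a user table plus a reachability flag."""
    users: dict
    reachable: bool = True
    name: str = "group TACACS"

    def authenticate(self, user: str, password: str) -> Verdict:
        if not self.reachable:
            return Verdict.UNREACHABLE
        return Verdict.ACCEPT if self.users.get(user) == password else Verdict.REJECT


@dataclass
class LocalDb:
    """Constructed stand-in for the switch's local user database."""
    users: dict
    name: str = "local"

    def authenticate(self, user: str, password: str) -> Verdict:
        return Verdict.ACCEPT if self.users.get(user) == password else Verdict.REJECT


def login(methods, user, password, allow_fail_through, unreachable_falls_through=True):
    """Walk the method list in order and return (granted, trail).

    Per the quoted guide text: with allow-fail-through, a REJECT from a
    reachable method moves on to the next method; without it, that REJECT
    ends the attempt. How an UNREACHABLE method is handled without the
    command is not stated in the quote, so it is a flag here (assumption).
    """
    trail = []
    for method in methods:
        verdict = method.authenticate(user, password)
        trail.append((method.name, verdict.name))
        if verdict is Verdict.ACCEPT:
            return True, trail
        if verdict is Verdict.REJECT and not allow_fail_through:
            return False, trail
        if verdict is Verdict.UNREACHABLE and not (allow_fail_through or unreachable_falls_through):
            return False, trail
        # otherwise fall through to the next configured method
    return False, trail


# Constructed sample credentials: one account known only to TACACS+, one local-only.
TACACS_USERS = {"stever": "tacacs-pw"}
LOCAL_USERS = {"admin": "local-pw"}


def scenarios(allow_fail_through, unreachable_falls_through=True):
    """Outcomes for the three cases a practitioner cares about."""
    up = TacacsGroup(TACACS_USERS, reachable=True)
    down = TacacsGroup(TACACS_USERS, reachable=False)
    local = LocalDb(LOCAL_USERS)
    kw = dict(allow_fail_through=allow_fail_through,
              unreachable_falls_through=unreachable_falls_through)
    return {
        # servers unplugged, local account: the case the original poster wanted to work
        "tacacs_down_local_cred": login([down, local], "admin", "local-pw", **kw)[0],
        # servers reachable, local-only account: the side effect of fail-through
        "tacacs_up_local_cred": login([up, local], "admin", "local-pw", **kw)[0],
        # servers reachable, wrong TACACS+ password: must stay denied
        "tacacs_up_bad_pw": login([up, local], "stever", "wrong", **kw)[0],
    }


if __name__ == "__main__":
    for ft in (False, True):
        print(f"allow-fail-through={ft}: {scenarios(ft)}")
```

The point worth checking in your own deployment is the middle case: once fail-through is on, a reject from a reachable TACACS+ server no longer ends the attempt, so a local account's password is accepted over SSH even while TACACS+ is up and has said no. That is what the guide's remark about delayed authentication refers to (the next method is tried on every rejection), and it is why the local accounts behind a fail-through list should be few, strong, and visible in the accounting records the first post already sends to the TACACS group.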



  • 5.  RE: Aruba 6100 Running CX And TACACS

    Posted May 05, 2021 02:58 PM
    Thanks for the response. It has cleared up the confusion.


    ------------------------------
    stever
    ------------------------------