I'm trying to configure SSH and console authentication on a 3810/2930 that will allow both TACACS (Cisco) and local switch creds for authorized users to login to the switch. I have been successful at allowing one of the methods at a time, but I haven't been able to allow both at the same time, namely not being able to use local creds when the TACACS server is available. Is it possible to allow both? Here are the commands I've used:
aaa accounting exec start-stop tacacsaaa authentication login privilege-modeaaa authentication console login tacacs localaaa authentication console enable tacacs localaaa authentication ssh login tacacs local
aaa authentication ssh enable tacacs local
I'm sitll fairly new to ArubaOS-Switch and would appreciate any help you can provide.
the secondary parameter is for fall back, when the tacacs server is not available. This means that when the Tacacs server is available it will use the Tacacs server for aaa, and not the local database. If connectivity with the Tacacs server fails, the authentication mechanism falls back to the local user database.
Hope this helps,
No planned to have fallback option ? (like ArubaCX) to also enable local account ?
AFAIK no plans, but I am pretty sure that a feature request can be raised and if there is a good justification, the feature can be built.
@networkingdvo wrote:AFAIK no plans, but I am pretty sure that a feature request can be raised and if there is a good justification, the feature can be built.
for API ? (it is not supported with RADIUS web authentication...)
and also add TACACS for Web authentication..
Thank you for that clarification. That was the way I read it in the documentation, but was hoping I was wrong. I think we have another option though and can make that work.
At Aruba, we believe that the most dynamic customer experiences happen at the Edge. Our mission is to deliver innovative solutions that harness data at the Edge to drive powerful business outcomes.
© Copyright 2021 Hewlett Packard Enterprise Development LPAll Rights Reserved.