Wired

last person joined: 16 minutes ago 

Bring performance and reliability to your network with the Aruba Core, Aggregation, and Access layer switches. Discuss the latest features and functionality of the ArubaOS-Switch and ArubaOS-CX devices, and find ways to improve security across your network to bring together a mobile first solution.
Expand all | Collapse all

ArubaOS-Switch TACACS/Local Creds

This thread has been viewed 3 times
  • 1.  ArubaOS-Switch TACACS/Local Creds

    Posted Sep 11, 2018 11:48 AM

    I'm trying to configure SSH and console authentication on a 3810/2930 that will allow both TACACS (Cisco) and local switch creds for authorized users to login to the switch. I have been successful at allowing one of the methods at a time, but I haven't been able to allow both at the same time, namely not being able to use local creds when the TACACS server is available. Is it possible to allow both? Here are the commands I've used:

    aaa accounting exec start-stop tacacs
    aaa authentication login privilege-mode
    aaa authentication console login tacacs local
    aaa authentication console enable tacacs local
    aaa authentication ssh login tacacs local

    aaa authentication ssh enable tacacs local

    I'm sitll fairly new to ArubaOS-Switch and would appreciate any help you can provide.


    #3810


  • 2.  RE: ArubaOS-Switch TACACS/Local Creds

    Posted Sep 12, 2018 11:12 AM

    Hi SubnetZero,

     

    the secondary parameter is for fall back, when the tacacs server is not available. This means that when the Tacacs server is available it will use the Tacacs server for aaa, and not the local database. If connectivity with the Tacacs server fails, the authentication mechanism falls back to the local user database.

     

    Hope this helps,

     

    Dik

     



  • 3.  RE: ArubaOS-Switch TACACS/Local Creds

    Posted Sep 12, 2018 11:25 AM

    No planned to have fallback option ? (like ArubaCX) to also enable local account ?



  • 4.  RE: ArubaOS-Switch TACACS/Local Creds

    Posted Sep 12, 2018 12:04 PM

    AFAIK no plans, but I am pretty sure that a feature request can be raised and if there is a good justification, the feature can be built.



  • 5.  RE: ArubaOS-Switch TACACS/Local Creds

    Posted Sep 12, 2018 12:39 PM

    @networkingdvo wrote:

    AFAIK no plans, but I am pretty sure that a feature request can be raised and if there is a good justification, the feature can be built.


    for API ? (it is not supported with RADIUS web authentication...)

    and also add TACACS for Web authentication..



  • 6.  RE: ArubaOS-Switch TACACS/Local Creds

    Posted Sep 19, 2018 09:11 AM

    networkingdvo,

    Thank you for that clarification. That was the way I read it in the documentation, but was hoping I was wrong. I think we have another option though and can make that work.

    JK