TACACS service on ClearPass
01-08-2019 01:01 PM
Customer using ClearPass with Cisco switches had the following question.
" For the tacacs service in ClearPass, when there is no service match, our Cisco devices do not fallback to local authentication, because the tacacs server is still running and replying back to the device it appears. Is there a way to circumvent this in the event that there is no service match and to simply not respond? "
To my understanding till ClearPass is alive switch will not fallback to local authentication.
Posting this question to confirm if there was a way around to customers ask.
Thanks in advance,
Re: TACACS service on ClearPass
01-08-2019 05:59 PM
This is how Cisco IOS works unfortunately. There is nothing much you can do on ClearPass for this issue. As far as TACACS server is reachable, Cisco IOS will not fallback to local authentication. As a workaround, can you try putting local auth ahead of TACACS:
aaa authentication login default local group tacacs+
ACDX | ACCX| CCIE (RnS/SP,DC) | ACCP | ACMP | ACSA | ACMA | CWNA | JNCIS | JNCIA
If the provided solution resolves your issue, please mark it as accepted solution to help others.