Wired Intelligent Edge (Campus Switching and Routing)

Reply
Occasional Contributor II

ArubaOS-Switch TACACS/Local Creds

I'm trying to configure SSH and console authentication on a 3810/2930 that will allow both TACACS (Cisco) and local switch creds for authorized users to login to the switch. I have been successful at allowing one of the methods at a time, but I haven't been able to allow both at the same time, namely not being able to use local creds when the TACACS server is available. Is it possible to allow both? Here are the commands I've used:

aaa accounting exec start-stop tacacs
aaa authentication login privilege-mode
aaa authentication console login tacacs local
aaa authentication console enable tacacs local
aaa authentication ssh login tacacs local

aaa authentication ssh enable tacacs local

I'm sitll fairly new to ArubaOS-Switch and would appreciate any help you can provide.

Aruba Employee

Re: ArubaOS-Switch TACACS/Local Creds

Hi SubnetZero,

 

the secondary parameter is for fall back, when the tacacs server is not available. This means that when the Tacacs server is available it will use the Tacacs server for aaa, and not the local database. If connectivity with the Tacacs server fails, the authentication mechanism falls back to the local user database.

 

Hope this helps,

 

Dik

 

MVP Expert

Re: ArubaOS-Switch TACACS/Local Creds

No planned to have fallback option ? (like ArubaCX) to also enable local account ?




PowerArubaSW: Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP... More info


PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...) More info


PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)


PowerArubaIAP: Powershell Module to use Aruba Instant AP




ACMP 6.4 / ACMX #107 / ACCP 6.5
Aruba Employee

Re: ArubaOS-Switch TACACS/Local Creds

AFAIK no plans, but I am pretty sure that a feature request can be raised and if there is a good justification, the feature can be built.

MVP Expert

Re: ArubaOS-Switch TACACS/Local Creds


@networkingdvo wrote:

AFAIK no plans, but I am pretty sure that a feature request can be raised and if there is a good justification, the feature can be built.


for API ? (it is not supported with RADIUS web authentication...)

and also add TACACS for Web authentication..




PowerArubaSW: Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP... More info


PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...) More info


PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)


PowerArubaIAP: Powershell Module to use Aruba Instant AP




ACMP 6.4 / ACMX #107 / ACCP 6.5
Occasional Contributor II

Re: ArubaOS-Switch TACACS/Local Creds

networkingdvo,

Thank you for that clarification. That was the way I read it in the documentation, but was hoping I was wrong. I think we have another option though and can make that work.

JK

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: