Updated:September 21, 2016
Configure these commands on the device in global configuration mode:
aaa new-model
aaa authentication login default local group tacacs+
With just "aaa new-model" configured, local authentication is applied to all lines and interfaces (except the console line, line con 0).
Here the AAA method list is applied to all login attempts on all lines of the device: the local database is checked first and then, if required, the Terminal Access Controller Access Control System (TACACS) server is tried.
Notice that it did not try to reach the TACACS server, because the username cisco was found locally.
Now, if you try to use a credential that is not configured locally on the box:
RUT#telnet 192.168.1.2
Trying 192.168.1.2 ... Open

User Access Verification

Username:
*Jul 23 09:36:01.099: AAA/BIND(0000001F): Bind i/f
*Jul 23 09:36:01.099: AAA/AUTHEN/LOGIN (0000001F): Pick method list 'default'
Username: cisco1
*Jul 23 09:36:11.095: TPLUS: Queuing AAA Authentication request 31 for processing
*Jul 23 09:36:11.095: TPLUS: processing authentication start request id 31
*Jul 23 09:36:11.095: TPLUS: Authentication start packet created for 31(cisco1)
*Jul 23 09:36:11.095: TPLUS: Using server 10.20.220.141
*Jul 23 09:36:11.095: TPLUS(0000001F)/0/NB_WAIT/47A14C34: Started 5 sec timeout
*Jul 23 09:36:16.095: TPLUS(0000001F)/0/NB_WAIT/47A14C34: timed out
*Jul 23 09:36:16.095: TPLUS(0000001F)/0/NB_WAIT/47A14C34: timed out, clean up
*Jul 23 09:36:16.095: TPLUS(0000001F)/0/47A14C34: Processing the reply packet
% Authentication failed
Notice that it now tries to reach the TACACS server 10.20.220.141. This is the expected default behavior. There is no username cisco1 configured on the TACACS server, hence the Authentication failed message.
If the device has aaa authentication login default group tacacs+ local in the configuration, its first preference is TACACS. If TACACS is reachable but the user is not configured on it, the device does not fall back and search the local database. It displays the % Authentication failed message.
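The two method-list orders described above ("local group tacacs+" and "group tacacs+ local") differ only in what each method returns and when the device moves on to the next one. The following Python model is an added illustration, not Cisco's code: it encodes the rule that a method list advances to the next method only when the current method returns an ERROR (server timed out, or username absent from the local database, which is why the cisco1 attempt above reached the TACACS server), never when a method answers with a FAIL (a reachable TACACS server rejecting the user, or a local user with the wrong password). The usernames, passwords and server reachability flags are constructed sample data; the TacacsGroup and LocalDatabase classes are assumptions made for the model.

```python
"""Model of how an IOS AAA login method list is walked (added illustration)."""
from dataclasses import dataclass
from enum import Enum


class Result(Enum):
    PASS = "PASS"    # method authenticated the user
    FAIL = "FAIL"    # method answered and rejected the user: no fallback
    ERROR = "ERROR"  # method could not give an answer: try the next method


@dataclass
class LocalDatabase:
    """Stand-in for 'username <user> password <pw>' entries (constructed)."""
    users: dict
    name: str = "local"

    def authenticate(self, user, password):
        if user not in self.users:
            return Result.ERROR        # unknown locally: fall through to next method
        if self.users[user] == password:
            return Result.PASS
        return Result.FAIL             # known user, wrong password: hard reject


@dataclass
class TacacsGroup:
    """Stand-in for 'group tacacs+' (constructed); reachable=False models a timeout."""
    users: dict
    reachable: bool = True
    name: str = "tacacs+"

    def authenticate(self, user, password):
        if not self.reachable:
            return Result.ERROR        # "Started 5 sec timeout ... timed out, clean up"
        if self.users.get(user) == password:
            return Result.PASS
        return Result.FAIL             # server answered: reject, no fallback to local


def parse_method_list(cfg_line, local_db, tacacs):
    """Turn 'aaa authentication login default <methods...>' into ordered method objects."""
    tokens = cfg_line.split()
    if tokens[:4] != ["aaa", "authentication", "login", "default"]:
        raise ValueError("expected an 'aaa authentication login default ...' line")
    methods, i = [], 4
    while i < len(tokens):
        if tokens[i] == "local":
            methods.append(local_db)
            i += 1
        elif tokens[i] == "group" and i + 1 < len(tokens) and tokens[i + 1] == "tacacs+":
            methods.append(tacacs)
            i += 2
        else:
            raise ValueError(f"unsupported method token {tokens[i]!r}")
    return methods


def run_method_list(methods, user, password):
    """Walk the list in order; return (final result, trace of (method, result))."""
    trace = []
    for method in methods:
        result = method.authenticate(user, password)
        trace.append((method.name, result))
        if result is not Result.ERROR:
            return result, trace       # PASS or FAIL ends the walk
    return Result.ERROR, trace         # every method errored: login is refused


if __name__ == "__main__":
    local = LocalDatabase({"cisco": "cisco"})
    tacacs_up = TacacsGroup({"admin": "admin"}, reachable=True)
    tacacs_down = TacacsGroup({"admin": "admin"}, reachable=False)
    for cfg, tac in [("aaa authentication login default local group tacacs+", tacacs_up),
                     ("aaa authentication login default group tacacs+ local", tacacs_up),
                     ("aaa authentication login default group tacacs+ local", tacacs_down)]:
        for user, pw in [("cisco", "cisco"), ("cisco1", "cisco1")]:
            result, trace = run_method_list(parse_method_list(cfg, local, tac), user, pw)
            print(f"{cfg!r:60} {user:7} -> {result.value:5} via {trace}")
```

Running the block prints one line per configuration and user: with "local group tacacs+" the user cisco passes without the TACACS server being contacted, and cisco1 falls through to TACACS and is rejected; with "group tacacs+ local" and a reachable server, cisco is rejected by TACACS and the local entry is never consulted, whereas the same order with an unreachable server falls back and cisco passes locally.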
There is currently no specific troubleshooting information available for this configuration.