Building network automation solutions

9 module online course

Start now!

Identifying TACACS+ failure

I've got an interesting question from Colin a while ago:

I would like to generate a different prompt during the login to the router if the TACACS+ server has failed, indicating to the network operators that they have to log-in with the special (local) username, not with the TACACS+ authenticated username/password.

Fortunately he was running TACACS+ which supplies its own prompts during the authentication phase (the solution would not work with RADIUS). If you change the local authentication prompts, you'll get the prompts from TACACS+ server if it's reachable from the router (the AAA authentication is performed via TACACS+ server) and the local prompts if the TACACS+ server has failed (the AAA authentication is performed via any other mechanism). Here's a sample configuration:

aaa new-model
aaa authentication login REMOTE group tacacs+ local
aaa authentication fail-message #
Local authentication failed.
aaa authentication password-prompt "Enter local password:"
aaa authentication username-prompt "Enter local username:"
user a secret b
line vty 0 4
login authentication REMOTE

We migrated our blog a few days ago, and the commenting functionality is not there yet. In the meantime enjoy the older comments, or find our content on LinkedIn and comment there.


  1. what is advantage of using this. This can be done with the local username and password also which is also binded with the aaa.

  2. This solution works great when using telnet. Is there any chance to get this working with ssh?

  3. @shivlu: if you deploy AAA servers, you might still want to have local usernames/passwords in case the connectivity to the AAA servers is broken and you'd like to get into the router.

    If you decide you want to have local usernames, it helps if the operator knows whether he's expected to type the local username or the server-checked username.

    @moik: no-go. SSH does not pass authentication prompts between the server and the client (all prompting is done locally in the client).

  4. Hi, Ivan!

    I'm find interesting issue with ssh connection to the router. I hvae simple configuration, like that:

    no aaa new-model
    username admin privelege 15 password 12345

    ip ssh version 2

    line vty 0 15
    login local
    trasport input ssh telnet

    If I connect to the router via telnet - I get privilege level 15. But, if i connect via ssh - I should input enable password. Why, when I use ssh - i should enter enable password? I checked it on IOS SRB2.

  5. @shef: according to Cisco documentation, SSH only works with AAA ... but you've obviously found a workaround: if AAA is not enabled, it uses enable password.

  6. Hi Shef:

    If you really want to do this using SSH but without a TACACS server, you can enable AAA to use the local database to allow a privledge level 15 user to drop straight into the enable mode after successful authentication. However, I would not recommend using telnet at all if SSH is available on the device. With that said, the config below works for both telnet and SSH.

    aaa new-model
    aaa authentication login default local
    aaa authorization exec default local
    username test privilege 15 secret your-password
    ip ssh version 2
    line vty 0 15
    transport input ssh telnet

  7. Is it possible to achieve this in reverse. Instead of re-configuring thousands of my devices, can I get Cisco ACS to change the prompt on the router when the TACACS is available? If not the prompts, then insert a banner?

  8. @Steve: in principle, it's possible (the technology definitely allows it), but I wouldn't know how to change prompts on Cisco ACS.

  9. Hi,
    I think I am asking a very simple question but then how do we enable CLI interface on Cisco ACS software? Would be thankful if you would reply.

  10. I've asked uncle Google the same question (Cisco ACS CLI) and got this answer.

  11. I am trying to get ACS 4.2 for windows to automatically put users in lev 15 priv (enable mode) after they login. I have done everything cisco says and yet, no matter what, users login with their AD credentials and ACS authenticates and puts users in "user mode" . then the user has to manually enter the enable secret still. I want to eliminate the manually typing the enable password in. I also dont want ALL users to be lev 15 priv so the setup will need to be done in ACS and not the router/switch config.