This is a basic, working AAA TACACS+ configuration for IOS XR. The local fallback account is the local user cisco.
In the example below, the line console uses local authentication unconditionally: whether or not a TACACS+ server is reachable, the console authenticates against the local user database only. The TACACS+ server group is called auth-server and contains two TACACS+ servers, host 10.255.255.1 and host 10.255.255.2.
configure
!
tacacs-server host 10.255.255.1 port 49
 key 7 0055415509421F070C204F5D021C1C
 timeout 1
!
tacacs-server host 10.255.255.2 port 49
 key 7 135445410615102B28252B203E270A
 timeout 1
!
username cisco
 group root-lr
 group cisco-support
 secret 5 $1$xE2F$K9GxT/QI1eosQhXS6y/2D/
!
aaa group server tacacs+ auth-server
 server 10.255.255.1
 server 10.255.255.2
!
aaa authorization exec default none
aaa authentication login default group auth-server local
!
The IOS XR AAA command aaa authorization exec default none has the same effect as the IOS AAA command aaa authorization exec default group auth-server if-authenticated: a user who has been authenticated is also authorized for an exec session.
If the line console should try TACACS+ AAA first and fall back to local AAA only when the servers do not answer, add the following configuration:
configure
!
line console
 login authentication default
!
commit
A short verification saves countless hours. Stop the TACACS+ daemon on both servers (10.255.255.1 and 10.255.255.2 in the example above) and verify that fallback authentication really works. If it does, you are well prepared for a central AAA outage.
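To make the behaviour of the method list group auth-server local explicit, and to play through the fallback check described above before touching a real box, here is a small model written for this page (it is not IOS XR code and not from the original author). It parses the page's aaa and line console lines with a toy parser, simulates the two TACACS+ servers as dictionaries, and walks the method list the way the router does: a later method is consulted only when every server in the group stays silent, never when a reachable server rejects the password. The user names, passwords and server states are constructed for the example; the console handling follows the page's statement that the console stays local until login authentication default is applied.

```python
"""Toy model of IOS XR login method-list evaluation (added example).

Everything here is an assumption built for illustration: the parser only
understands the handful of AAA lines used on the page, the TACACS+ servers
are simulated as dictionaries, and the user names and passwords are constructed.
"""

# Constructed copy of the page's AAA lines (keys, secrets and tacacs-server hosts left out).
CONFIG = """\
aaa group server tacacs+ auth-server
 server 10.255.255.1
 server 10.255.255.2
!
aaa authorization exec default none
aaa authentication login default group auth-server local
!
line console
 login authentication default
!
"""

LOCAL_USERS = {"cisco": "local-pass"}   # constructed local fallback account
TACACS_DB = {"alice": "tacacs-pass"}    # constructed central (TACACS+) user database


def parse_aaa(config_text):
    """Return (server groups, default login method list, console-uses-default-list)."""
    groups, methods, console_default = {}, [], False
    section = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "!":
            section = None
        elif line.startswith("aaa group server tacacs+ "):
            section = ("group", line.split()[-1])
            groups[section[1]] = []
        elif line == "line console":
            section = ("console", None)
        elif line.startswith("server ") and section and section[0] == "group":
            groups[section[1]].append(line.split()[1])
        elif line == "login authentication default" and section == ("console", None):
            console_default = True
        elif line.startswith("aaa authentication login default "):
            tokens = line.split()[4:]            # e.g. ['group', 'auth-server', 'local']
            while tokens:
                if tokens[0] == "group":
                    methods.append(("group", tokens[1]))
                    tokens = tokens[2:]
                else:
                    methods.append((tokens[0], None))
                    tokens = tokens[1:]
    return groups, methods, console_default


def query_group(servers, server_state, user, password):
    """Try each server of the group in order. A server marked None never
    answers (the page's 'timeout 1' expires), so the next one is tried; only
    when every server is silent does the whole group report ERROR."""
    for ip in servers:
        users = server_state.get(ip)
        if users is None:
            continue                             # timeout -> next server in the group
        return "PASS" if users.get(user) == password else "FAIL"
    return "ERROR"


def authenticate(user, password, methods, groups, server_state, local_users=LOCAL_USERS):
    """Walk the method list. Only ERROR (nobody answered) moves on to the next
    method; a FAIL from a reachable server ends the list, so 'local' is a
    fallback for outages, not a second password store."""
    for method, arg in methods:
        if method == "group":
            result = query_group(groups[arg], server_state, user, password)
            if result == "ERROR":
                continue
            return result, f"group {arg}"
        if method == "local":
            return ("PASS" if local_users.get(user) == password else "FAIL"), "local"
        if method == "none":
            return "PASS", "none"
    return "ERROR", None


def console_methods(methods, console_default):
    """Per the page: the console authenticates locally unless
    'login authentication default' is configured under 'line console'."""
    return methods if console_default else [("local", None)]


def run_scenarios():
    """The fallback check the page recommends, played through on the model."""
    groups, methods, console_default = parse_aaa(CONFIG)
    methods = console_methods(methods, console_default)
    both_up = {"10.255.255.1": TACACS_DB, "10.255.255.2": TACACS_DB}
    first_down = {"10.255.255.1": None, "10.255.255.2": TACACS_DB}
    both_down = {"10.255.255.1": None, "10.255.255.2": None}   # daemon stopped on both
    return {
        "up_good_pw": authenticate("alice", "tacacs-pass", methods, groups, both_up),
        "up_bad_pw": authenticate("alice", "wrong", methods, groups, both_up),
        "up_local_only_user": authenticate("cisco", "local-pass", methods, groups, both_up),
        "first_server_down": authenticate("alice", "tacacs-pass", methods, groups, first_down),
        "outage_local_user": authenticate("cisco", "local-pass", methods, groups, both_down),
        "outage_tacacs_user": authenticate("alice", "tacacs-pass", methods, groups, both_down),
    }


if __name__ == "__main__":
    for name, (result, via) in run_scenarios().items():
        print(f"{name:20s} {result:5s} via {via}")
```

Two of the scenarios are the ones worth remembering during the verification: while the servers answer, the local user cisco is rejected by the group and local is never consulted, and during a full outage a TACACS-only user such as alice fails at the local step because no local account exists for it. Both are the expected behaviour of group auth-server local, not a misconfiguration.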