Hi all,
We are trying to migrate our Avaya 4850GTS-PWR+ switches to our existing Global TACACS+ authentication platform but we are running into difficulties because the Avayas refuse to do local authentication when the TAC+ servers become unreachable.
They output an error that the global authentication servers are unreachable and continue to prompt for username/password endlessly.
According to the Avaya documentation, this is what is supposed to happen:
"You can configure two TACACS+ servers, a primary server and a secondary server. If all servers are not reachable (no answers) then local authentication is done."
I know that this used to be an issue with RADIUS authentication until the "radius-server password fallback" command was added in later releases.
Are we missing something? Is there a way for us to set a TACACS server timeout value and then force local user/password authentication? The implementation is pretty useless if it cannot fall back to local authentication in the event of a network/TAC+ server outage.
Our configuration is pretty basic:
tacacs server host x.x.x.x key
tacacs authorization enable
tacacs authorization level all
tacacs accounting enable
cli password switch telnet tacacs
The 4850 switches are running FW 5.8.0.1 / SW v5.8.0.005
Many thanks in advance,
Mike