AAA allowing local authentication with TACACS+ configured.

    I was under the impression:

    aaa authentication login default group tacacs+ local

    means: if TACACS+ is up and happy, use that. If TACACS+ returns ERROR, use
    local credentials. This is good.

    However, I figured this also meant deny local authentication if TACACS+
    is up and functioning. But I can still log in using local credentials
    even when TACACS+ is up and functioning. Is there a way I can disable


    Mike, Jun 26, 2006
    If authentication fails against the TACACS database, no further AAA
    method should be used. If it is being used, then it is a bug.

    "A FAIL response is significantly different from an ERROR. A FAIL means
    that the user has not met the criteria contained in the applicable
    authentication database to be successfully authenticated.
    Authentication ends with a FAIL response. An ERROR means that the
    security server has not responded to an authentication query. Because
    of this, no authentication has been attempted. Only when an ERROR is
    detected will AAA select the next authentication method defined in the
    authentication method list."
    Merv, Jun 26, 2006
    Turns out, for some reason, although it was successfully logging in users,
    FAILs were timing out when communicating with ACS. I noticed this by
    turning TACACS debugging on.

    Bumping the time-out value to 10 seconds took care of it. Our ACS
    servers may need a good kick.

    However, couldn't this be used for a timing attack to harvest accounts?
    Mike, Jun 26, 2006
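The FAIL/ERROR rule quoted above and the timeout finding, as an added Python model of an IOS-style method list (this is illustration code, not code from the original posts or from Cisco). It assumes the behaviour described in the thread: a FAIL from the server ends authentication, a reply that does not arrive within the tacacs-server timeout is an ERROR and moves on to the next method, and "group tacacs+" tries each configured host in turn until one answers. The server name, user databases, reply delays and timeout values are constructed; the ACS is modelled as answering PASS quickly but FAIL slowly, which is the pattern Mike describes.

```python
"""
Model of how an IOS-style AAA login method list chooses a method.
Added example for this thread, not code from the original posts or from
Cisco. It encodes the rule quoted in the thread (a FAIL ends
authentication, an ERROR moves to the next method) and shows why a
tacacs-server timeout shorter than the ACS reply time turns a FAIL into a
fall-through to local credentials. All names, users, passwords and delays
below are constructed.
"""
from dataclasses import dataclass

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


@dataclass
class TacacsServer:
    """Constructed stand-in for one ACS host: its users and how long it takes to answer."""
    name: str
    users: dict         # username -> password the server accepts
    pass_delay: float   # seconds until a PASS reply reaches the NAS
    fail_delay: float   # seconds until a FAIL reply reaches the NAS

    def authenticate(self, user, password, timeout):
        """Return (result, seconds spent) as seen by the NAS under the given timeout."""
        ok = self.users.get(user) == password
        delay = self.pass_delay if ok else self.fail_delay
        if delay > timeout:
            # The NAS gives up before the reply arrives. No answer was seen,
            # so this is an ERROR even though the server was about to say FAIL.
            return ERROR, float(timeout)
        return (PASS if ok else FAIL), delay


@dataclass
class TacacsGroup:
    """'group tacacs+': try each host in turn; first PASS/FAIL wins, all ERROR -> ERROR."""
    servers: list
    name: str = "tacacs+"

    def authenticate(self, user, password, timeout):
        spent = 0.0
        for srv in self.servers:
            result, secs = srv.authenticate(user, password, timeout)
            spent += secs
            if result != ERROR:
                return result, spent
        return ERROR, spent


@dataclass
class LocalDb:
    """'local': the running-config username database; answers at once and never ERRORs."""
    users: dict
    name: str = "local"

    def authenticate(self, user, password, timeout):
        return (PASS if self.users.get(user) == password else FAIL), 0.0


def aaa_login(method_list, user, password, timeout):
    """
    Walk a method list such as 'aaa authentication login default group tacacs+ local'.
    Returns (result, name of the method that decided, seconds to reach the decision).
    Only an ERROR advances to the next method; PASS and FAIL are final.
    """
    spent = 0.0
    for method in method_list:
        result, secs = method.authenticate(user, password, timeout)
        spent += secs
        if result != ERROR:
            return result, method.name, spent
    # Every method errored (TACACS+ unreachable and no 'local' keyword): deny.
    return ERROR, None, spent


# Constructed scenario: ACS knows 'merv' and answers PASS in 1 s but FAIL
# only after 7 s; the router's local database knows 'admin'.
ACS = TacacsServer("acs1", {"merv": "s3cret"}, pass_delay=1.0, fail_delay=7.0)
METHODS = [TacacsGroup([ACS]), LocalDb({"admin": "cisco"})]


def demo(timeout):
    """Run the same three logins under one tacacs-server timeout value."""
    return {
        "merv_good": aaa_login(METHODS, "merv", "s3cret", timeout),
        "local_user": aaa_login(METHODS, "admin", "cisco", timeout),
        "bad_pw": aaa_login(METHODS, "merv", "wrong", timeout),
    }


if __name__ == "__main__":
    # 5 s is the IOS default; 'tacacs-server timeout 10' is the fix from the thread
    for t in (5, 10):
        print(f"tacacs-server timeout {t}")
        for label, (result, method, secs) in demo(t).items():
            print(f"  {label:10s} -> {result:5s} via {method} after {secs:.0f}s")
```

With the 5 s timeout the ACS user still logs in (PASS arrives in 1 s, so nothing looked wrong), but every FAIL is turned into an ERROR and the local database gets the final say, which is exactly the symptom in the first post; with the timeout raised to 10 s the FAIL arrives and the local method is never consulted. The time-to-decision returned by aaa_login also differs between the two paths, which is the observable behind Mike's closing question.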
