switch# copy running-config startup-config
Disabling Fallback to Local Authentication
By default, if remote authentication is configured for console or default login and all AAA servers are
unreachable (resulting in an authentication error), the Cisco NX-OS device falls back to local authentication
to ensure that users are not locked out of the device. However, you can disable fallback to local authentication
in order to increase security.
Caution: Disabling fallback to local authentication can lock your Cisco NX-OS device, forcing you to perform a
password recovery in order to gain access. To prevent being locked out of the device, we recommend that
you disable fallback to local authentication for only the default login or the console login, not both.
Before you begin
Configure remote authentication for the console or default login.
SUMMARY STEPS
1. configure terminal
2. no aaa authentication login {console | default} fallback error local
3. (Optional) exit
4. (Optional) show aaa authentication
5. (Optional) copy running-config startup-config
DETAILED STEPS
Step 1
Command or Action: configure terminal
Purpose: Enters configuration mode.
Example:
switch# configure terminal
switch(config)#

Step 2
Command or Action: no aaa authentication login {console | default} fallback error local
Purpose: Disables fallback to local authentication for the console or
default login if remote authentication is configured and all
AAA servers are unreachable.
The following message appears when you disable fallback
to local authentication:
“WARNING!!! Disabling fallback can lock your switch.”
Example:
switch(config)# no aaa authentication login console fallback error local

Step 3
Command or Action: (Optional) exit
Purpose: Exits configuration mode.
Example:
Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x
Configuring AAA
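The check below is an added example, not part of the Cisco guide: it reads a saved running-config and flags the case the caution in this section warns about, fallback to local authentication disabled for both the console and the default login. It assumes the running-config lists the Step 2 command verbatim in its "no" form; the sample configuration and the group name AAA_SERVERS are constructed.

```python
import re

# The Step 2 command, with or without the leading "no".
# Assumption: a saved running-config lists the command in this exact form.
FALLBACK_RE = re.compile(
    r"^\s*(no\s+)?aaa\s+authentication\s+login\s+(console|default)"
    r"\s+fallback\s+error\s+local\s*$"
)

# Constructed sample input (group name AAA_SERVERS is hypothetical).
SAMPLE_BOTH_DISABLED = """\
aaa authentication login default group AAA_SERVERS
aaa authentication login console group AAA_SERVERS
no aaa authentication login default fallback error local
no aaa authentication login console fallback error local
"""

def fallback_state(config_text):
    """Map each login type to True if fallback to local auth is enabled."""
    state = {"console": True, "default": True}  # enabled by default
    for line in config_text.splitlines():
        m = FALLBACK_RE.match(line)
        if m:
            # A later line overrides an earlier one for the same login type.
            state[m.group(2)] = m.group(1) is None
    return state

def audit(config_text):
    """Return (verdict, login types with fallback disabled)."""
    state = fallback_state(config_text)
    disabled = sorted(name for name, on in state.items() if not on)
    if len(disabled) == 2:
        # Both paths depend on the AAA servers: the lockout case in the caution.
        return "LOCKOUT_RISK", disabled
    if len(disabled) == 1:
        return "ONE_DISABLED", disabled
    return "DEFAULT_FALLBACK", disabled

if __name__ == "__main__":
    print(audit(SAMPLE_BOTH_DISABLED))
```

Run it against the saved configuration before copy running-config startup-config, so a LOCKOUT_RISK result is caught while a session on the device is still open.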