Disabling Fallback To Local Authentication - Cisco Nexus 9000 Series Configuration Manual

Configuring AAA
Command or Action
switch# copy running-config startup-config

Disabling Fallback to Local Authentication

By default, if remote authentication is configured for console or default login and all AAA servers are
unreachable (resulting in an authentication error), the Cisco NX-OS device falls back to local authentication
to ensure that users are not locked out of the device. However, you can disable fallback to local authentication
in order to increase security.
Caution Disabling fallback to local authentication can lock your Cisco NX-OS device, forcing you to perform a
password recovery in order to gain access. To prevent being locked out of the device, we recommend that
you disable fallback to local authentication for only the default login or the console login, not both.
Before you begin
Configure remote authentication for the console or default login.
SUMMARY STEPS
1. configure terminal
2. no aaa authentication login {console | default} fallback error local
3. (Optional) exit
4. (Optional) show aaa authentication
5. (Optional) copy running-config startup-config
DETAILED STEPS
Command or Action
Step 1
configure terminal
Example:
switch# configure terminal
switch(config)#
Step 2
no aaa authentication login {console | default} fallback
error local
Example:
switch(config)# no aaa authentication login console
fallback error local
Step 3 (Optional) exit
Example:
Purpose
Purpose
Enters configuration mode.
Disables fallback to local authentication for the console or
default login if remote authentication is configured and all
AAA servers are unreachable.
The following message appears when you disable fallback
to local authentication:
"WARNING!!! Disabling fallback can lock your switch."
Exits configuration mode.
Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x
Disabling Fallback to Local Authentication
19