topic Re: UNABLE TO ACCESS SWITCH USING AAA CREDENTIALS in Network Access Control

UNABLE TO ACCESS SWITCH USING AAA CREDENTIALS

ugwuugochukwukizito — Mon, 25 Jul 2022 14:27:31 GMT

Hello All, I configured AAA on a c9300-48P, but I can't seem to login to the switch using the AAA credentials.

Find the configuration below:

SW#sh run aaa

! aaa authentication login AAA group tacacs+ local

aaa authorization exec AAA group tacacs+ local

aaa accounting commands 15 AAA start-stop group tacacs+

! ! ! ! ! ! tacacs server ACS1

address ipv4 x.x.x.x

key ######

tacacs server ACS2

address ipv4 x.x.x.x

key ###### !

aaa new-model

aaa session-id common !

!!!!!!

Kindly assist

Re: UNABLE TO ACCESS SWITCH USING AAA CREDENTIALS

MHM Cisco World — Mon, 25 Jul 2022 14:35:25 GMT

we need also the config of line vty
please share it here

Re: UNABLE TO ACCESS SWITCH USING AAA CREDENTIALS

Rob Ingram — Mon, 25 Jul 2022 15:21:49 GMT

@ugwuugochukwukizito Do you see anything in the logs on the ACS/ISE?

Have you created a NAD in ACS of the switch IP address and entered the correct shared secret?

Is the TACACS request sourced from the correct IP address (the IP address defined on ACS)? If not specify the source interface on the switch.

You may be using ACS, but this ISE device administation guide has all the switch configuration commands, as you don't appear to have configured all the aaa commands. https://community.cisco.com/t5/security-knowledge-base/cisco-ise-device-administration-prescriptive-deployment-guide/ta-p/3738365

Re: UNABLE TO ACCESS SWITCH USING AAA CREDENTIALS

Arne Bier — Tue, 26 Jul 2022 01:32:30 GMT

It appears you're using a method list in your aaa commands - as MHM mentioned, we need to see the output of

show run | sec line

to see if/how you have implemented the method list correctly.

If you didn't intentionally want this, then replace the AAA with 'default'

aaa authentication login default group tacacs+ local aaa authorization exec default group tacacs+ local if-authenticated aaa accounting exec default start-stop group tacacs+ aaa accounting commands 15 default start-stop group tacacs+

Re: UNABLE TO ACCESS SWITCH USING AAA CREDENTIALS

ugwuugochukwukizito — Tue, 26 Jul 2022 09:34:21 GMT

Hello there,

This is the line vty output:

line vty 0 4
authorization exec AAA
accounting commands 15 AAA
login authentication AAA
transport input ssh
transport output ssh
line vty 5 98
authorization exec AAA
accounting commands 15 AAA
login authentication AAA
transport input ssh
transport output ssh

Re: UNABLE TO ACCESS SWITCH USING AAA CREDENTIALS

Arne Bier — Tue, 26 Jul 2022 20:36:10 GMT

The line vty looks correct. What do you see on the TACACS+ server? Any errors? Have you also run some commands to test the comms from switch to TACACS+ server etc.?

show tacacs ping <ip_of_tacacs_servers> debug tacacs authentication debug tacacs authorization

Re: UNABLE TO ACCESS SWITCH USING AAA CREDENTIALS

MHM Cisco World — Tue, 26 Jul 2022 21:20:27 GMT

ip tacacs source-interface interface-name [vrf vrf-name]

only select the source of Packet from your SW to AAA server

Re: UNABLE TO ACCESS SWITCH USING AAA CREDENTIALS

ugwuugochukwukizito — Wed, 27 Jul 2022 15:29:37 GMT

Hello there, I'm a bit confused with the command

Re: UNABLE TO ACCESS SWITCH USING AAA CREDENTIALS

MHM Cisco World — Wed, 27 Jul 2022 15:30:47 GMT

what are you confuse about?

Re: UNABLE TO ACCESS SWITCH USING AAA CREDENTIALS

ugwuugochukwukizito — Wed, 27 Jul 2022 15:32:33 GMT

Hello Arne,

Yes I can ping the tacacs server from the switch.

I've attached the debug authentication output.

I can't seem to make anything out of it.

Kindly assist.

Re: UNABLE TO ACCESS SWITCH USING AAA CREDENTIALS

MHM Cisco World — Wed, 27 Jul 2022 16:30:28 GMT

https://community.cisco.com/t5/network-access-control/tacacs-authentication-not-working/td-p/2776891

same issue and one solution config the Interface that use as source of packet from SW to AAA server.

Re: UNABLE TO ACCESS SWITCH USING AAA CREDENTIALS

Arne Bier — Wed, 27 Jul 2022 20:17:31 GMT

OK - now that we have some basic troubleshooting under way, let's continue with some more. The switch can ping the TACACS server. In your original post you mentioned ACS1 and ACS2 - I assume the TACACS servers are Cisco ACS servers?

Have you added the switch into the ACS server's Network Devices config?

TACACS uses TCP as a transport - the debug you attached might indicate that the peer device (ACS) reset the TCP connection because the switch has not been defined as a client in ACS. Or, it might be that there is a firewal in the way and it's allowing ICMP (ping) but not TCP/49 (TACACS protocol).

Does your switch have any VRF definitions? If yes, then as MHM rightly said early on, you must ensure that the IOS TACACS configuration is made "vrf aware" - ensure that the correct VRF is mentioned in any TACACS config, and also the correct Source Interface is specified - the same interface IP address that you used when you added the client into ACS.

And then there is the ACS configuration.

How about an output of the command

show tacacs

Re: UNABLE TO ACCESS SWITCH USING AAA CREDENTIALS

ugwuugochukwukizito — Wed, 03 Aug 2022 21:06:10 GMT

Many thanks @MHM Cisco World , @Arne Bier , @Rob Ingram for your help.

I added the config ip tacacs source-interface (vlan id) and the issue was resolved.

Thanks everyone

Re: UNABLE TO ACCESS SWITCH USING AAA CREDENTIALS

MHM Cisco World — Wed, 03 Aug 2022 21:15:59 GMT

Your are so so welcome