topic Re: Tacacs Configuration on the Switch in Network Access Control

Tacacs Configuration on the Switch

Faresnani — Mon, 19 Feb 2024 07:18:45 GMT

Dear Community,

We are currently encountering a challenge in accessing the switch command-line interface (CLI) using user credentials from the Active Directory when the connection between the switch and the TACACS server is unavailable (Cisco ISE). The error message indicates that the switch cannot establish communication with the Cisco ISE. We seek guidance on configuring the scenario wherein, in the event of TACACS being unreachable, the switch automatically checks for the existence of local usernames accessing through Console or SSH

like sequence checking first from TACACS then the Local database on the switch

Below is our configuration on the switch

==================================================================

aaa new-model
!
!
aaa authentication login default group ISE local
aaa authentication login console group ISE local
aaa authorization config-commands default group ISE local
aaa authorization commands default group ISE local
aaa accounting default group ISE local
aaa authentication login error-enable
tacacs-server directed-request

tacacs-server key 7 "*********"
tacacs-server host x.x.x.x key 7 "*******"
aaa group server tacacs+ ISE
server x.x.x.x

============================================================

Regards

Omran Mohamed

Re: Tacacs Configuration on the Switch

MHM Cisco World — Mon, 19 Feb 2024 07:27:21 GMT

""If tacacs not send privilege with access-accept""

The local user and user in AD will auth and access to 1-level 1 from there you need enable password to access te level 15.

So you need enable password

MHM

Re: Tacacs Configuration on the Switch

MHM Cisco World — Mon, 19 Feb 2024 07:34:01 GMT

https://www.cisco.com/c/en/us/support/docs/security-vpn/terminal-access-controller-access-control-system-tacacs-/10384-security.html

In example 2 of this guide

Which you config same (you add tacacs)

aaa authentication login console group ISE local

Here the console is method list and since it not defualt you need to add this list under console. Correct me if I am wrong.

For more info check example 2 in link I share

Thanks

MHM

Re: Tacacs Configuration on the Switch

balaji.bandi — Mon, 19 Feb 2024 07:36:10 GMT

Depends on the model of the Switch IOS code running - I use all the time below config on IOS XE and works as expected, when there is no ISE reachability :

username cisco privilege 15 secret 5 cisco

aaa new-model

tacacs server ISE1

address ipv4 192.100.1.1

key Mykey

tacacs server ISE2

address ipv4 192.200.1.1

key MyKey

ip tacacs source-interface Loopback0

aaa group server tacacs+ ISE_GRP

server name ISE1

server name ISE2

aaa authentication login default group ISE_GRP local

aaa authorization config-commands

aaa authorization exec default group ISE_GRP local

aaa authorization commands 0 default group ISE_GRP local

aaa authorization commands 1 default group ISE_GRP local

aaa authorization commands 15 default group ISE_GRP local

aaa accounting exec default start-stop group ISE_GRP

aaa accounting commands 0 default start-stop group ISE_GRP

aaa accounting commands 1 default start-stop group ISE_GRP

aaa accounting commands 15 default start-stop group ISE_GRP