https://community.cisco.com/t5/network-access-control/tacacs-ise-configuration-on-a-catalyst-9500-with-multiple-vrfs/m-p/5216541#M592759 <P>As I see you don't use server-private command under group?</P> <P>Check config I share above&nbsp;</P> <P>MHM</P> Tue, 29 Oct 2024 04:52:02 GMT MHM Cisco World 2024-10-29T04:52:02Z https://community.cisco.com/t5/network-access-control/tacacs-ise-configuration-on-a-catalyst-9500-with-multiple-vrfs/m-p/5216452#M592749 <P>Hello All,&nbsp;</P><P>&nbsp; &nbsp; &nbsp; &nbsp;Kindly I need to help to configure TACACS+ (ISE) on a catalyst switch&nbsp; 9500. The 9500 has 2 vrfs and in the aaa group I specified the vrf and the source-interface.&nbsp;</P><P>&nbsp; &nbsp; I could successfully login to the switch but can not run any command. it gives me "Authorization Failed" and in ISE the logs show that the command was authorized successfully.&nbsp;</P><P>&nbsp;</P><P>Any suggestions would be helpful.&nbsp;</P><P>Thank you,&nbsp;</P><P>&nbsp;&nbsp;</P> Mon, 28 Oct 2024 20:51:21 GMT https://community.cisco.com/t5/network-access-control/tacacs-ise-configuration-on-a-catalyst-9500-with-multiple-vrfs/m-p/5216452#M592749 hadeelOth81 2024-10-28T20:51:21Z https://community.cisco.com/t5/network-access-control/tacacs-ise-configuration-on-a-catalyst-9500-with-multiple-vrfs/m-p/5216454#M592750 <P class="summary_indent"><SPAN><SPAN class="synph"><SPAN class="kwd">aaa</SPAN>&nbsp;<SPAN class="kwd">group</SPAN>&nbsp;<SPAN class="kwd">server</SPAN>&nbsp;<SPAN class="kwd">tacacs+</SPAN>&nbsp;</SPAN><EM>group-name</EM></SPAN></P> <P class="summary_indent"><SPAN><SPAN class="synph"><SPAN class="kwd">server-private</SPAN>&nbsp;</SPAN>{<SPAN class="synph"><SPAN class="var">ip-address</SPAN></SPAN>&nbsp;|&nbsp;<SPAN class="synph"><SPAN class="var">name</SPAN></SPAN>} [<SPAN class="synph"><SPAN class="kwd">nat</SPAN></SPAN>] [<SPAN class="synph"><SPAN class="kwd">single-connection</SPAN></SPAN>] [<SPAN class="synph"><SPAN class="kwd">port</SPAN></SPAN>&nbsp;<SPAN class="synph"><SPAN class="var">port-number</SPAN>] [<SPAN class="kwd">timeout</SPAN>&nbsp;<SPAN class="var">seconds</SPAN>] [<SPAN class="kwd">key</SPAN>&nbsp;[<SPAN class="kwd">0</SPAN>&nbsp;|&nbsp;<SPAN class="kwd">7</SPAN>]<SPAN class="var">&nbsp;string</SPAN>]<BR /></SPAN></SPAN></P> <P class="summary_indent"><SPAN>&nbsp;</SPAN><SPAN><SPAN class="synph"><SPAN class="kwd">ip</SPAN>&nbsp;<SPAN class="kwd">vrf</SPAN>&nbsp;<SPAN class="kwd">forwarding</SPAN>&nbsp;</SPAN><SPAN class="synph"><SPAN class="var">vrf-name</SPAN></SPAN></SPAN></P> <P class="summary_indent"><SPAN>&nbsp;</SPAN><SPAN><SPAN class="synph"><SPAN class="kwd">ip</SPAN>&nbsp;<SPAN class="kwd">tacacs</SPAN>&nbsp;<SPAN class="kwd">source-interface</SPAN></SPAN></SPAN></P> <P class="summary_indent"><SPAN><SPAN class="synph"><SPAN class="kwd">Do config as above&nbsp;</SPAN></SPAN></SPAN></P> <P class="summary_indent"><SPAN><SPAN class="synph"><SPAN class="kwd">MHM</SPAN></SPAN></SPAN></P> <P><LI-WRAPPER></LI-WRAPPER></P> Mon, 28 Oct 2024 20:54:17 GMT https://community.cisco.com/t5/network-access-control/tacacs-ise-configuration-on-a-catalyst-9500-with-multiple-vrfs/m-p/5216454#M592750 MHM Cisco World 2024-10-28T20:54:17Z https://community.cisco.com/t5/network-access-control/tacacs-ise-configuration-on-a-catalyst-9500-with-multiple-vrfs/m-p/5216459#M592751 <P>Hello&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1065752">@MHM Cisco World</a>&nbsp;,&nbsp;</P><P>&nbsp; &nbsp;Unfortunately, it did not work. Still facing authorization failed.&nbsp;</P><P>Thanks,&nbsp;</P><P>&nbsp;</P> Mon, 28 Oct 2024 21:07:37 GMT https://community.cisco.com/t5/network-access-control/tacacs-ise-configuration-on-a-catalyst-9500-with-multiple-vrfs/m-p/5216459#M592751 hadeelOth81 2024-10-28T21:07:37Z https://community.cisco.com/t5/network-access-control/tacacs-ise-configuration-on-a-catalyst-9500-with-multiple-vrfs/m-p/5216461#M592752 <P>Can I see the full config&nbsp;</P> <P>MHM</P> Mon, 28 Oct 2024 21:12:57 GMT https://community.cisco.com/t5/network-access-control/tacacs-ise-configuration-on-a-catalyst-9500-with-multiple-vrfs/m-p/5216461#M592752 MHM Cisco World 2024-10-28T21:12:57Z https://community.cisco.com/t5/network-access-control/tacacs-ise-configuration-on-a-catalyst-9500-with-multiple-vrfs/m-p/5216466#M592753 <P>Hi,</P> <P>&nbsp; &nbsp;Please share complete AAA config, as well as VTY lines and console config, as well as print-screen with ISE TACACS log message.</P> <P>Best,</P> <P>Cristian.</P> Mon, 28 Oct 2024 21:26:00 GMT https://community.cisco.com/t5/network-access-control/tacacs-ise-configuration-on-a-catalyst-9500-with-multiple-vrfs/m-p/5216466#M592753 Cristian Matei 2024-10-28T21:26:00Z https://community.cisco.com/t5/network-access-control/tacacs-ise-configuration-on-a-catalyst-9500-with-multiple-vrfs/m-p/5216514#M592756 <P>Here is the configuration&nbsp;</P><P>&nbsp;</P><P>switch1#sh run | sec aaa<BR />aaa new-model<BR />aaa local authentication attempts max-fail 10<BR />aaa group server tacacs+ (Group-Name)<BR />server name ise-name1<BR />server name ise-name2<BR />ip vrf forwarding vrf-name<BR />ip tacacs source-interface Loopback0<BR />aaa authentication login default group Group_Name local<BR />aaa authentication login synchronization none<BR />aaa authorization config-commands<BR />aaa authorization exec default group Group_Name if-authenticated<BR />aaa authorization commands 0 default group tacacs+ local<BR />aaa authorization commands 1 default group tacacs+ local<BR />aaa authorization commands 15 default group tacacs+ local<BR />aaa accounting update newinfo<BR />aaa accounting exec default start-stop broadcast group Group-Name<BR />aaa accounting commands 1 default start-stop broadcast group Group-Name<BR />aaa accounting commands 15 default start-stop broadcast group Group-Name<BR />aaa session-id common</P><P><BR />tacacs server ise-name1<BR />address ipv4 IP<BR />key 7 Key</P><P>tacacs server ise-name2<BR />address ipv4 IP<BR />key 7 Key</P><P>Thank you,&nbsp;</P><P>&nbsp;</P> Tue, 29 Oct 2024 02:50:03 GMT https://community.cisco.com/t5/network-access-control/tacacs-ise-configuration-on-a-catalyst-9500-with-multiple-vrfs/m-p/5216514#M592756 hadeelOth81 2024-10-29T02:50:03Z https://community.cisco.com/t5/network-access-control/tacacs-ise-configuration-on-a-catalyst-9500-with-multiple-vrfs/m-p/5216541#M592759 <P>As I see you don't use server-private command under group?</P> <P>Check config I share above&nbsp;</P> <P>MHM</P> Tue, 29 Oct 2024 04:52:02 GMT https://community.cisco.com/t5/network-access-control/tacacs-ise-configuration-on-a-catalyst-9500-with-multiple-vrfs/m-p/5216541#M592759 MHM Cisco World 2024-10-29T04:52:02Z https://community.cisco.com/t5/network-access-control/tacacs-ise-configuration-on-a-catalyst-9500-with-multiple-vrfs/m-p/5216695#M592770 <P>Hi,</P> <P>&nbsp; &nbsp;Command authorization fails as within your config you're referencing globally configured TACACS servers which don't exist, your configuration uses aaa group settings. Perform following changes and it will work:</P> <LI-CODE lang="markup">no aaa authorization commands 0 default group tacacs+ local no aaa authorization commands 1 default group tacacs+ local no aaa authorization commands 15 default group tacacs+ local ! aaa authorization commands 0 default group Group_Name local aaa authorization commands 1 default group Group_Name local aaa authorization commands 15 default group Group_Name local</LI-CODE> <P>Best,</P> <P>Cristian.&nbsp;</P> Tue, 29 Oct 2024 10:43:14 GMT https://community.cisco.com/t5/network-access-control/tacacs-ise-configuration-on-a-catalyst-9500-with-multiple-vrfs/m-p/5216695#M592770 Cristian Matei 2024-10-29T10:43:14Z https://community.cisco.com/t5/network-access-control/tacacs-ise-configuration-on-a-catalyst-9500-with-multiple-vrfs/m-p/5216865#M592781 <P>Thank you&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/295226">@Cristian Matei</a>&nbsp;. It solved the issue.&nbsp;</P> Tue, 29 Oct 2024 14:53:00 GMT https://community.cisco.com/t5/network-access-control/tacacs-ise-configuration-on-a-catalyst-9500-with-multiple-vrfs/m-p/5216865#M592781 hadeelOth81 2024-10-29T14:53:00Z