topic Hi the command aaa in Network Access Control

I am unable to login to the switch using TACACS+ login after adding aaa authorization network command

Nisha Prabath — Mon, 11 Mar 2019 05:04:42 GMT

I am testing a switch for aaa authentication when it is not communicating to ISE, and i found a strange behavior. After i added the aaa authentication accounting and authorization commands and reloaded the switch i was not able to login to the switch with the TACACS login

The switch kept going in cycles showing the banner and then giving the authentication failed message 3 times and the cycle starts with the banner and authentication failed message

i removed the command aaa authorization network command and i was reloaded the switch and i was able to login successfully.

could someone help me with this problem.

Please attach your switch

nspasov — Thu, 02 Oct 2014 00:05:53 GMT

Please attach your switch config. If you cannot attach the whole config then please post your:

1. AAA configurations

2. Line (AUX, Console) configurations

Thank you for rating helpful posts!

I have pasted the AAA

Nisha Prabath — Thu, 02 Oct 2014 13:30:38 GMT

I have pasted the AAA configuration and the line configuation for your reference.

aaa group server radius ISE-PSN-DOT1X
server name TCI-ISE01
server name TCI-ISE02
!
aaa authentication login default group tacacs+ local
aaa authentication dot1x default group ISE-PSN-DOT1X
aaa authorization network default group ISE-PSN-DOT1X
aaa authorization network auth-list group ISE-PSN-DOT1X
aaa authorization auth-proxy default group ISE-PSN-DOT1X
aaa accounting update periodic 5
aaa accounting auth-proxy default start-stop group ISE-PSN-DOT1X
aaa accounting dot1x default start-stop group ISE-PSN-DOT1X
aaa accounting system default start-stop group ISE-PSN-DOT1X

line con 0
line vty 0 4
password 7
length 0
transport input telnet
line vty 5 15
transport input telnet

Thanks! Also, can you post

nspasov — Thu, 02 Oct 2014 16:20:21 GMT

Thanks! Also, can you post the "aaa authorization" command that breaks the process? The "aaa authentication" commands look ok.

AAA authorization commands

Nisha Prabath — Thu, 02 Oct 2014 17:15:32 GMT

AAA authorization commands:

aaa authorization network default group ISE-PSN-DOT1X
aaa authorization network auth-list group ISE-PSN-DOT1X

After i removed the command 'aaa authorization network auth-list group ISE-PSN-DOT1X' from the switch and reloaded it, i was able to login successfully.

Hmm, those commands are

nspasov — Thu, 02 Oct 2014 17:46:19 GMT

Hmm, those commands are related to network access and not associated with the authorization of your local device. I just tested the syntax in my lab and had no issues with it. So:

1. What version of code are you running on the network device?

2. What are you returning in the authorization profile in ISE?

This switch is not talking to

Nisha Prabath — Thu, 02 Oct 2014 18:14:57 GMT

This switch is not talking to the ISE. this is more of a fail-over test environment where ISE is not available

SW Version
------ ----- -----
15.0(2)SE4

I am guessing that it is a

nspasov — Thu, 02 Oct 2014 19:00:23 GMT

I am guessing that it is a bug with that version of code...In my lab I am running 15.1.x code and have no issues.

Thank you for rating helpful posts!

Oh ok.thank you for the help

Nisha Prabath — Thu, 02 Oct 2014 19:53:15 GMT

Oh ok.

thank you for the help and support.

No problem! Please come back

nspasov — Thu, 02 Oct 2014 20:43:36 GMT

No problem! Please come back and let us know if a code upgrade resolves your issue!

Thank you for rating helpful posts!

Sure, will let you know once

Nisha Prabath — Thu, 02 Oct 2014 21:22:58 GMT

Sure, will let you know once my issue gets resolved.

Thank you so much for the support!

Hi the command aaa

saxenanitesh8522 — Mon, 06 Oct 2014 06:44:45 GMT

the command aaa authorization network default group ISE-PSN-DOT1X

points to radius it should been pointed to tacacs or removed if authorization is not required.

it is not a bug issue.

Thanks

Hi Nitesh-That command (aaa

nspasov — Mon, 06 Oct 2014 06:53:21 GMT

Hi Nitesh-

That command (aaa authorization network...) has nothing to do with admin based authorization on the NAD (in this situation the switch). That command applies to network connections such as PPP, SLIP,, etc.

In addition, aaa authorization can be performed by Radius and not only TACACS+. Radius is not as powerful and you cannot provide authorization command sets but you can still return different privilege levels and roles.

Did you test the above configuration syntax? I did and it is working as expected!

Thank you for rating helpful posts!

Hi Neno,Yes you are correct.

Nisha Prabath — Mon, 06 Oct 2014 13:55:07 GMT

Hi Neno,

Yes you are correct. i was able to login to switch but it took a while to show the username and password prompt.

Thank you for the support.

Thank you for confirming this

nspasov — Mon, 06 Oct 2014 16:11:22 GMT

Thank you for confirming this Nisha and also thank you for the rating! I think the delay with the username/password showing is due to the switch trying to connect to your TACACS+ server. After that fails/timeouts then the username password shows up.