1077
Views
5
Helpful
3
Replies

AAA TACACS authentication works intermittently for Cisco switch

Pawan Raut
Level 4

AAA TACACS authentication works intermittently on a Cisco switch. When we capture logs on ISE, we don't get any logs when AAA TACACS authentication fails.


Model Number : WS-C3850-48P

Cisco IOS Software, IOS-XE Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 03.02.03.SE RELEASE SOFTWARE (fc2)

Switch AAA configuration as below:

aaa group server tacacs+
server-private <ISE1> timeout 2 key <Password>
server-private <ISE2> timeout 2 key <Password>
server-private <ISE3> timeout 2 key <Password>
server-private <ISE4> timeout 2 key <Password>
ip tacacs source-interface Loopback0
aaa authentication login default group ISE-Group local
aaa authentication login console local
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group ISE-Group local if-authenticated
aaa authorization exec console local if-authenticated
aaa authorization commands 1 default group ISE-Group local if-authenticated
aaa authorization commands 2 default local if-authenticated
aaa authorization commands 15 default group ISE-Group local if-authenticated
aaa accounting commands 1 default start-stop group ISE-Group
aaa accounting commands 1 console start-stop group ISE-Group
aaa accounting commands 2 default start-stop group ISE-Group
aaa accounting commands 15 default start-stop group ISE-Group
aaa accounting commands 15 console start-stop group ISE-Group
aaa session-id common


Any lead will help.

1 Accepted Solution


Hi,

From the configuration I can see aaa group server tacacs+ ISE-Group is missing.

Please refer to this document and cross-check the configuration:

https://community.cisco.com/t5/security-documents/how-to-ise-tacacs-configuration-for-ios-network-devices/ta-p/3631080

-Aravind


3 Replies


That was a copy-paste error, but it is not missing in the actual device configuration.

If you have a large volume of TACACS transactions happening, you may be timing out periodically due to the large number of TCP connections. This has happened to me before. Enable single connect mode on all your TACACS devices and see if that helps. You also need to enable legacy single connect under the network devices in ISE as well.
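As an added example (not from this thread and not Cisco tooling), here is a small Python lint over a pasted IOS AAA configuration that checks the two points raised in the replies: every `group <name>` referenced by an authentication, authorization or accounting method list must be defined by an `aaa group server tacacs+ <name>` line, and each TACACS+ server line is flagged when it lacks the `single-connection` keyword that turns on single connect mode. The two sample configurations, the 192.0.2.x addresses and the key are constructed; the lint assumes the flat, unindented layout of the paste above and ignores other AAA features.

```python
"""Lint a pasted IOS AAA configuration for the two problems discussed in this thread.

Hypothetical example code (not Cisco's). Checks:
  1. method lists that reference a server group that is never defined
     (e.g. 'group ISE-Group' with no 'aaa group server tacacs+ ISE-Group');
  2. TACACS+ server-private/server lines without 'single-connection'.
"""
import re

# Constructed sample: the configuration as it was pasted in the question,
# with the server group name missing from the 'aaa group server' line.
PASTED_CONFIG = """\
aaa group server tacacs+
server-private 192.0.2.11 timeout 2 key SECRET
server-private 192.0.2.12 timeout 2 key SECRET
ip tacacs source-interface Loopback0
aaa authentication login default group ISE-Group local
aaa authentication login console local
aaa authorization exec default group ISE-Group local if-authenticated
aaa authorization commands 15 default group ISE-Group local if-authenticated
aaa accounting commands 15 default start-stop group ISE-Group
"""

# Constructed sample: the same configuration with the group named and
# single connect mode enabled on each server (ISE must be set to match).
FIXED_CONFIG = """\
aaa group server tacacs+ ISE-Group
server-private 192.0.2.11 single-connection timeout 2 key SECRET
server-private 192.0.2.12 single-connection timeout 2 key SECRET
ip tacacs source-interface Loopback0
aaa authentication login default group ISE-Group local
aaa authorization exec default group ISE-Group local if-authenticated
aaa accounting commands 15 default start-stop group ISE-Group
"""

GROUP_DEF = re.compile(r"^aaa group server (?:tacacs\+|radius)(?:\s+(\S+))?\s*$")
METHOD_LIST = re.compile(r"^aaa (?:authentication|authorization|accounting)\b")
GROUP_REF = re.compile(r"\bgroup\s+(\S+)")
SERVER_LINE = re.compile(r"^server(?:-private)?\s+(\S+)(.*)$")
BUILTIN_GROUPS = {"tacacs+", "radius"}  # 'group tacacs+' needs no definition


def lint_aaa(config: str) -> dict:
    """Return findings for one configuration as a dict of lists/counters."""
    defined, referenced, no_single_connect = set(), set(), []
    unnamed = 0
    in_tacacs_group = False  # True while we are inside an 'aaa group server tacacs+' block
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = GROUP_DEF.match(line)
        if m:
            in_tacacs_group = line.startswith("aaa group server tacacs+")
            if m.group(1):
                defined.add(m.group(1))
            else:
                unnamed += 1  # group header with no name: method lists cannot refer to it
            continue
        s = SERVER_LINE.match(line)
        if s and in_tacacs_group:
            if "single-connection" not in s.group(2).split():
                no_single_connect.append(s.group(1))
            continue
        in_tacacs_group = False  # any other command ends the group block
        if METHOD_LIST.match(line):
            for ref in GROUP_REF.findall(line):
                if ref not in BUILTIN_GROUPS:
                    referenced.add(ref)
    return {
        "defined": sorted(defined),
        "referenced": sorted(referenced),
        "undefined": sorted(referenced - defined),
        "unnamed_group_definitions": unnamed,
        "servers_without_single_connection": no_single_connect,
    }


def report(config: str) -> list:
    """Human-readable findings; empty list means both checks passed."""
    f = lint_aaa(config)
    out = []
    for name in f["undefined"]:
        out.append(f"method list references undefined server group '{name}'")
    if f["unnamed_group_definitions"]:
        out.append(f"{f['unnamed_group_definitions']} 'aaa group server' line(s) have no group name")
    for srv in f["servers_without_single_connection"]:
        out.append(f"TACACS+ server {srv} is not using single-connection")
    return out


if __name__ == "__main__":
    for label, cfg in (("pasted", PASTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {label} ==")
        print("\n".join(report(cfg)) or "no findings")
```

Run on the pasted sample the lint reports that `ISE-Group` is referenced but never defined, that one group header has no name, and that neither server uses single-connection; the fixed sample reports nothing. As the last reply notes, enabling single connect on the switch only helps if the matching legacy single connect setting is also turned on for those network devices in ISE.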