AAA Configuration on c9300

I have a stack of C9300 switches. I am trying to configure tacacs+ authentication. I read the documentation, and I'm getting no where .

 

Please post an example of aaa configuration, using a group of tacacs servers.

Accepted Solution

The command tacacs server server-name has been deprecated. The new command structure is:

aaa group server tacacs+ <Name>
 server x.x.x.x
 server y.y.y.y
ip tacacs source-interface <Interface>

The servers are identified in the group, by the group name, and are referenced as such:

aaa authentication login default group <Name> local
aaa authentication enable default group <Name> enable
aaa authorization config-commands
aaa authorization exec default group <Name> local
aaa authorization commands 15 default group <Name> if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default stop-only group <Name>
aaa accounting commands 15 default stop-only group tacacs+

It took me a long time to get the meaning of this. 

 

Hope this helps.

Scott

 

 


Hi 

 

Below is a snippet of the config. Sorry for the order of the copy/paste, I'm on my iPad.

 

aaa new-model
aaa authentication login CON none
aaa authentication login default local
!
line con 0
 exec-timeout 0 0
 login authentication CON
 logging synchronous
 authorization exec CON
!
tacacs server ise-1
 address ipv4 10.10.10.10
 key Cisco123
!
aaa group server tacacs+ ISE
 server name ise-1
!
aaa authentication login VTY group ISE local
aaa authentication enable default group ISE enable
aaa authorization config-commands
aaa authorization exec CON none
aaa authorization console
aaa authorization exec VTY group ISE local if-authenticated
aaa authorization commands 1 VTY group ISE local if-authenticated
aaa authorization commands 15 VTY group ISE local if-authenticated
aaa accounting exec default start-stop group ISE
aaa accounting commands 1 default start-stop group ISE
aaa accounting commands 15 default start-stop group ISE
aaa accounting connection default start-stop group ISE
aaa accounting system default start-stop group ISE
!
line vty 0 15
 login authentication VTY
 authorization commands 1 VTY
 authorization commands 15 VTY
 authorization exec VTY
 accounting exec default
 accounting commands 1 default
 accounting commands 15 default
 accounting connection default
!


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Sorry to raise an old thread, but I'm encountering this exact scenario.  I'm reading the documentation, which is giving me commands to use that do not exist.

 

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/16-9/configuration_guide/sec/b_169_sec_9300_cg/configuring_tacacs_.html

 

From the documentation:

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. tacacs server server-name  <-- this has a space between tacacs and server, but the tacacs command is invalid under 16.9.4 on my C9300.  It defaults to "tacacs-server" if I use the tab to complete the command.  Is this just an error in the documentation?  The command structure under tacacs-server is completely different.
  4. address {ipv4 | ipv6} ip address
  5. exit
  6. aaa new-model
  7. aaa group server tacacs+ group-name
  8. server ip-address
  9. end
  10. show running-config
  11. copy running-config startup-config

Additionally, why would the server IP addresses need to be defined in two different places (both under tacacs server and aaa groups)? It also appears you can provide the server key under the aaa group server command structure.

I also found indications that the tacacs-server host command will be deprecated soon. It says you can use the server command instead of the tacacs-server host command, but the server command doesn't seem to exist either.

 


Hi,

Do you have "aaa new-model" enabled?

 

Regards,

Cristian Matei.


Yeah - I'm an ID10T.  I had it at one time but then pulled it out because adding it caused my local user login to no longer dump me into enable mode.  Re-entering it gave me access to the tacacs command structure, but as scottsassin pointed out, that method is being deprecated.


Is there any methodology to the sequence of entering these commands?  When I was playing with it (before your post) I managed to enter something that caused me to no longer be able to enter commands.  I wound up having to reload the switch from the console.  Is there a way to test the tacacs server connectivity before adding the "aaa authentication login default group" command?


Hi,

I'm guessing here. If you pasted the commands from the console, unauthenticated, it makes sense that you lost access when the exec authorization command was issued: you lost exec access, so all further commands were ignored. Connect via telnet/ssh with username/password, paste the commands, and there should be no issues.

 

Regards,

Cristian Matei.


I was ssh'd in with a username on the switch, but I may have been out of order with the commands.  I'd have to go back through my ssh logs to see exactly what I did. Thanks for confirming the order laid out will work without issue.


The command order wasn't entirely without issues.  While logged in as a local user with priv 15, I proceeded to add the commands as stated.  Once the "aaa authorization commands 15 default group RAAS-ISE if-authenticated" command was entered, I could no longer enter any other commands because I was logged in as a local user and once you enter that it starts pushing everything to the tacacs server.  I had to log in with a tacacs account to complete the last three commands.

 

CorpCore#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CorpCore(config)#aaa authentication login default group RAAS-ISE local
CorpCore(config)#aaa authentication enable default group RAAS-ISE enable
CorpCore(config)#aaa authorization config-commands
CorpCore(config)#aaa authorization exec default group RAAS-ISE local
CorpCore(config)#aaa authorization commands 15 default group RAAS-ISE if-authenticated
CorpCore(config)#aaa accounting exec default start-stop group tacacs+
Command authorization failed.

CorpCore(config)#aaa accounting commands 1 default stop-only group RAAS-ISE
Command authorization failed.

CorpCore(config)#aaa accounting commands 15 default stop-only group tacacs+
Command authorization failed.
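The following is a consolidated configuration assembled as an added example for this thread; it is not any poster's own config. It answers the original request (a group of TACACS+ servers referenced from the method lists) using the named-server form from Francesco's reply together with the method lists from the accepted answer, and it orders the steps so that the session applying them is not cut off as in the last post. The group name ISE, the server names ise-1/ise-2, the 192.0.2.x addresses, the keys, the Loopback0 source interface and the username adminuser are all assumed placeholders. The test aaa group command is a standard IOS/IOS-XE privileged-exec command; it is used here to confirm the servers answer before any list points at them.

```cisco
! Step 1: AAA must be on before "tacacs server" and "aaa group server" even
! appear in the parser (the missing piece in the thread above).
aaa new-model
!
! Step 2: define each server once, with its own key. Addresses and keys are
! placeholders; "service password-encryption" hides the keys in the running-config.
tacacs server ise-1
 address ipv4 192.0.2.11
 key CHANGE-ME-KEY-1
tacacs server ise-2
 address ipv4 192.0.2.12
 key CHANGE-ME-KEY-2
!
! Step 3: one group holding both servers. Method lists reference the group,
! so the second server is tried when the first does not respond.
aaa group server tacacs+ ISE
 server name ise-1
 server name ise-2
!
! Source TACACS+ traffic from a stable address so the servers can restrict
! which network devices may talk to them (Loopback0 is an assumption).
ip tacacs source-interface Loopback0
!
! Step 4: verify reachability and the shared key BEFORE any list uses the
! group. This is a privileged-exec command, not configuration:
!   test aaa group ISE adminuser CHANGE-ME-PASSWORD new-code
! Do not continue until it reports a successful authentication.
!
! Local fallback account and enable secret, reached only when "local"/"enable"
! is the method that applies (every server in the group unreachable).
username adminuser privilege 15 secret CHANGE-ME-LOCAL
enable secret CHANGE-ME-ENABLE
!
! Step 5: named method lists instead of "default". The lockout in the last
! post came from changing the default command-authorization list while logged
! in as a local user: every later command went to a server that did not know
! that user. Named lists change nothing until they are bound to a line.
! The console stays local so a broken TACACS+ setup never locks out the
! serial port; "local" at the end of the VTY lists is the no-server fallback.
aaa authentication login CON local
aaa authentication login VTY group ISE local
aaa authentication enable default group ISE enable
aaa authorization console
aaa authorization exec CON local
aaa authorization exec VTY group ISE local if-authenticated
aaa authorization config-commands
aaa authorization commands 1 VTY group ISE if-authenticated
aaa authorization commands 15 VTY group ISE if-authenticated
! Accounting has no lockout risk; default lists apply to all lines automatically.
aaa accounting exec default start-stop group ISE
aaa accounting commands 1 default stop-only group ISE
aaa accounting commands 15 default stop-only group ISE
!
! Step 6: bind the lists last. Do this from the console (which stays on the
! CON lists) or from an SSH session whose user exists on the TACACS+ server,
! then open a second SSH session to confirm login and command authorization
! work before closing the one you are on.
line con 0
 login authentication CON
 authorization exec CON
line vty 0 15
 login authentication VTY
 authorization exec VTY
 authorization commands 1 VTY
 authorization commands 15 VTY
 transport input ssh
```

The two things that keep this sequence safe are the named lists (nothing in step 5 touches an existing session) and the ordering of step 4 before step 5, which turns "the server rejected me" into a visible test result rather than a locked switch. Once the VTY lists are proven to work, the default lists can be switched over if that is the preferred style, again from a console or TACACS+-authenticated session.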