Solved: AAA Configuration on c9300

scottsassin · ‎12-21-2017

I have a stack of C9300 switches. I am trying to configure tacacs+ authentication. I read the documentation, and I'm getting no where .

Please post an example of aaa configuration, using a group of tacacs servers.

scottsassin · ‎03-11-2020

The command tacacs server server-name has been depreciated. The new command structure is:

aaa group server tacacs+ <Name>
server x.x.x.x
server y.y.y.y
ip tacacs source-interface <Interface>

The servers are identified in the group, by the group name, and are referenced as such:

aaa authentication login default group <Name> local
aaa authentication enable default group <Name> enable
aaa authorization config-commands
aaa authorization exec default group <Name> local
aaa authorization commands 15 default group <Name> if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default stop-only group <Name>
aaa accounting commands 15 default stop-only group tacacs+

It took me a long time to get the meaning of this.

Hope this helps.

Scott

View solution in original post

Francesco Molino · ‎12-21-2017

Hi

Below a snippet of the config. Sorry for the order of copy paste, I'm through my iPad.

aaa new-model

aaa authentication login CON none

aaa authentication login default local

line con 0

exec-timeout 0 0

login authentication CON

logging synchronous

authorization exec CON

tacacs server ise-1

address ipv4 10.10.10.10

key Cisco123
!
aaa group server tacacs+ ISE

server name ise-1

!
aaa authentication login VTY group ISE local

aaa authentication enable default group ISE enable

aaa authorization config-commands

aaa authorization exec CON none
aaa authorization console
aaa authorization exec VTY group ISE local if-authenticated

aaa authorization commands 1 VTY group ISE local if-authenticated

aaa authorization commands 15 VTY group ISE local if-authenticated

aaa accounting exec default start-stop group ISE

aaa accounting commands 1 default start-stop group ISE

aaa accounting commands 15 default start-stop group ISE
aaa accounting connection default start-stop group ISE
aaa accounting system default start-stop group ISE
!

!
line vty 0 15

login authentication VTY

authorization commands 1 VTY

authorization commands 15 VTY
authorization exec VTY

accounting exec default
accounting commands 1 default
accounting commands 15 default
accounting connection default
!
!

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

jlmickens · ‎03-11-2020

Sorry to raise an old thread, but I'm encountering this exact scenario. I'm reading the documentation, which is giving me commands to use that do not exist.

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/16-9/configuration_guide/sec/b_169_sec_9300_cg/configuring_tacacs_.html

From the documentation:

SUMMARY STEPS

enable
configure terminal
tacacs server server-name <-- this has a space between tacacs and server, but the tacacs command is invalid under 16.9.4 on my C9300. It defaults to "tacacs-server" if I use the tab to complete the command. Is this just an error in the documentation? The command structure under tacacs-server is completely different.
address {ipv4 | ipv6} ip address
exit
aaa new-model
aaa group server tacacs+ group-name
server ip-address
end
show running-config
copy running-config startup-config

Additionally, why would the server IP addresses need to be defined in two different places (both under tacacs server and aaa groups). It also appears you can provide the server key under the aaa group server command structure.

I also found indications that the tacacs-server host command will be deprecated soon. It says you can use the server command instead of the tacacs-server host command, but the server command doesn't seem to exist either.

Cristian Matei · ‎03-11-2020

Hi,

Do you have "aaa new-model" enabled?

Regards,

Cristian Matei.

jlmickens · ‎03-12-2020

Yeah - I'm an ID10T. I had it at one time but then pulled it out because adding it caused my local user login to no longer dump me into enable mode. Re-entering it gave me access to the tacacs command structure, but as scottsassin pointed out, that method is being depreciated.

scottsassin · ‎03-11-2020

The command tacacs server server-name has been depreciated. The new command structure is:

aaa group server tacacs+ <Name>
server x.x.x.x
server y.y.y.y
ip tacacs source-interface <Interface>

The servers are identified in the group, by the group name, and are referenced as such:

aaa authentication login default group <Name> local
aaa authentication enable default group <Name> enable
aaa authorization config-commands
aaa authorization exec default group <Name> local
aaa authorization commands 15 default group <Name> if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default stop-only group <Name>
aaa accounting commands 15 default stop-only group tacacs+

It took me a long time to get the meaning of this.

Hope this helps.

Scott

jlmickens · ‎03-12-2020

Is there any methodology to the sequence of entering these commands? When I was playing with it (before your post) I managed to enter something that caused me to no longer be able to enter commands. I wound up having to reload the switch from the console. Is there a way to test the tacacs server connectivity before adding the "aaa authentication login default group" command?

Cristian Matei · ‎03-12-2020

Hi,

I'm guessing here. If you lasted the commands from the console, unauthenticated, it makes sense you lost access, when the exec authorization command was issued, as you lost exec access, so all further commands were ignored. Connect via telnet/ssh with username/password, paste the commands and there should be no issues.

Regards,

Cristian Matei.

jlmickens · ‎03-12-2020

I was ssh'd in with a username on the switch, but I may have been out of order with the commands. I'd have to go back through my ssh logs to see exactly what I did. Thanks for confirming the order laid out will work without issue.

jlmickens · ‎03-31-2020

The command order wasn't entirely without issues. While logged in as a local user with priv 15, I proceeded to add the commands as stated. Once the "aaa authorization commands 15 default group RAAS-ISE if-authenticated" command was entered, I could no longer enter any other commands because I was logged in as a local user and once you enter that it starts pushing everything to the tacacs server. I had to log in with a tacacs account to complete the last three commands.

CorpCore#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CorpCore(config)#aaa authentication login default group RAAS-ISE local
CorpCore(config)#aaa authentication enable default group RAAS-ISE enable
CorpCore(config)#aaa authorization config-commands
CorpCore(config)#aaa authorization exec default group RAAS-ISE local
CorpCore(config)#aaa authorization commands 15 default group RAAS-ISE if-authenticated
CorpCore(config)#aaa accounting exec default start-stop group tacacs+
Command authorization failed.

CorpCore(config)#aaa accounting commands 1 default stop-only group RAAS-ISE
Command authorization failed.

CorpCore(config)#aaa accounting commands 15 default stop-only group tacacs+
Command authorization failed.