04-19-2005 12:54 AM - edited 03-10-2019 02:06 PM
Hi All,
I'm having a severe case of brain fade here and would appreciate a little help.
I recently changed the architecture of a production network that uses TACACS servers. To the 3548 access switches, the AAA went in just fine. The process I followed was:
1. Apply only the aaa authentication lines from the config below
2. Then the tacacs server addresses and string
3. Then the authentication line on the console
4. Logout
5. Login with valid TACACS account
6. Apply the remaining config - authorisation and accounting
No problems there. The snag came when I tried to do the same on a 2 switch 3750 cluster, then again on 2 x 6506's.
I'm NOT locked out though, as there is a local username on the devices.
So, clearly my question is, why on earth can I apply the authentication lines to the devices, logout, try to login with the TACACS account then get an authentication failure?
All devices can ping the TACACS servers. Below is the config, which runs just fine on all other devices, including another pair of 6500's.
aaa new-model
aaa authentication login xxxxxx group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
login authentication xxxxxxx
tacacs-server host x.x.x.x
tacacs-server host x.x.x.x
tacacs-server key xxxxxx
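Before chasing server reachability, it is worth checking mechanically that every `login authentication <list>` applied to a line points at a list that `aaa authentication login` actually defines, and that each list keeps a non-TACACS fallback method. This is an added example, not from the thread; the config text it parses is constructed (placeholders as posted, with hypothetical `line con 0` / `line vty 0 4` stanzas).

```python
import re
from typing import Dict, List

# Constructed sample modelled on the IOS snippet above (placeholders kept as posted).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login xxxxxx group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
tacacs-server host x.x.x.x
tacacs-server key xxxxxx
line con 0
 login authentication xxxxxxx
line vty 0 4
 login authentication xxxxxx
"""

LOGIN_LIST_RE = re.compile(r"^aaa authentication login (\S+) (.+)$")
LINE_RE = re.compile(r"^line (\S+ .+)$")            # start of a "line ..." stanza
LOGIN_REF_RE = re.compile(r"^\s+login authentication (\S+)$")  # indented, inside a stanza
# Methods that do not depend on a AAA server answering.
FALLBACKS = {"local", "local-case", "enable", "line", "none"}


def parse_login_lists(config: str) -> Dict[str, List[str]]:
    """Map each login method list name to its ordered method tokens."""
    lists: Dict[str, List[str]] = {}
    for raw in config.splitlines():
        m = LOGIN_LIST_RE.match(raw.strip())
        if m:
            lists[m.group(1)] = m.group(2).split()
    return lists


def audit_aaa(config: str) -> List[str]:
    """Return findings: lists without a fallback, and lines referencing undefined lists."""
    findings: List[str] = []
    lists = parse_login_lists(config)
    for name, methods in lists.items():
        # "group tacacs+" alone leaves nothing to try if the server is unreachable or rejects.
        if not FALLBACKS & set(methods):
            findings.append(f"list '{name}' has no non-server fallback method")
    current_line = None
    for raw in config.splitlines():
        m = LINE_RE.match(raw)
        if m:
            current_line = m.group(1)
            continue
        m = LOGIN_REF_RE.match(raw)
        if m and m.group(1) not in lists:
            findings.append(f"line '{current_line}' references undefined login list '{m.group(1)}'")
    return findings


if __name__ == "__main__":
    for finding in audit_aaa(SAMPLE_CONFIG):
        print(finding)
```

Run against a `show running-config` dump saved to a file, the same functions apply unchanged; only `SAMPLE_CONFIG` is a stand-in.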
04-19-2005 07:25 AM
Here are the configs we use for our switches. It requires you to have an enable password set on your devices as failover. Also, do you have a firewall between the switches and the tacacs server? If so, log in to one of the switches and try to telnet to your tacacs server on port 49; if it opens, then you don't have a problem with a firewall. Also, you can go on the tacacs server and check the failed login report and see if it gives you any clues as to why it's not working.
6500 Config
!
set tacacs server XXX.XXX.XXX.XXX primary
set tacacs server XXX.XXX.XXX.XXX
set tacacs server XXX.XXX.XXX.XXX
set tacacs key XXXXXXX
!
#authentication
set authentication login tacacs enable console primary
set authentication login tacacs enable telnet primary
set authentication login tacacs enable http primary
set authentication enable tacacs enable console primary
set authentication enable tacacs enable telnet primary
set authentication enable tacacs enable http primary
!!
#accounting
set accounting exec enable start-stop tacacs+
set accounting system enable start-stop tacacs+
!
#authorization
set authorization exec enable tacacs+ if-authenticated console
set authorization exec enable tacacs+ if-authenticated telnet
set authorization enable enable tacacs+ if-authenticated console
set authorization enable enable tacacs+ if-authenticated telnet
!
!
!
2950 and 3500 Catalyst
!
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
!
tacacs-server host XXX.XXX.XXX.XXX
tacacs-server host XXX.XXX.XXX.XXX
tacacs-server host XXX.XXX.XXX.XXX
tacacs-server key XXXXXXX
04-20-2005 11:38 PM
Dustin,
Thanks very much for the suggestions, but unfortunately the config side is out of my hands. I'm just applying it to reconfigured switches after a data centre change. I still fail to understand how the config was fine on 3548's but not the others.
Any suggestion please anyone?
Ali
04-21-2005 04:44 AM
Have you checked the server to see what error messages you are getting? Also, have you tried to config net the file to your switches? We config net our files to switches and it loads it all at once instead of in pieces. There has to be an error log somewhere that will tell you what the problem is.