10-23-2008 11:20 PM - edited 03-10-2019 04:08 PM
Hi all,
I've just upgraded a CAT3560-48TS from IOS 12.2(37)SE1 (ipservicesk9) to 12.2(46)SE (ipservicesk9). All seemed fine until I tried logging in with my TACACS account: I get an authorization failed. Logging in with a local priv15 account works just fine. After removing the following statements:
aaa authorization exec default group auth-server local
aaa authorization commands 0 default group auth-server none
aaa authorization commands 1 default group auth-server none
aaa authorization commands 15 default group auth-server none
everything works fine again.
Also, I've upgraded other 3560 switches to 12.2(46)SE with an ipbase image. Those switches work fine with exactly the same AAA IOS configuration. Any thoughts on this one?
Cheers,
Vincent
10-28-2008 08:00 PM
Douglas
There are a couple of things that would commonly produce the symptoms that you describe. I would check for these:
- is the key (shared secret) configured on the ASA the same as the key configured on the server?
- is the IP address configured on the server for the client the same as the address that the client uses as the source address when it sends the request to the server?
Are there any entries in the logs on the server indicating whether it saw the request for authentication, and if so why the request failed?
HTH
Rick
10-28-2008 09:18 PM
Rick,
Thanks a lot. I had to check according to the 2 items above and BINGO!!! All's looking good. IP address misconfig and maybe preshared keys issue.
12-11-2008 06:07 AM
I found that simply doing the following resolved the issue for me:
no tacacs-server host x.x.x.x single-connection
tacacs-server host x.x.x.x single-connection
Thanks to posters for the help with this issue. I was running ACS Appliance 4.1(1) Build 23.