In our config we use the following.

aaa new-model

aaa group server tacacs+ NAME

server 10..x.x.x  < ---- This is dropped on restart sometimes

ip tacacs source-interface Vlan1

aaa authentication login NAME group NAME local

aaa authentication login CONSOLE local

aaa authorization console

aaa authorization config-commands

aaa authorization exec NAME group NAME local if-authenticated

aaa authorization exec NAME local if-authenticated

aaa authorization commands 2 NAME group NAME if-authenticated

aaa authorization commands 15 NAME group NAME if-authenticated

aaa accounting commands 2 default start-stop group NAME

aaa accounting commands 15 default start-stop group NAME

When this is dropped the switches then just use local authentication. I have no idea why this happens. It is annoying, and my boss has no patience for this. He hates that i have the authentication run therough Active Directory. I think he likes to have 10 different passwords.

Hi Ryan,

  Do you get the prompt for username and password , when you reboot the switch? If yes, after typing the user credentails, if the authentication fails, what error message do you get on the tacacs server?

We are running ssh so when we type in our AD account that should authenticate it reprompts for a password. Because the server line is missing it is looking for the local account on the switch not in ACS. I don't believe at that time it is even hitting the server since it doesn't have address in the config. We have to use local switch credentials to add the server address then it start to work again.

Ryan

That is what i assumed. We are in the process of upgrading everything to 122-50.SE5. Thanks for the help.