We have Cisco 3750G switches and have them set up to use Cisco ACS 22.214.171.124.5. On some switches, after they are restarted (and we know that the config is saved), the server address for the AAA authentication is dropped. We are running IOS c3750-ipbasek9-mz.122-40.SE. I have started to upgrade switches to c3750-ipbasek9-mz.122-50.SE5 to fix an issue with reporting high drops in Solarwinds. I have not thus far seen any problems with the new version but have only been running it for a few days. Any help on this would be great.
Can you give me some more information as to what exactly happens when you reboot/restart the device. Do you mean that you get the prompt for authentication through TACACS, however the authentication fails, or that you do not get prompted for username and password at all?
Minakshi (Do rate the helpful posts)
In our config we use the following.
aaa group server tacacs+ NAME
server 10.x.x.x < ---- This is dropped on restart sometimes
ip tacacs source-interface Vlan1
aaa authentication login NAME group NAME local
aaa authentication login CONSOLE local
aaa authorization console
aaa authorization config-commands
aaa authorization exec NAME group NAME local if-authenticated
aaa authorization exec NAME local if-authenticated
aaa authorization commands 2 NAME group NAME if-authenticated
aaa authorization commands 15 NAME group NAME if-authenticated
aaa accounting commands 2 default start-stop group NAME
aaa accounting commands 15 default start-stop group NAME
When this is dropped the switches then just use local authentication. I have no idea why this happens. It is annoying, and my boss has no patience for this. He hates that I have the authentication run through Active Directory. I think he likes to have 10 different passwords.
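The failure mode in this post is easy to miss because nothing breaks visibly: with the `server` line gone, `group NAME` can never answer, so every method list that names it falls straight through to `local`. The script below is an added example, not code from this thread or from Cisco. It parses an IOS config text, collects the members of each `aaa group server` block, and flags every `aaa authentication`/`authorization`/`accounting` line whose group is empty or undefined, reporting what the list falls through to. The two sample configs are constructed from the posted one; the address 10.1.1.5 and the group name NAME are assumptions. Feed it the output of `show running-config` (and `show startup-config`) from each switch to catch a dropped server entry before anyone has to notice the wrong password prompt.

```python
"""Audit an IOS config for AAA method lists whose TACACS+ server group is empty.

Added example for this thread (not code from the thread or from Cisco). The
sample configs are constructed: the first mirrors the posted config with a
server entry present, the second is the same config after the 'server' line
is gone. The address 10.1.1.5 and the group name NAME are assumptions.
"""
import re

# Constructed sample: the posted config with the server entry present.
CONFIG_OK = """\
aaa new-model
aaa group server tacacs+ NAME
 server 10.1.1.5
ip tacacs source-interface Vlan1
aaa authentication login NAME group NAME local
aaa authentication login CONSOLE local
aaa authorization exec NAME group NAME local if-authenticated
aaa authorization commands 15 NAME group NAME if-authenticated
aaa accounting commands 15 default start-stop group NAME
"""

# Constructed sample: what the switch shows after the 'server' line is dropped.
CONFIG_DROPPED = CONFIG_OK.replace(" server 10.1.1.5\n", "")

AAA_LINE = re.compile(r"^aaa (authentication|authorization|accounting) ")
GROUP_HDR = re.compile(r"^aaa group server (?:tacacs\+|radius) (\S+)")


def parse_server_groups(config):
    """Return {group_name: [server addresses]} for each 'aaa group server' block.

    IOS writes the members of a group indented by one space; the block ends
    at the first line that is not indented.
    """
    groups, current = {}, None
    for line in config.splitlines():
        m = GROUP_HDR.match(line)
        if m:
            current = m.group(1)
            groups[current] = []
        elif current is not None and line.startswith(" "):
            fields = line.split()
            if len(fields) >= 2 and fields[0] in ("server", "server-private"):
                groups[current].append(fields[1])
        else:
            current = None  # left the indented block
    return groups


def audit(config):
    """Return one finding per AAA method list that references an empty or
    undefined server group.

    With no servers the group can never answer, so IOS moves on to the next
    method in the list: the silent fallback to local credentials seen above.
    """
    groups = parse_server_groups(config)
    findings = []
    for line in config.splitlines():
        if not AAA_LINE.match(line):
            continue
        tokens = line.split()
        for i, tok in enumerate(tokens[:-1]):
            if tok != "group":
                continue
            name = tokens[i + 1]
            if name in ("tacacs+", "radius"):
                continue  # built-in groups use the global tacacs-server/radius-server hosts
            rest = " ".join(tokens[i + 2:]) or "nothing (method list exhausted)"
            if name not in groups:
                findings.append(f"{line!r}: group {name} is not defined; falls through to: {rest}")
            elif not groups[name]:
                findings.append(f"{line!r}: group {name} has no servers; falls through to: {rest}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("saved config", CONFIG_OK), ("after reboot", CONFIG_DROPPED)):
        problems = audit(cfg)
        print(f"{label}: {'ok' if not problems else str(len(problems)) + ' problem(s)'}")
        for p in problems:
            print("  " + p)
```

Run against the posted config, the script is quiet while the `server` line is present and reports four findings once it is gone: the login, exec and command-authorization lists fall through to `local`/`if-authenticated`, and the accounting list has nothing left at all, so command accounting simply stops. Diffing `audit(running)` against `audit(startup)` per switch is a cheap way to turn this into a scheduled check.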
Do you get the prompt for username and password when you reboot the switch? If yes, after typing the user credentials, if the authentication fails, what error message do you get on the TACACS server?
We are running SSH, so when we type in our AD account that should authenticate, it reprompts for a password. Because the server line is missing it is looking for the local account on the switch, not in ACS. I don't believe at that time it is even hitting the server, since it doesn't have the address in the config. We have to use local switch credentials to add the server address, then it starts to work again.