Tacacs+ 'aaa group server' vs 'tacacs server' commands

benbroadfoot
Level 1

Hi There,

I have 2 C9500 L3 switches setup successfully authenticating to 2 ISE 2.6.0.156 servers using the following command set:

aaa group server tacacs+ ISE_SERVERS
server-private 10.x.x.1 key 7 blablabla
server-private 10.x.x.2 key 7 blablabla
ip tacacs source-interface Vlanxxx

aaa authentication login default group ISE_SERVERS local
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group ISE_SERVERS local if-authenticated
aaa accounting exec default start-stop group ISE_SERVERS
aaa accounting commands 0 default start-stop group ISE_SERVERS
aaa accounting commands 1 default start-stop group ISE_SERVERS
aaa accounting commands 15 default start-stop group ISE_SERVERS
aaa accounting network default start-stop group ISE_SERVERS
aaa accounting network SSH start-stop group ISE_SERVERS

Now if I apply the same config as above to some other switches (connected to the C9500's), I cannot get ISE to authenticate the logon. I can ping the ISE servers from the offending switches, and ISE can ping the switches OK.

If I change the config on the offending switches to the following, everything works fine! Just wondering what the difference could be between using 'server-private' in the ISE_SERVERS tacacs+ group as opposed to using just the 'tacacs server' command?

aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local

tacacs server ISE_SERVER
address ipv4 10.x.x.1
key 7 blablabla

Thanks!

26 Replies

hslai
Cisco Employee

@benbroadfoot, "ip tacacs source-interface Vlanxxx" seems to be part of the aaa server group only. Perhaps that is causing it. Anyhow, it is good to verify there is no asymmetric routing, by packet captures, etc.

Nancy Saini
Cisco Employee

Hi @benbroadfoot

Another way of testing reachability to the TACACS server is "test aaa group <server group name> <user> <password> new-code", then check the TACACS live logs on the server to see if it received any request.

Hi,
I haven't forgotten you, but I was busy.
Can I ask you something about your config?
1 - Are you using any VRF in your SW?
2 - What IOS version are you running?

Hi @MHM Cisco World - no problems mate, any help from you guys is greatly appreciated!

1 - No VRF's are used

2- C9500-48Y4C running Cisco IOS XE Software, Version 16.12.05b (working with aaa group server tacacs+ ISE_SERVERS ISE config)

IE-5000-12S12P-10G running IOS 15.2(7)E3 (connected to above C9500 & not working with aaa group server tacacs+ ISE_SERVERS ISE config but does work with the other ISE commands)


Thanks!


Same config, except use server instead of server-private:
aaa group server tacacs+ ISE_SERVERS

server 10.x.x.1 key 7 blablabla
server 10.x.x.2 key 7 blablabla
ip tacacs source-interface Vlanxxx <<- can you confirm that this VLAN is in global, not in mgmt-vrf?

Just using "server 10.x.x.1" does not accept the 'key' command, which is required.

The Vlanxxx is global yes

We have lost track of this post since it has been a while.

Just to recap: you have the same config working on different Cat 9500s, and some of them not working (that is, the Industrial switches).

The commands are different; use the guide below for IE switches:

https://www.cisco.com/c/en/us/td/docs/switches/lan/cisco_ie4010/software/release/15-2_4_EC/configuration/guide/scg-ie4010_5000/swauthen.html


BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi @balaji.bandi, the 'private-server' commands are working on any of the L2 switches, no matter which model it is (IE5K & 4010). On the IE5K's that have routing enabled it doesn't work, and I have to use the 'tacacs server' commands, which do work.

You may have provided it before, but can you provide the config again for the 5K switch?

BB

aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local

tacacs server ISE_SERVER
address ipv4 10.x.x.1
key 7 blablabla

Now you must first configure the tacacs server with the key, then use the server IP under the aaa server group.

NOTE: since we are administering the SW here, please make sure you have access to the console, and make sure you have a local password and use it with aaa auth.

benbroadfoot
Level 1

Hi All,

Not sure why I haven't done this previously, but I have just enabled the tacacs debugging. See the results below when I try to log on with tacacs enabled in the switch config.

009236: Apr 16 15:30:17.538 UTC: TPLUS: Queuing AAA Authentication request 54 for processing
009237: Apr 16 15:30:17.541 UTC: TPLUS(00000036) login timer started 1020 sec timeout
009238: Apr 16 15:30:17.541 UTC: TPLUS: processing authentication start request id 54
009239: Apr 16 15:30:17.541 UTC: TPLUS: Authentication start packet created for 54(userx)
009240: Apr 16 15:30:17.541 UTC: TPLUS: Using server 10.1.1.1
009241: Apr 16 15:30:17.541 UTC: TPLUS(00000036)/0/NB_WAIT/8252040: Started 5 sec timeout
009242: Apr 16 15:30:17.545 UTC: TPLUS(00000036)/0/NB_WAIT: socket event 2
009243: Apr 16 15:30:17.545 UTC: T+: Version 192 (0xC0), type 1, seq 1, encryption 1, SC 0
009244: Apr 16 15:30:17.545 UTC: T+: session_id 399221972 (0x17CBA4D4), dlen 38 (0x26)
009245: Apr 16 15:30:17.545 UTC: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
009246: Apr 16 15:30:17.545 UTC: T+: svc:LOGIN user_len:13 port_len:4 (0x4) raddr_len:13 (0xD) data_len:0
009247: Apr 16 15:30:17.545 UTC: T+: user: userx
009248: Apr 16 15:30:17.545 UTC: T+: port: tty1
009249: Apr 16 15:30:17.545 UTC: T+: rem_addr: 10.1.2.1
009250: Apr 16 15:30:17.545 UTC: T+: data:
009251: Apr 16 15:30:17.545 UTC: T+: End Packet
009252: Apr 16 15:30:17.545 UTC: TPLUS(00000036): encryption failed for AAA request
009253: Apr 16 15:30:17.545 UTC: TPLUS: Choosing next server 10.1.1.2
009254: Apr 16 15:30:17.545 UTC: TPLUS(00000036)/1/NB_WAIT/8252040: Started 5 sec timeout
009255: Apr 16 15:30:17.545 UTC: TPLUS(00000036)/8252040: releasing old socket 0
009256: Apr 16 15:30:17.545 UTC: TPLUS(00000036)/1/NB_WAIT/8252040: Socket 1 is in wait state
009257: Apr 16 15:30:17.555 UTC: TPLUS(00000036)/1/NB_WAIT: socket event 2
009258: Apr 16 15:30:17.555 UTC: T+: Version 192 (0xC0), type 1, seq 1, encryption 1, SC 0
009259: Apr 16 15:30:17.555 UTC: T+: session_id 399221972 (0x17CBA4D4), dlen 38 (0x26)
009260: Apr 16 15:30:17.555 UTC: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
009261: Apr 16 15:30:17.555 UTC: T+: svc:LOGIN user_len:13 port_len:4 (0x4) raddr_len:13 (0xD) data_len:0
009262: Apr 16 15:30:17.555 UTC: T+: user: userx
009263: Apr 16 15:30:17.555 UTC: T+: port: tty1
009264: Apr 16 15:30:17.555 UTC: T+: rem_addr: 10.1.2.1
009265: Apr 16 15:30:17.555 UTC: T+: data:
009266: Apr 16 15:30:17.555 UTC: T+: End Packet
009267: Apr 16 15:30:17.555 UTC: TPLUS(00000036): encryption failed for AAA request
009268: Apr 16 15:30:17.555 UTC: TPLUS(00000036)/1/8252040: Processing the reply packet

Could this be a clue to this issue?
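As an added example (not part of the thread), a small Python parser over a constructed excerpt of the 'debug tacacs' lines above: it decodes the T+ header line (0xC0 is TACACS+ major version 12, minor 0, per RFC 8907), shows that the TPLUS(00000036) tag is the hex form of "request 54", and, on the assumption that "encryption failed for AAA request" means the server's reply did not decode under the key the switch holds, reports which servers each request failed against.

```python
import re
from collections import defaultdict

# Constructed excerpt of the 'debug tacacs' lines quoted in the thread
# (same addresses, request id and session id as above).
SAMPLE_DEBUG = """\
009236: Apr 16 15:30:17.538 UTC: TPLUS: Queuing AAA Authentication request 54 for processing
009240: Apr 16 15:30:17.541 UTC: TPLUS: Using server 10.1.1.1
009243: Apr 16 15:30:17.545 UTC: T+: Version 192 (0xC0), type 1, seq 1, encryption 1, SC 0
009244: Apr 16 15:30:17.545 UTC: T+: session_id 399221972 (0x17CBA4D4), dlen 38 (0x26)
009252: Apr 16 15:30:17.545 UTC: TPLUS(00000036): encryption failed for AAA request
009253: Apr 16 15:30:17.545 UTC: TPLUS: Choosing next server 10.1.1.2
009258: Apr 16 15:30:17.555 UTC: T+: Version 192 (0xC0), type 1, seq 1, encryption 1, SC 0
009267: Apr 16 15:30:17.555 UTC: TPLUS(00000036): encryption failed for AAA request
"""

HEADER_RE = re.compile(r"T\+: Version (\d+) \(0x[0-9A-Fa-f]+\), type (\d+), seq (\d+), encryption (\d+)")
SERVER_RE = re.compile(r"TPLUS: (?:Using server|Choosing next server) (\S+)")
FAIL_RE = re.compile(r"TPLUS\(([0-9A-Fa-f]+)\): encryption failed for AAA request")
PACKET_TYPES = {1: "AUTHEN", 2: "AUTHOR", 3: "ACCT"}  # RFC 8907 header 'type' values

def parse_header(line):
    """Decode one 'T+: Version ...' line. The version byte holds the major
    version in its high nibble and the minor in its low nibble (0xC0 = 12.0)."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    version, ptype, seq, enc = (int(x) for x in m.groups())
    return {"major": version >> 4, "minor": version & 0x0F,
            "type": PACKET_TYPES.get(ptype, ptype), "seq": seq, "encryption": enc}

def diagnose(debug_text):
    """Map each AAA request id to the servers it failed against. IOS prints
    the request id in hex inside TPLUS(...), so 00000036 is request 54.
    Assumption (not stated in the thread): 'encryption failed for AAA request'
    means the reply did not decode under the switch's key, so the same failure
    on every server in the group points at the shared secret, not reachability."""
    current_server = None
    failed = defaultdict(list)
    for line in debug_text.splitlines():
        s = SERVER_RE.search(line)
        if s:
            current_server = s.group(1)   # server the following exchange uses
            continue
        f = FAIL_RE.search(line)
        if f and current_server:
            failed[int(f.group(1), 16)].append(current_server)
    return dict(failed)
```

Running diagnose(SAMPLE_DEBUG) yields {54: ['10.1.1.1', '10.1.1.2']}: both servers in the group failed the same way for request 54, which is the pattern to check the configured key against before chasing routing.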