Tacacs+ 'aaa group server' vs 'tacacs server' commands

benbroadfoot
Level 1

Hi There,

I have 2 C9500 L3 switches set up and successfully authenticating to 2 ISE 2.6.0.156 servers using the following command set:

aaa group server tacacs+ ISE_SERVERS
server-private 10.x.x.1 key 7 blablabla
server-private 10.x.x.2 key 7 blablabla
ip tacacs source-interface Vlanxxx

aaa authentication login default group ISE_SERVERS local
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group ISE_SERVERS local if-authenticated
aaa accounting exec default start-stop group ISE_SERVERS
aaa accounting commands 0 default start-stop group ISE_SERVERS
aaa accounting commands 1 default start-stop group ISE_SERVERS
aaa accounting commands 15 default start-stop group ISE_SERVERS
aaa accounting network default start-stop group ISE_SERVERS
aaa accounting network SSH start-stop group ISE_SERVERS

Now if I apply the same config as above to some other switches (connected to the C9500s), I cannot get ISE to authenticate logon. I can ping the ISE servers from the offending switches, and ISE can ping the switches OK.

If I change the config on the offending switches to the following, everything works fine! Just wondering what the difference could be between using 'server-private' in the ISE_SERVERS tacacs+ group and using just the tacacs server command?

aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local

tacacs server ISE_SERVER
address ipv4 10.x.x.1
key 7 blablabla

Thanks!

26 Replies

balaji.bandi
Hall of Fame

Some other switches: we need more information on what model the switches are and what IOS code they are running.

The Cat 9500 runs the latest IOS XE code, so the syntax has changed, looking towards future config directions.

Some old IOS-based models need to use what is suggested.

I do see different config methods on different models of routers and switches.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi @balaji.bandi - other switches include:

IE-5000-12S12P-10G running 15.2(7)E3

IE-4010-16S12P running 15.2(7)E2

The C9500s that are working are:

C9500-48Y4C running Catalyst L3 Switch Software (CAT9K_IOSXE), Version 16.12.5b, RELEASE SOFTWARE (fc3)

 

Configuring TACACS+ (see the syntax supported):

https://www.cisco.com/c/en/us/td/docs/switches/lan/cisco_ie4010/software/release/15-2_4_EC/configuration/guide/scg-ie4010_5000/swauthen.html

Other note: the Cat 9500 is running an old version (that may be the ROMMON version you are showing). Check whether you are running 16.12.X; upgrade to 17.6.4, which has a lot of security and bug fixes. The 16.12.X code is no longer advised by TAC.

BB


ip tacacs source-interface Vlanxxx <<- is this VLAN interface up?

Hi @MHM Cisco World - yes, the VLAN is up.

Ping ISE using the VLAN interface as source.

Pings OK using the VLAN interface as source:

NSxxx#ping 10.x.x.1 source vlan xxx
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.x.x.1, timeout is 2 seconds:
Packet sent with a source address of 10.x.x.x
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

iskandar
Level 1

I recall in the past I had to use "server-private" when connecting to tacacs servers via a management VRF.

But then again, as someone mentioned above, the TACACS configuration can differ between different Cisco routers/platforms and software versions.

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_tacacs/configuration/xe-16/sec-usr-tacacs-xe-16-book/sec-vrf-tacas-svrs.html  

benbroadfoot
Level 1

OK, after testing with some of these suggestions I have realised that the 'server-private' commands are working on any of the L2 switches, no matter which model it is (IE5K & 4010). On the IE5Ks that have routing enabled it doesn't work, and I have to use the 'tacacs server' commands, which do work. Why would this make any difference?

As stated above, I can ping the ISE interface using the source option.

I did a deep dive and I think I found the solution here.
I will share the details later today or tomorrow at the latest.

Hi @MHM Cisco World - any luck with this? very interested to hear what you have found!

sure I will share tonight,

Hi @MHM Cisco World - can you please share when you have a chance? Thanks

@benbroadfoot Server-private means you cannot re-use the TACACS server in another server group, whereas a server name or server host can be re-used in another server group.

The use case for server-private is mostly in VRF-aware TACACS configurations.

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_tacacs/configuration/xe-3s/sec-usr-tacacs-xe-3s-book/sec-vrf-tacas-svrs.html

aaa group server radius LAB
 server-private x.x.x.x key abc
 ip vrf forwarding <vrf name>
 ip radius source-interface GigabitEthernet x/x/x

>> Using the tacacs server command keeps the TACACS server as part of the default VRF.

>> When using server-private, configure the "ip vrf forwarding <vrf name>" command under the "aaa group server" command and then check.
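As an added example (my code, not from the thread or from Cisco), the Python script below encodes the rule in the answer above as an audit over running-config text. It parses each `aaa group server tacacs+` block (its `server-private` entries and any `ip vrf forwarding` / `ip tacacs source-interface` lines), the top-level `ip tacacs source-interface`, the VRF of every interface, and the groups referenced by the `aaa authentication/authorization/accounting` method lists. It then flags a `server-private` group whose VRF binding differs from the VRF of its source interface, and the implicit `tacacs+` group (global `tacacs server` entries) when the source interface sits in a VRF, which is the L3-switch situation the thread describes. It also counts `key 7` entries, because type 7 is reversible obfuscation rather than encryption. The three sample configs are constructed: `10.0.0.1`, `10.0.0.2`, `Vlan100`, `MGMT` and the type-7 strings are placeholders, not the original poster's values.

```python
"""Audit Cisco IOS/IOS-XE TACACS+ config for routing-table mismatches (added example, not from the thread).
Rule from the answer above: 'server-private' entries follow the VRF bound to their 'aaa group server'
block (global table if none); 'tacacs server' entries always use the global table."""
import re
from dataclasses import dataclass, field


@dataclass
class ServerGroup:
    name: str
    private_servers: list = field(default_factory=list)  # server-private A.B.C.D key ...
    vrf: str = None                                      # (ip) vrf forwarding inside the group
    source_interface: str = None                         # ip tacacs source-interface inside the group


@dataclass
class TacacsConfig:
    groups: dict = field(default_factory=dict)              # group name -> ServerGroup
    global_source_interface: str = None                     # top-level ip tacacs source-interface
    interface_vrf: dict = field(default_factory=dict)       # interface -> VRF name (None = global table)
    method_list_groups: list = field(default_factory=list)  # 'group X' referenced by aaa method lists
    type7_keys: int = 0                                     # keys stored as reversible type-7 strings


def parse_config(text):
    cfg, kind, obj = TacacsConfig(), None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if re.search(r"\bkey 7 ", line):
            cfg.type7_keys += 1
        if not line.startswith(" "):
            kind, obj = None, None                        # a top-level line closes any open block
            if m := re.match(r"aaa group server tacacs\+ (\S+)$", line):
                kind, obj = "group", cfg.groups.setdefault(m[1], ServerGroup(m[1]))
            elif m := re.match(r"interface (\S+)$", line):
                kind, obj = "interface", m[1]
                cfg.interface_vrf.setdefault(obj, None)
            elif m := re.match(r"ip tacacs source-interface (\S+)", line):
                cfg.global_source_interface = m[1]
            elif m := re.match(r"aaa (?:authentication|authorization|accounting) .*?\bgroup (\S+)", line):
                cfg.method_list_groups.append(m[1])
            continue
        cmd = line.strip()                                # indented line: belongs to the open block
        if kind == "group":
            if m := re.match(r"server-private (\S+)", cmd):
                obj.private_servers.append(m[1])
            elif m := re.match(r"(?:ip )?vrf forwarding (\S+)", cmd):
                obj.vrf = m[1]
            elif m := re.match(r"ip tacacs source-interface (\S+)", cmd):
                obj.source_interface = m[1]
        elif kind == "interface" and (m := re.match(r"(?:ip )?vrf forwarding (\S+)", cmd)):
            cfg.interface_vrf[obj] = m[1]
    return cfg


def audit(cfg):
    """Return findings as strings; an empty list means the TACACS+ plumbing is consistent."""
    out = []
    for g in cfg.groups.values():
        src = g.source_interface or cfg.global_source_interface
        src_vrf = cfg.interface_vrf.get(src)              # None for the global table
        if g.private_servers and g.vrf != src_vrf:
            out.append(f"group {g.name}: server-private entries use VRF {g.vrf or 'global'} "
                       f"but source interface {src or '(none)'} is in VRF {src_vrf or 'global'}")
    if "tacacs+" in cfg.method_list_groups and (src_vrf := cfg.interface_vrf.get(cfg.global_source_interface)):
        out.append(f"group tacacs+: 'tacacs server' entries use the global table but source "
                   f"interface {cfg.global_source_interface} is in VRF {src_vrf}")
    if cfg.type7_keys:
        out.append(f"{cfg.type7_keys} key(s) stored as type 7 (reversible obfuscation, not encryption)")
    return out


# Constructed samples: addresses, Vlan100, MGMT and the type-7 strings are placeholders.
# Shape 1: the thread's server-private group on an L3 switch whose source SVI sits in a VRF.
L3_GROUP_NO_VRF = """\
interface Vlan100
 vrf forwarding MGMT
aaa group server tacacs+ ISE_SERVERS
 server-private 10.0.0.1 key 7 094F471A1A0A
 server-private 10.0.0.2 key 7 094F471A1A0A
 ip tacacs source-interface Vlan100
aaa authentication login default group ISE_SERVERS local
"""
# Shape 1 corrected: bind the group to the VRF its source interface lives in.
L3_GROUP_VRF_BOUND = L3_GROUP_NO_VRF.replace(" ip tacacs source-interface",
                                             " ip vrf forwarding MGMT\n ip tacacs source-interface")
# Shape 2: the thread's global 'tacacs server' form, with everything in the global table.
GLOBAL_FORM = """\
ip tacacs source-interface Vlan100
tacacs server ISE_SERVER
 address ipv4 10.0.0.1
 key 7 094F471A1A0A
aaa authentication login default group tacacs+ local
"""

if __name__ == "__main__":
    for label, text in (("L3 group, no VRF", L3_GROUP_NO_VRF), ("L3 group, VRF bound", L3_GROUP_VRF_BOUND),
                        ("global tacacs server", GLOBAL_FORM)):
        print(label, "->", audit(parse_config(text)) or "OK")
```

Run as a script, the first sample is flagged for the VRF mismatch, while the VRF-bound and global-form samples only carry the type-7 note. On the switch itself, `test aaa group ISE_SERVERS <user> <password> new-code` together with `debug tacacs` shows whether the request ever leaves the box and with which source address, which is the quickest way to confirm the routing-table mismatch this check predicts.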