02-01-2023 04:10 PM
Hi There,
I have 2 C9500 L3 switches set up and successfully authenticating to 2 ISE 2.6.0.156 servers using the following command set:
aaa group server tacacs+ ISE_SERVERS
server-private 10.x.x.1 key 7 blablabla
server-private 10.x.x.2 key 7 blablabla
ip tacacs source-interface Vlanxxx
aaa authentication login default group ISE_SERVERS local
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group ISE_SERVERS local if-authenticated
aaa accounting exec default start-stop group ISE_SERVERS
aaa accounting commands 0 default start-stop group ISE_SERVERS
aaa accounting commands 1 default start-stop group ISE_SERVERS
aaa accounting commands 15 default start-stop group ISE_SERVERS
aaa accounting network default start-stop group ISE_SERVERS
aaa accounting network SSH start-stop group ISE_SERVERS
Now if I apply the same config as above to some other switches (connected to the C9500s), I cannot get ISE to authenticate the logon. I can ping the ISE servers from the offending switches & ISE can ping the switches OK.
If I change the config on the offending switches to the following, everything works fine! Just wondering what the difference could be between using 'server-private' in the ISE_SERVERS tacacs+ group as opposed to using just the tacacs server command?
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
tacacs server ISE_SERVER
address ipv4 10.x.x.1
key 7 blablabla
Thanks!
02-01-2023 04:20 PM
Some other switches - need more information on what model of switch and what IOS code they are running.
Cat 9500 is on the latest IOS XE code, so the syntax changed, looking toward future config directions.
Some old models based on IOS need to use what is suggested.
I do see different config methods in different models of routers and switches.
02-01-2023 04:41 PM
Hi @balaji.bandi - other switches include:
IE-5000-12S12P-10G running 15.2(7)E3
IE-4010-16S12P running 15.2(7)E2
The C9500's that are working are:
C9500-48Y4C running Catalyst L3 Switch Software (CAT9K_IOSXE), Version 16.12.5b, RELEASE SOFTWARE (fc3)
02-01-2023 04:51 PM
Other note: the Cat 9500 is running an old version (that may be the ROMMON version you are showing). Check if you are running 16.12.X; upgrade to 17.6.4, which has a lot of security and bug fixes. The 16.12.X code is no longer advised by TAC.
02-01-2023 04:28 PM
ip tacacs source-interface Vlanxxx <<- is this VLAN interface UP?
02-01-2023 04:36 PM
Hi @MHM Cisco World - yes, the VLAN is up.
02-01-2023 04:37 PM
Ping ISE using the VLAN interface as source.
02-01-2023 05:36 PM
Pings OK using the VLAN interface as source:
NSxxx#ping 10.x.x.1 source vlan xxx
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.x.x.1, timeout is 2 seconds:
Packet sent with a source address of 10.x.x.x
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
02-01-2023 05:30 PM
I recall in the past I had to use "server-private" when connecting to tacacs servers via a management VRF.
But then again, as someone mentioned above, the tacacs configuration can differ between different Cisco router/switch platforms and software versions.
02-01-2023 05:42 PM
OK, after testing with some of these suggestions I have realised that the 'server-private' commands are working on any of the L2 switches, no matter which model it is (IE5K & 4010). On the IE5Ks that have routing enabled it doesn't work & I have to use the 'tacacs server' commands, which do work. Why would this make any difference?
As stated above, I can ping the ISE interface using the source option.
02-05-2023 03:18 AM
I made a deep dive and I think I found the solution here.
I will share details later today or tomorrow at the latest.
02-06-2023 02:46 PM
Hi @MHM Cisco World - any luck with this? very interested to hear what you have found!
02-06-2023 02:50 PM
Sure, I will share tonight.
02-12-2023 03:56 PM
Hi @MHM Cisco World - can you please share when you have a chance? Thanks
02-16-2023 05:14 AM
@benbroadfoot Server-private means you cannot re-use the TACACS server in another server group, whereas a server name or server host can be re-used in another server group.
The use case for server-private is mostly in VRF-aware TACACS configurations.
aaa group server radius LAB
server-private x.x.x.x key abc
ip vrf forwarding <vrf name>
ip radius source-interface GigabitEthernet x/x/x
>> Using the tacacs server command keeps the tacacs server as part of the default VRF.
>> When using server-private, configure the "ip vrf forwarding <vrf name>" command under the "aaa group server" command and then check.
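As an added example (not posted by anyone in this thread) of what the last reply describes: the tacacs+ group built with server-private can carry its own VRF binding and source interface, which the global tacacs server form cannot. The VRF name MGMT, the Vlan100 source interface and the 10.x.x.1/2 addresses are assumptions carried over from the redacted config above.

```ios
! Added example, not from the original thread.
! Assumed names: VRF MGMT, SVI Vlan100 (in VRF MGMT), ISE at 10.x.x.1 and 10.x.x.2.
!
! server-private keeps the servers local to this group, so the group can be
! bound to the VRF that the source SVI lives in. A global "tacacs server"
! definition has no VRF knob and is reached through the default VRF only.
aaa group server tacacs+ ISE_SERVERS
 server-private 10.x.x.1 key 7 blablabla
 server-private 10.x.x.2 key 7 blablabla
 ip vrf forwarding MGMT
 ip tacacs source-interface Vlan100
!
! The method lists reference the group, not the global server list.
aaa authentication login default group ISE_SERVERS local
aaa authorization exec default group ISE_SERVERS local if-authenticated
aaa accounting commands 15 default start-stop group ISE_SERVERS
!
! Checks (run from exec mode; testuser/testpass are placeholders):
!  show vrf MGMT                       -> Vlan100 should be listed under this VRF
!  show tacacs                         -> server state, and request/timeout counters
!  test aaa group ISE_SERVERS testuser testpass new-code
!                                      -> "User successfully authenticated" if the
!                                         path through the group works
```

The VRF under the group has to match the VRF of the source interface: if Vlan100 is in the global table, drop the ip vrf forwarding line, and if it is in MGMT, the line is required, otherwise the request is sourced from an interface the group cannot use and the switch falls through to the local method. On a pure L2 switch there is no VRF choice to make, which is consistent with the same group working there but not on the routed IE5K.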