cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2540
Views
0
Helpful
2
Replies

TACACS and SNMPv3 9300 switches IOS 16.6.6

colossus1611
Level 1
Level 1

Hi All,

 

Struggling with some basic TACACS setup on the 9300 switches. I have this configuration working successfully across all my other variety of switches and routers, but with different syntax in 9300, it somehow doesn't fit in, and I tried using the basic commands since then, and still failed at it.

 

Here's my basic configuration at the moment which doesn't allow me to login using TACACS. My local login is lost as well once I do this.

 

aaa authentication login default group tacacs+ local
aaa authorization network default group tacacs+ local
ip tacacs source-interface Vlan103
tacacs-server host abcd
tacacs server 1.1.1.1
key xxxxxxxxx

 

Below are the error messages I have been seeing on debug:

 

*Dec 23 04:03:55.956: TPLUS: Authentication start packet created for 4016(abc)
*Dec 23 04:03:55.957: TPLUS: Using server 1.1.1.1
*Dec 23 04:03:55.957: TPLUS(00000FB0)/0/NB_WAIT/7F8CD761DCA0: Started 5 sec timeout
*Dec 23 04:03:56.244: TPLUS(00000FB0)/0/NB_WAIT: socket event 2
*Dec 23 04:03:56.244: T+: Version 192 (0xC0), type 1, seq 1, encryption 1, SC 0
*Dec 23 04:03:56.244: T+: session_id 1500798533 (0x59745E45), dlen 32 (0x20)
*Dec 23 04:03:56.244: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
*Dec 23 04:03:56.244: T+: svc:LOGIN user_len:7 port_len:4 (0x4) raddr_len:13 (0xD) data_len:0
*Dec 23 04:03:56.244: T+: user: abc
*Dec 23 04:03:56.244: T+: port: tty2
*Dec 23 04:03:56.244: T+: rem_addr: 1.1.1.136
*Dec 23 04:03:56.244: T+: data:
*Dec 23 04:03:56.244: T+: End Packet
*Dec 23 04:03:56.244: TPLUS(00000FB0)/0/NB_WAIT: wrote entire 44 bytes request
*Dec 23 04:03:56.244: TPLUS(00000FB0)/0/READ: socket event 1
*Dec 23 04:03:56.244: TPLUS(00000FB0)/0/READ: Would block while reading
*Dec 23 04:03:56.532: TPLUS(00000FB0)/0/READ: socket event 1
*Dec 23 04:03:56.532: TPLUS(00000FB0)/0/READ: read entire 12 header bytes (expect 16 bytes data)
*Dec 23 04:03:56.532: TPLUS(00000FB0)/0/READ: socket event 1
*Dec 23 04:03:56.532: TPLUS(00000FB0)/0/READ: read entire 28 bytes response
*Dec 23 04:03:56.532: T+: Version 192 (0xC0), type 1, seq 2, encryption 1, SC 0
*Dec 23 04:03:56.532: T+: session_id 1500798533 (0x59745E45), dlen 16 (0x10)
*Dec 23 04:03:56.533: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:10, data_len:0
*Dec 23 04:03:56.533: T+: msg: password:
*Dec 23 04:03:56.533: T+: data:
*Dec 23 04:03:56.533: T+: End Packet
*Dec 23 04:03:56.533: TPLUS(00000FB0) login timer stopped
*Dec 23 04:03:56.533: TPLUS(00000FB0)/0/7F8CD761DCA0: Processing the reply packet
*Dec 23 04:03:56.533: TPLUS: Received authen response status GET_PASSWORD (8)
*Dec 23 04:03:56.533: TPLUS(00000FB0)/0/None: Started 120 sec timeout
*Dec 23 04:03:56.533: TPLUS: Queuing AAA Authentication request 4016 for processing
*Dec 23 04:03:56.533: TPLUS(00000FB0) login timer started 1020 sec timeout
*Dec 23 04:03:56.533: TPLUS: processing authentication continue request id 4016
*Dec 23 04:03:56.533: TPLUS: Authentication continue packet generated for 4016
*Dec 23 04:03:56.533: TPLUS(00000FB0)/0/None: Timer Stoped
*Dec 23 04:03:56.533: TPLUS(00000FB0)/0/WRITE/7F8CD761DCA0: Started 5 sec timeout
*Dec 23 04:03:56.533: T+: Version 192 (0xC0), type 1, seq 3, encryption 1, SC 0
*Dec 23 04:03:56.533: T+: session_id 1500798533 (0x59745E45), dlen 15 (0xF)
*Dec 23 04:03:56.533: T+: AUTHEN/CONT msg_len:10 (0xA), data_len:0 (0x0) flags:0x0
*Dec 23 04:03:56.533: T+: User msg: <elided>
*Dec 23 04:03:56.533: T+: User data:
*Dec 23 04:03:56.533: T+: End Packet
*Dec 23 04:03:56.533: TPLUS(00000FB0)/0/WRITE: wrote entire 27 bytes request
*Dec 23 04:03:56.824: TPLUS(00000FB0)/0/READ: socket event 1
*Dec 23 04:03:56.824: TPLUS(00000FB0)/0/READ: read entire 12 header bytes (expect 6 bytes data)
*Dec 23 04:03:56.824: TPLUS(00000FB0)/0/READ: socket event 1
*Dec 23 04:03:56.824: TPLUS(00000FB0)/0/READ: read entire 18 bytes response
*Dec 23 04:03:56.824: T+: Version 192 (0xC0), type 1, seq 4, encryption 1, SC 0
*Dec 23 04:03:56.824: T+: session_id 1500798533 (0x59745E45), dlen 6 (0x6)
*Dec 23 04:03:56.824: T+: AUTHEN/REPLY status:2 flags:0x0 msg_len:0, data_len:0
*Dec 23 04:03:56.824: T+: msg:
*Dec 23 04:03:56.824: T+: data:
*Dec 23 04:03:56.824: T+: End Packet
*Dec 23 04:03:56.824: TPLUS(00000FB0) login timer stopped
*Dec 23 04:03:56.824: TPLUS(00000FB0)/0/7F8CD761DCA0: Processing the reply packet
*Dec 23 04:03:56.824: TPLUS: Received authen response status FAIL (3)
*Dec 23 04:03:56.824: TPLUS: Invalid Client information received as input
*Dec 23 04:04:02.147: Socket I/O cleanup message sent to TACACS

 

 

 

 

 

Thanks in advance guys.

1 Accepted Solution

Accepted Solutions

Arne Bier
VIP
VIP

Hi @colossus1611 

 

Below is what we have running on our Cat9300 IOS-XE 16.12.01 (but it was working since we started on 16.9)

 

aaa new-model
aaa group server tacacs+ tacacs-ise-group
aaa authentication login default group tacacs-ise-group local
aaa authentication enable default group tacacs-ise-group enable
aaa authorization exec default group tacacs-ise-group local if-authenticated
aaa accounting commands 1 default start-stop group tacacs-ise-group
aaa accounting commands 15 default start-stop group tacacs-ise-group

tacacs server tacacs-ise1
 address ipv4 192.168.0.221
 key 7 xxxxxxxxxxxxxxxxxxxxxxxx

aaa group server tacacs+ tacacs-ise-group
 server name tacacs-ise1

View solution in original post

2 Replies 2

Jason Kunst
Cisco Employee
Cisco Employee
If this doesn’t work recommend posting or moving to the switching community

Arne Bier
VIP
VIP

Hi @colossus1611 

 

Below is what we have running on our Cat9300 IOS-XE 16.12.01 (but it was working since we started on 16.9)

 

aaa new-model
aaa group server tacacs+ tacacs-ise-group
aaa authentication login default group tacacs-ise-group local
aaa authentication enable default group tacacs-ise-group enable
aaa authorization exec default group tacacs-ise-group local if-authenticated
aaa accounting commands 1 default start-stop group tacacs-ise-group
aaa accounting commands 15 default start-stop group tacacs-ise-group

tacacs server tacacs-ise1
 address ipv4 192.168.0.221
 key 7 xxxxxxxxxxxxxxxxxxxxxxxx

aaa group server tacacs+ tacacs-ise-group
 server name tacacs-ise1
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: