12-22-2019 08:26 PM - edited 12-22-2019 09:22 PM
Hi All,
Struggling with some basic TACACS setup on the 9300 switches. I have this configuration working successfully across all my other variety of switches and routers, but with different syntax in 9300, it somehow doesn't fit in, and I tried using the basic commands since then, and still failed at it.
Here's my basic configuration at the moment which doesn't allow me to login using TACACS. My local login is lost as well once I do this.
aaa authentication login default group tacacs+ local
aaa authorization network default group tacacs+ local
ip tacacs source-interface Vlan103
tacacs-server host abcd
tacacs server 1.1.1.1
key xxxxxxxxx
Below are the error messages I have been seeing on debug:
*Dec 23 04:03:55.956: TPLUS: Authentication start packet created for 4016(abc)
*Dec 23 04:03:55.957: TPLUS: Using server 1.1.1.1
*Dec 23 04:03:55.957: TPLUS(00000FB0)/0/NB_WAIT/7F8CD761DCA0: Started 5 sec timeout
*Dec 23 04:03:56.244: TPLUS(00000FB0)/0/NB_WAIT: socket event 2
*Dec 23 04:03:56.244: T+: Version 192 (0xC0), type 1, seq 1, encryption 1, SC 0
*Dec 23 04:03:56.244: T+: session_id 1500798533 (0x59745E45), dlen 32 (0x20)
*Dec 23 04:03:56.244: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
*Dec 23 04:03:56.244: T+: svc:LOGIN user_len:7 port_len:4 (0x4) raddr_len:13 (0xD) data_len:0
*Dec 23 04:03:56.244: T+: user: abc
*Dec 23 04:03:56.244: T+: port: tty2
*Dec 23 04:03:56.244: T+: rem_addr: 1.1.1.136
*Dec 23 04:03:56.244: T+: data:
*Dec 23 04:03:56.244: T+: End Packet
*Dec 23 04:03:56.244: TPLUS(00000FB0)/0/NB_WAIT: wrote entire 44 bytes request
*Dec 23 04:03:56.244: TPLUS(00000FB0)/0/READ: socket event 1
*Dec 23 04:03:56.244: TPLUS(00000FB0)/0/READ: Would block while reading
*Dec 23 04:03:56.532: TPLUS(00000FB0)/0/READ: socket event 1
*Dec 23 04:03:56.532: TPLUS(00000FB0)/0/READ: read entire 12 header bytes (expect 16 bytes data)
*Dec 23 04:03:56.532: TPLUS(00000FB0)/0/READ: socket event 1
*Dec 23 04:03:56.532: TPLUS(00000FB0)/0/READ: read entire 28 bytes response
*Dec 23 04:03:56.532: T+: Version 192 (0xC0), type 1, seq 2, encryption 1, SC 0
*Dec 23 04:03:56.532: T+: session_id 1500798533 (0x59745E45), dlen 16 (0x10)
*Dec 23 04:03:56.533: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:10, data_len:0
*Dec 23 04:03:56.533: T+: msg: password:
*Dec 23 04:03:56.533: T+: data:
*Dec 23 04:03:56.533: T+: End Packet
*Dec 23 04:03:56.533: TPLUS(00000FB0) login timer stopped
*Dec 23 04:03:56.533: TPLUS(00000FB0)/0/7F8CD761DCA0: Processing the reply packet
*Dec 23 04:03:56.533: TPLUS: Received authen response status GET_PASSWORD (8)
*Dec 23 04:03:56.533: TPLUS(00000FB0)/0/None: Started 120 sec timeout
*Dec 23 04:03:56.533: TPLUS: Queuing AAA Authentication request 4016 for processing
*Dec 23 04:03:56.533: TPLUS(00000FB0) login timer started 1020 sec timeout
*Dec 23 04:03:56.533: TPLUS: processing authentication continue request id 4016
*Dec 23 04:03:56.533: TPLUS: Authentication continue packet generated for 4016
*Dec 23 04:03:56.533: TPLUS(00000FB0)/0/None: Timer Stoped
*Dec 23 04:03:56.533: TPLUS(00000FB0)/0/WRITE/7F8CD761DCA0: Started 5 sec timeout
*Dec 23 04:03:56.533: T+: Version 192 (0xC0), type 1, seq 3, encryption 1, SC 0
*Dec 23 04:03:56.533: T+: session_id 1500798533 (0x59745E45), dlen 15 (0xF)
*Dec 23 04:03:56.533: T+: AUTHEN/CONT msg_len:10 (0xA), data_len:0 (0x0) flags:0x0
*Dec 23 04:03:56.533: T+: User msg: <elided>
*Dec 23 04:03:56.533: T+: User data:
*Dec 23 04:03:56.533: T+: End Packet
*Dec 23 04:03:56.533: TPLUS(00000FB0)/0/WRITE: wrote entire 27 bytes request
*Dec 23 04:03:56.824: TPLUS(00000FB0)/0/READ: socket event 1
*Dec 23 04:03:56.824: TPLUS(00000FB0)/0/READ: read entire 12 header bytes (expect 6 bytes data)
*Dec 23 04:03:56.824: TPLUS(00000FB0)/0/READ: socket event 1
*Dec 23 04:03:56.824: TPLUS(00000FB0)/0/READ: read entire 18 bytes response
*Dec 23 04:03:56.824: T+: Version 192 (0xC0), type 1, seq 4, encryption 1, SC 0
*Dec 23 04:03:56.824: T+: session_id 1500798533 (0x59745E45), dlen 6 (0x6)
*Dec 23 04:03:56.824: T+: AUTHEN/REPLY status:2 flags:0x0 msg_len:0, data_len:0
*Dec 23 04:03:56.824: T+: msg:
*Dec 23 04:03:56.824: T+: data:
*Dec 23 04:03:56.824: T+: End Packet
*Dec 23 04:03:56.824: TPLUS(00000FB0) login timer stopped
*Dec 23 04:03:56.824: TPLUS(00000FB0)/0/7F8CD761DCA0: Processing the reply packet
*Dec 23 04:03:56.824: TPLUS: Received authen response status FAIL (3)
*Dec 23 04:03:56.824: TPLUS: Invalid Client information received as input
*Dec 23 04:04:02.147: Socket I/O cleanup message sent to TACACS
Thanks in advance guys.
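A way to read the `T+:` lines of a debug capture like the one in the post above, as an added example that is not part of the original thread: it rebuilds each authentication packet, maps the wire `status:` value to its RFC 8907 name (IOS prints its own internal numbers, such as `GET_PASSWORD (8)` and `FAIL (3)`, on the `TPLUS:` lines), and checks that `dlen` matches the announced field lengths. The function name `decode` and the result keys are hypothetical, and the sample is constructed from the posted lines with timestamps dropped.

```python
import re

# RFC 8907 authentication REPLY status values as sent on the wire.
STATUS = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER",
          5: "GETPASS", 6: "RESTART", 7: "ERROR", 0x21: "FOLLOW"}
# Fixed-size part of each authentication body in bytes (RFC 8907).
FIXED = {"START": 8, "REPLY": 6, "CONT": 5}
# Constructed sample: "T+:" lines from the debug above, timestamps dropped.
SAMPLE = """\
T+: Version 192 (0xC0), type 1, seq 1, encryption 1, SC 0
T+: session_id 1500798533 (0x59745E45), dlen 32 (0x20)
T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
T+: svc:LOGIN user_len:7 port_len:4 (0x4) raddr_len:13 (0xD) data_len:0
T+: Version 192 (0xC0), type 1, seq 2, encryption 1, SC 0
T+: session_id 1500798533 (0x59745E45), dlen 16 (0x10)
T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:10, data_len:0
T+: Version 192 (0xC0), type 1, seq 3, encryption 1, SC 0
T+: session_id 1500798533 (0x59745E45), dlen 15 (0xF)
T+: AUTHEN/CONT msg_len:10 (0xA), data_len:0 (0x0) flags:0x0
T+: Version 192 (0xC0), type 1, seq 4, encryption 1, SC 0
T+: session_id 1500798533 (0x59745E45), dlen 6 (0x6)
T+: AUTHEN/REPLY status:2 flags:0x0 msg_len:0, data_len:0
"""

def decode(log):
    """One dict per authentication packet: seq, kind, dlen, status, lengths_ok."""
    packets = []
    for line in log.splitlines():
        if "T+:" not in line:
            continue
        text = line.split("T+:", 1)[1]
        m = re.search(r"\bseq (\d+)", text)
        if m:  # the "Version ..." line opens a new packet
            packets.append({"seq": int(m.group(1)), "kind": None,
                            "dlen": None, "status": None, "var": 0})
        if not packets:
            continue
        p = packets[-1]
        if m := re.search(r"\bdlen (\d+)", text):
            p["dlen"] = int(m.group(1))
        if m := re.search(r"AUTHEN/(START|REPLY|CONT)", text):
            p["kind"] = m.group(1)
        if m := re.search(r"\bstatus:(\d+)", text):
            p["status"] = STATUS.get(int(m.group(1)), "UNKNOWN")
        # Add up every variable-length field the body announces.
        p["var"] += sum(int(n) for n in re.findall(r"\w+_len:(\d+)", text))
    for p in packets:
        p["lengths_ok"] = p["dlen"] == FIXED.get(p["kind"], 0) + p.pop("var")
    return packets
```

On the posted capture all four bodies pass the length check, which is what a correctly de-obfuscated body looks like, and the sequence ends in a `FAIL` reply sent by the server after the password was submitted.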
01-08-2020 10:01 PM
Below is what we have running on our Cat9300 IOS-XE 16.12.01 (but it was working since we started on 16.9)
aaa new-model
aaa group server tacacs+ tacacs-ise-group
aaa authentication login default group tacacs-ise-group local
aaa authentication enable default group tacacs-ise-group enable
aaa authorization exec default group tacacs-ise-group local if-authenticated
aaa accounting commands 1 default start-stop group tacacs-ise-group
aaa accounting commands 15 default start-stop group tacacs-ise-group
tacacs server tacacs-ise1
 address ipv4 192.168.0.221
 key 7 xxxxxxxxxxxxxxxxxxxxxxxx
aaa group server tacacs+ tacacs-ise-group
 server name tacacs-ise1