Showing results for 
Search instead for 
Did you mean: 

TACACS+ behavior on console versus vty


I have this strange behavior with TACACS+ on a 3850 switch.  If I console into the switch I authenticate against the ISE server and see it in the TACACS live logs  If I SSH into it it goes straight to local authentication without any attempt to contact TACACS on the ISE PSN. This is my AAA configuration


ISE is a TACACS server group, R-ISE is a RADIUS server group.


aaa authentication login VTY group ISE local
aaa authentication enable default group ISE enable
aaa authentication dot1x default group R-ISE
aaa authorization console
aaa authorization exec CON none
aaa authorization exec VTY group ISE local
aaa authorization network default group R-ISE
aaa authorization auth-proxy default group R-ISE


line con 0
 exec-timeout 0 0
 authorization exec CON
 logging synchronous
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 authorization exec VTY
 login authentication VTY
 transport input ssh

**Mark all helpful posts and solutions**

Mohammed al Baqari
VIP Advisor VIP Advisor
VIP Advisor
Once you login check show users to make sure that you are landing on any of
vty 0 - 4

They are.  Here is even more odd behavior. When I ssh in the login is using the local account, yet when I try to go into privileged exec, it is going to tacacs for authentication.  To be clear my local account is a username that I do not use in ISE for tacacs and I don't see anything in the live logs for the login, but do see failed attempts for the local username when I type enable.

**Mark all helpful posts and solutions**

Try something like the following but changing radius by tacacs accordingly. In addition to that, version required should be 15.x (latest). Please provide us with your version, do a DEBUG AAA and post the debug results.


aaa new-model
aaa authentication login default local
aaa authentication login CONS local
aaa authentication login VTY_AUTHC group radius local
aaa authorization console
aaa authorization exec default none
aaa authorization exec CONS if-authenticated
aaa authorization exec VTY_AUTHC group radius local
aaa accounting exec default start-stop group radius

username cisco password cisco

line con 0
 authorization exec CONS
 login authentication CONS
line vty 0 15
 authorization exec VTY_AUTHC
 login authentication VTY_AUTHC
 transport input all (use ssh or telnet or none, whatever you need)
 transport output all (IF needed)

As stated before ISE and R-ISE are working groups that go to the appropriate PSNs.   Anyways.  I got permission to reboot the switch and everything works the way it was supposed to. 

**Mark all helpful posts and solutions**

Rising star
Rising star

I suspect you are hitting by default the: "aaa authentication enable default group ISE enable", because of the version you are running. That could explain why you see entries in the tacacs live logs. the debug AAA would give us more clues.


SSH probably goes directly into your local account for authentication because there is something misconfigured on the RADIUS ISE authentication policies/enduser accounts or you are not pointing properly to the RADIUS ISE in the LAN Switch (not sure if you are using the same ISE for radius and tacacs).


aaa authentication login VTY group ISE local


You should have in the sw something like:

aaa group server radius R-ISE


server auth-port 1645 acct-port 1646




aaa group server tacacs+ ISE

server-private single-connection key 7 cisco (server-private can be replaced by server)


Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: