02-18-2024 11:15 PM - edited 02-18-2024 11:18 PM
Dear Community,
We are currently encountering a challenge in accessing the switch command-line interface (CLI) using user credentials from the Active Directory when the connection between the switch and the TACACS server (Cisco ISE) is unavailable. The error message indicates that the switch cannot establish communication with the Cisco ISE. We seek guidance on configuring the scenario wherein, in the event of TACACS being unreachable, the switch automatically checks for the existence of local usernames for access through Console or SSH,
i.e. a sequence that checks TACACS first and then the local database on the switch.
Below is our configuration on the switch:
==================================================================
aaa new-model
!
!
aaa authentication login default group ISE local
aaa authentication login console group ISE local
aaa authorization config-commands default group ISE local
aaa authorization commands default group ISE local
aaa accounting default group ISE local
aaa authentication login error-enable
tacacs-server directed-request
tacacs-server key 7 "*********"
tacacs-server host x.x.x.x key 7 "*******"
aaa group server tacacs+ ISE
server x.x.x.x
============================================================
Regards
Omran Mohamed
02-18-2024 11:27 PM
"If TACACS does not send the privilege level with the access-accept":
the local user and the user in AD will authenticate and get access at level 1; from there you need the enable password to access level 15.
So you need an enable password.
MHM
02-18-2024 11:34 PM
In example 2 of this guide
which you configured the same way (you added TACACS):
aaa authentication login console group ISE local
Here "console" is a method list, and since it is not the default you need to add this list under the console. Correct me if I am wrong.
For more info check example 2 in the link I shared.
Thanks
MHM
02-18-2024 11:36 PM
It depends on the model of the switch and the IOS code it is running. I use the config below all the time on IOS XE, and it works as expected when there is no ISE reachability:
username cisco privilege 15 secret 5 cisco
aaa new-model
tacacs server ISE1
address ipv4 192.100.1.1
key Mykey
tacacs server ISE2
address ipv4 192.200.1.1
key MyKey
ip tacacs source-interface Loopback0
aaa group server tacacs+ ISE_GRP
server name ISE1
server name ISE2
aaa authentication login default group ISE_GRP local
aaa authorization config-commands
aaa authorization exec default group ISE_GRP local
aaa authorization commands 0 default group ISE_GRP local
aaa authorization commands 1 default group ISE_GRP local
aaa authorization commands 15 default group ISE_GRP local
aaa accounting exec default start-stop group ISE_GRP
aaa accounting commands 0 default start-stop group ISE_GRP
aaa accounting commands 1 default start-stop group ISE_GRP
aaa accounting commands 15 default start-stop group ISE_GRP
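As an added example that is not part of any post in this thread: MHM's point that a non-default method list such as "console" does nothing until it is applied to a line, combined with the TACACS-then-local fallback shown in the working config above. Server address, key, usernames and the list name CONSOLE are assumptions.

```cisco
! Added example, not from the thread. Addresses, keys and names are placeholders.
aaa new-model
!
! Local fallback account. It is only consulted when every TACACS+ server
! fails to answer (ERROR). A TACACS+ reject (FAIL) does not fall through to
! the next method; the login simply fails, so a working ISE cannot be bypassed.
username admin-local privilege 15 secret <strong-password-here>
enable secret <strong-enable-secret-here>
!
tacacs server ISE1
 address ipv4 192.0.2.10
 key <tacacs-shared-secret>
 timeout 5
!
aaa group server tacacs+ ISE_GRP
 server name ISE1
!
! Method lists: ISE group first, local database second.
aaa authentication login default group ISE_GRP local
aaa authentication login CONSOLE group ISE_GRP local
! If ISE does not return a privilege level, users land at level 1 and need
! enable; this list lets enable fall back to the local enable secret.
aaa authentication enable default group ISE_GRP enable
aaa authorization exec default group ISE_GRP local
aaa authorization commands 15 default group ISE_GRP local
aaa authorization config-commands
!
! The named list must be bound to the line. vty lines pick up "default"
! automatically, but naming it keeps the intent explicit.
line con 0
 login authentication CONSOLE
 authorization exec default
line vty 0 4
 login authentication default
 authorization exec default
 transport input ssh
!
! Verification (run from exec mode, not part of the config):
!   show tacacs                  -> server state and request/timeout counters
!   test aaa group ISE_GRP <user> <password> new-code
```

Keep a second console session open while testing and block the server with an ACL or shut the uplink, rather than deleting the TACACS server, so you can confirm the local account works before relying on it.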