TACACS+ (ISE) configuration on a catalyst 9500 with Multiple-vrfs

hadeelOth81
Level 1

Hello All, 

Kindly, I need help to configure TACACS+ (ISE) on a Catalyst 9500 switch. The 9500 has 2 VRFs, and in the aaa group I specified the VRF and the source-interface.

I could successfully log in to the switch but cannot run any command. It gives me "Authorization Failed", and in ISE the logs show that the command was authorized successfully.

 

Any suggestions would be helpful. 

Thank you, 

  

1 Accepted Solution


Hi,

   Command authorization fails because, within your config, you're referencing globally configured TACACS servers which don't exist; your configuration uses aaa group settings. Perform the following changes and it will work:

no aaa authorization commands 0 default group tacacs+ local
no aaa authorization commands 1 default group tacacs+ local
no aaa authorization commands 15 default group tacacs+ local
!
aaa authorization commands 0 default group Group_Name local
aaa authorization commands 1 default group Group_Name local
aaa authorization commands 15 default group Group_Name local

Best,

Cristian. 
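The root cause above (method lists that say "group tacacs+", the built-in default group, while the servers live in a named, VRF-bound "aaa group server tacacs+" group) is easy to miss in a long AAA section. The following audit script is an added example, not part of the thread or any Cisco tool: it parses a "show run | section aaa" extract and reports every method list that still references the built-in group or a group name that is not defined. The group name ISE_GROUP, the VRF MGMT and the address 192.0.2.11 are constructed placeholders.

```python
import re

# Constructed sample modelled on the AAA section posted in the thread (names
# and addresses are placeholders, not the poster's real values).
SAMPLE_CONFIG = """\
aaa new-model
aaa group server tacacs+ ISE_GROUP
 server name ise-name1
 server name ise-name2
 ip vrf forwarding MGMT
 ip tacacs source-interface Loopback0
aaa authentication login default group ISE_GROUP local
aaa authorization exec default group ISE_GROUP if-authenticated
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting commands 15 default start-stop broadcast group ISE_GROUP
tacacs server ise-name1
 address ipv4 192.0.2.11
"""

GROUP_DEF = re.compile(r"^aaa group server (?:tacacs\+|radius) (\S+)$")
METHOD_LIST = re.compile(r"^aaa (?:authentication|authorization|accounting) (.+)$")
BUILTIN_GROUPS = {"tacacs+", "radius", "ldap"}


def audit_aaa_method_lists(config):
    """Return (line, reason) for each AAA method list that will not use a named
    VRF-aware server group: 'group tacacs+' is the built-in default group and
    carries no 'ip vrf forwarding'/'ip tacacs source-interface' binding."""
    lines = [l.strip() for l in config.splitlines()]
    named_groups = {m.group(1) for l in lines if (m := GROUP_DEF.match(l))}
    findings = []
    for line in lines:
        m = METHOD_LIST.match(line)
        if not m:
            continue
        tokens = m.group(1).split()
        for i, tok in enumerate(tokens[:-1]):  # every 'group <name>' pair
            if tok != "group":
                continue
            target = tokens[i + 1]
            if target in BUILTIN_GROUPS and named_groups:
                findings.append((line, f"uses built-in '{target}' group, not a VRF-aware named group"))
            elif target not in BUILTIN_GROUPS and target not in named_groups:
                findings.append((line, f"references undefined server group '{target}'"))
    return findings


if __name__ == "__main__":
    for line, reason in audit_aaa_method_lists(SAMPLE_CONFIG):
        print(f"{line}\n    -> {reason}")
```

Run against the sample it flags exactly the two "commands" authorization lines that the accepted answer tells the poster to replace; after the fix it reports nothing.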


8 Replies

aaa group server tacacs+ group-name

server-private {ip-address | name} [nat] [single-connection] [port port-number] [timeout seconds] [key [0 | 7] string]

 ip vrf forwarding vrf-name

 ip tacacs source-interface

Do the config as above.

MHM

Hello @MHM Cisco World,

   Unfortunately, it did not work. I am still facing "Authorization Failed".

Thanks, 

 

Can I see the full config?

MHM

As I see it, you don't use the server-private command under the group?

Check the config I shared above.

MHM

Cristian Matei
VIP Alumni

Hi,

   Please share the complete AAA config, as well as the VTY lines and console config, and a print-screen of the ISE TACACS log message.

Best,

Cristian.

Here is the configuration 

 

switch1#sh run | sec aaa
aaa new-model
aaa local authentication attempts max-fail 10
aaa group server tacacs+ (Group-Name)
server name ise-name1
server name ise-name2
ip vrf forwarding vrf-name
ip tacacs source-interface Loopback0
aaa authentication login default group Group_Name local
aaa authentication login synchronization none
aaa authorization config-commands
aaa authorization exec default group Group_Name if-authenticated
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting update newinfo
aaa accounting exec default start-stop broadcast group Group-Name
aaa accounting commands 1 default start-stop broadcast group Group-Name
aaa accounting commands 15 default start-stop broadcast group Group-Name
aaa session-id common


tacacs server ise-name1
address ipv4 IP
key 7 Key

tacacs server ise-name2
address ipv4 IP
key 7 Key

Thank you, 

 


Thank you @Cristian Matei. It solved the issue.