JG is right, your requests

slicerpro · ‎08-19-2015

I have several 2960's running 12.2(5x)SE. I have tacacs configured exactly the same way and yet on a few, I can't get it to work. I feel that the switch is simply not sending out tacacs traffic. Here is some output for your digestion:

AAAAAA#sh run | i aaa
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default none
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default local group tacacs+
aaa authorization network default local group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common

AAAAAA#sh run | i tacacs-
tacacs-server host x.191.0.130 key 7 XXXXXXXXXXXXXXXX
tacacs-server directed-request

CALGSISWDR01#sh tacacs

Tacacs+ Server : x.191.0.130/49
Socket opens: 49
Socket closes: 49
Socket aborts: 0
Socket errors: 0
Socket Timeouts: 0
Failed Connect Attempts: 0
Total Packets Sent: 0
Total Packets Recv: 0

I have heard of there having been bugs on otther code versions but not this one. Has anyone come across this issue and any workarounds?

Any quick response will be appreciated.

edwardcollins7 · ‎08-20-2015

Hey,

Please share:

debug aaa authentication

debug aaa authorization

debug tacacs+

Regards

Ed

slicerpro · ‎08-20-2015

hmm, not sure about running debug commands around here, is there another way to be trying while I see about clearance to run those commands?

Jagdeep Gambhir · ‎08-20-2015

Make sure,

1) Proper source interface is defined for tacacs

2) Check tacacs key on both ends

3) Check for any firewall blocking port 49.

4) Rule out any layer3/4 issues.

Regards,

~JG

Do rate helpful posts

slicerpro · ‎08-20-2015

How do you configure the source interface? I don't think it is taking the command for me.

Jagdeep Gambhir · ‎08-20-2015

It seems your request is timing out. Define source interface,

ip tacacs source-interface

To use the IP address of a specified interface for all outgoing TACACS+ packets, use the ip tacacs source-interface command in global configuration mode. To disable use of the specified interface IP address, use the no form of this command.

ip tacacs source-interface interface-name

no ip tacacs source-interface

Regards,

~JG

Do rate helpful posts

slicerpro · ‎08-20-2015

I configured the source interface, i'm still getting 'access denied'. This is the same tacacs server working for other switches across the network.

slicerpro · ‎08-20-2015

Does the server need to be configured to accept tacacs traffic from this switch? I don't think it configured that way for the other switches.

edwardcollins7 · ‎08-20-2015

JG is right, your requests are timing out.

Yes, the server needs to be configured to accept tacacs + traffic from this switch.

Especially after configuring source interface, that interface/IP should be configured on the server.

Without this all your other devices would not be working.

Unless, you have an allow all devices exception on the server.

Ed

slicerpro · ‎08-21-2015

I will check whether or not the server is configured to allow and will update.

slicerpro · ‎10-14-2015

JG I have attached some of the output you asked for. but first off the block, I noticed this in my aaa output rem_addr='x.191.0.25'. now that is not my tacacs server ip address.. does that mean anything?

slicerpro · ‎11-12-2015

I implemented some of these recomendations and together with some upsteam firewall changes, aaa is working perfectly.

Thank you all for your help.

Tacacs not working on C2960 running c2960-lanbasek9-mz.122-52.SE.bin