08-19-2015 03:53 PM - edited 03-10-2019 10:59 PM
I have several 2960s running 12.2(5x)SE. I have TACACS configured exactly the same way, and yet on a few I can't get it to work. I feel that the switch is simply not sending out TACACS traffic. Here is some output for your digestion:
AAAAAA#sh run | i aaa
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default none
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default local group tacacs+
aaa authorization network default local group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common
AAAAAA#sh run | i tacacs-
tacacs-server host x.191.0.130 key 7 XXXXXXXXXXXXXXXX
tacacs-server directed-request
CALGSISWDR01#sh tacacs
Tacacs+ Server : x.191.0.130/49
Socket opens: 49
Socket closes: 49
Socket aborts: 0
Socket errors: 0
Socket Timeouts: 0
Failed Connect Attempts: 0
Total Packets Sent: 0
Total Packets Recv: 0
I have heard of there having been bugs on other code versions but not this one. Has anyone come across this issue and any workarounds?
Any quick response will be appreciated.
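As an added illustration (not part of the original post), the counters above can be parsed and checked mechanically; the parser and the heuristic names below are mine, and the sample text is a copy of the `show tacacs` output as posted.

```python
import re

# Constructed sample: the counters exactly as they appeared in the post above.
SAMPLE_SHOW_TACACS = """\
Tacacs+ Server : x.191.0.130/49
Socket opens: 49
Socket closes: 49
Socket aborts: 0
Socket errors: 0
Socket Timeouts: 0
Failed Connect Attempts: 0
Total Packets Sent: 0
Total Packets Recv: 0
"""


def parse_show_tacacs(text):
    """Return {server: {counter_name: int}} from IOS `show tacacs` output.

    Counter names are lowercased with spaces replaced by underscores,
    e.g. "Total Packets Sent" -> "total_packets_sent".
    """
    servers = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"\s*Tacacs\+ Server\s*:\s*(\S+)", line)
        if m:
            current = m.group(1)
            servers[current] = {}
            continue
        m = re.match(r"\s*([A-Za-z ]+?)\s*:\s*(\d+)\s*$", line)
        if m and current is not None:
            key = m.group(1).strip().lower().replace(" ", "_")
            servers[current][key] = int(m.group(2))
    return servers


def assess(counters):
    """Return a list of finding tags for one server's counter block (my heuristics)."""
    findings = []
    opens = counters.get("socket_opens", 0)
    sent = counters.get("total_packets_sent", 0)
    recv = counters.get("total_packets_recv", 0)
    if counters.get("failed_connect_attempts", 0) > 0:
        findings.append("tcp_connect_failures")        # port 49 unreachable or server down
    if counters.get("socket_timeouts", 0) > 0:
        findings.append("server_not_answering")        # TCP up, but no TACACS+ reply
    if opens > 0 and sent == 0:
        findings.append("sockets_opened_but_no_requests_sent")  # the symptom in this thread
    if sent > 0 and recv == 0:
        findings.append("requests_unanswered")         # server silently drops this client
    if opens == 0:
        findings.append("server_never_contacted")
    return findings
```

Running `assess(parse_show_tacacs(SAMPLE_SHOW_TACACS)["x.191.0.130/49"])` on the posted counters flags only the "sockets opened but no requests sent" condition, which matches the "not sending out tacacs traffic" description.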
08-20-2015 09:07 AM
Hey,
Please share:
debug aaa authentication
debug aaa authorization
debug tacacs+
Regards
Ed
08-20-2015 10:32 AM
hmm, not sure about running debug commands around here, is there another way to be trying while I see about clearance to run those commands?
08-20-2015 10:49 AM
Make sure,
1) Proper source interface is defined for tacacs
2) Check tacacs key on both ends
3) Check for any firewall blocking port 49.
4) Rule out any layer3/4 issues.
Regards,
~JG
Do rate helpful posts
08-20-2015 01:44 PM
How do you configure the source interface? I don't think it is taking the command for me.
08-20-2015 02:55 PM
It seems your request is timing out. Define source interface,
ip tacacs source-interface
To use the IP address of a specified interface for all outgoing TACACS+ packets, use the ip tacacs source-interface command in global configuration mode. To disable use of the specified interface IP address, use the no form of this command.
ip tacacs source-interface interface-name
no ip tacacs source-interface
Regards,
~JG
Do rate helpful posts
08-20-2015 03:02 PM
I configured the source interface; I'm still getting 'access denied'. This is the same TACACS server working for other switches across the network.
08-20-2015 03:04 PM
Does the server need to be configured to accept TACACS traffic from this switch? I don't think it is configured that way for the other switches.
08-20-2015 08:08 PM
JG is right, your requests are timing out.
Yes, the server needs to be configured to accept tacacs + traffic from this switch.
Especially after configuring source interface, that interface/IP should be configured on the server.
Without this all your other devices would not be working.
Unless, you have an allow all devices exception on the server.
Ed
08-21-2015 07:11 AM
I will check whether or not the server is configured to allow and will update.
10-14-2015 09:58 AM
11-12-2015 12:07 PM
I implemented some of these recommendations and, together with some upstream firewall changes, AAA is working perfectly.
Thank you all for your help.