TACACS Remote Address from Console

pinglis
Level 7

I have set up a new stack of Catalyst 9300 switches and when I log in from the console (using the USB port) the remote address seen by ISE in the TACACS logs is 192.168.1.5.

Previously console logins show a Remote Access of "async".

To be clear, I am not talking about the switches' source address but the address of the client connecting to the switch.

Is there any way to configure the Remote Address sent for console logins?

We have a policy restricting access to specific Remote Address and I would like to avoid including 192.168.x.x in the policy.


1 Accepted Solution

Accepted Solutions

hslai
Cisco Employee

In case the previous console logins were via RJ45, then it seems to be a bug and I would recommend contacting TAC to report it.

In my experience, async usually means connections to a terminal server port.


6 Replies


wags
Level 1

Did TAC ever determine that this was something they cared about and give it a BugID? This is really bothersome since that address is not in our ACLs and yet it shows up. It would seem that we can no longer trust the logging that Cisco provides with/for security.

FWIW, this is occurring on both the USB and the RJ45 on IOS version 17.12.05 on one of our switches. Stack of two C9300-48P. Logs show another, but we have not visited to investigate further. Still looking, trying to determine if more are doing this. The 3850 I'm working with at my desk does NOT seem to have the issue.

This is very concerning that security records seem to be untrustworthy and inaccurate. 

For the next person who runs into this and wonders what is going on, I found the following. If you've been around Cisco for decades like myself, you'll have run into stack switch members that you cannot log onto because someone didn't set the stack membership correctly and you didn't choose the "master" (or other variation on that theme). So at least on the 9300 stack I am working with, you can log onto any of the stack members, not just the master. If you log onto the master, then the TACACS logs have the Remote Address as async. If you log onto one of the non-masters it shows as 192.168.1.5 as the Remote Address. The really bad part of this is that for my network, that address is in an address space we have.

I am not sure if there are any commands on the switch config to address this "feature". Anyone know?

Clarification on the above post. You seem to be able to not only log on to non-master console ports of the 9300 stack, but also issue commands. That is assuming your ISE TACACS policies match in some way.

Only because I often find posts that I really wished had the ending details, I am adding this (I think) final post.  

From what I've found, what is being seen is the switch internal VRF doing a redirected stack console session (192.168.1.5, ttyx). This allows all switch console ports in the stack to be used as a console for logon and CLI work. This feature apparently came about with IOS-XE and the 3850 series of switches. You can disable the function so that only the master switch will support console login and CLI. However, that is kind of counterproductive since sometimes the masters are not set correctly and finding it is frustrating while in a comm closet which always seems too small.

As a final note, we are a largish shop with well over 1K L2ish switches and over 75K active user ports as well as many L3 devices.  We have a lot of switch admins and it is almost universal when I started asking about this feature of the console.  The young bucks never knew about needing to find the master switch for console access and the old timers said hey that's cool, when did that feature happen?  Ya, CCNP for over 20 years doesn't mean you have every aspect of IOS in your tool belt.  

Hope this helps someone.
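The thread describes two ways a console login shows up in the ISE TACACS logs: "async" when the session is on the active (master) stack member, and 192.168.1.5 when the session is a console redirected from a non-master member over the internal VRF. The script below is an added example, not code from the thread or from Cisco, showing how a defender reviewing those logs could classify each record by origin and apply the original poster's goal of restricting network logins to an allow-list without adding 192.168.x.x to it. The log lines are constructed in a simplified key=value layout (not the real ISE report format), and the allow-list subnet, device name and usernames are assumptions.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample records in a simplified key=value layout. This is NOT
# the exact ISE TACACS report format, only the fields the thread discusses.
SAMPLE_LOG = """\
2024-05-01T10:00:00 NetworkDeviceName=SW-9300-STACK Username=alice RemoteAddress=async Port=tty0 Status=Passed
2024-05-01T10:05:00 NetworkDeviceName=SW-9300-STACK Username=bob RemoteAddress=192.168.1.5 Port=tty1 Status=Passed
2024-05-01T10:07:00 NetworkDeviceName=SW-9300-STACK Username=carol RemoteAddress=10.20.30.40 Port=tty4 Status=Passed
2024-05-01T10:09:00 NetworkDeviceName=SW-9300-STACK Username=dave RemoteAddress=192.168.1.77 Port=tty5 Status=Passed
"""

# Address the thread reports for a console session redirected from a
# non-master stack member over the switch's internal VRF.
STACK_CONSOLE_REDIRECT_ADDR = "192.168.1.5"

# Hypothetical allow-list of management subnets accepted for network logins.
ALLOWED_REMOTE_NETWORKS = [ipaddress.ip_network("10.20.30.0/24")]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_record(line: str) -> Dict[str, object]:
    """Turn one sample line into a dict of its key=value fields plus the timestamp."""
    fields: Dict[str, object] = dict(FIELD_RE.findall(line))
    fields["Timestamp"] = line.split(" ", 1)[0]
    return fields


def classify_remote_address(remote: str) -> str:
    """Map the RemoteAddress value to the login origin described in the thread."""
    if remote == "async":
        return "console-active-member"
    if remote == STACK_CONSOLE_REDIRECT_ADDR:
        return "console-stack-member-redirect"
    try:
        ipaddress.ip_address(remote)
    except ValueError:
        return "unknown"
    return "network"


def policy_allows(remote: str, origin: str) -> bool:
    """Apply the remote-address policy.

    Both console origins are accepted without consulting the IP allow-list,
    so the 192.168.x.x redirect address never has to be added to it. Network
    logins must come from an allowed subnet; anything unparseable is denied.
    """
    if origin.startswith("console-"):
        return True
    if origin != "network":
        return False
    addr = ipaddress.ip_address(remote)
    return any(addr in net for net in ALLOWED_REMOTE_NETWORKS)


def review_log(text: str) -> List[Dict[str, object]]:
    """Annotate every record with its Origin and the PolicyAllowed decision."""
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        remote = str(rec["RemoteAddress"])
        origin = classify_remote_address(remote)
        rec["Origin"] = origin
        rec["PolicyAllowed"] = policy_allows(remote, origin)
        results.append(rec)
    return results


if __name__ == "__main__":
    for r in review_log(SAMPLE_LOG):
        print(f'{r["Timestamp"]} {r["Username"]:8} {str(r["RemoteAddress"]):14} '
              f'{r["Port"]:5} {r["Origin"]:30} allowed={r["PolicyAllowed"]}')
```

One caveat the thread itself raises: wags notes that 192.168.1.5 falls inside address space his network actually uses, so matching on the address alone cannot tell a redirected stack console apart from a genuine network login from a host with that address. In a real deployment the Port (tty) field and the network device involved would need to be taken into account as well before treating such a record as a console session.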