07-25-2022 07:27 AM
Hello All, I configured AAA on a c9300-48P, but I can't seem to log in to the switch using the AAA credentials.
Find the configuration below:
SW#sh run aaa
!
aaa authentication login AAA group tacacs+ local
aaa authorization exec AAA group tacacs+ local
aaa accounting commands 15 AAA start-stop group tacacs+
!
tacacs server ACS1
 address ipv4 x.x.x.x
 key ######
tacacs server ACS2
 address ipv4 x.x.x.x
 key ######
!
aaa new-model
aaa session-id common
!
Kindly assist
07-26-2022 01:47 PM - edited 07-26-2022 02:20 PM
ip tacacs source-interface interface-name [vrf vrf-name]
This only selects the source of the packets sent from your SW to the AAA server.
07-25-2022 07:35 AM
We also need the config of line vty; please share it here.
07-26-2022 02:34 AM
Hello there,
This is the line vty output:
line vty 0 4
 authorization exec AAA
 accounting commands 15 AAA
 login authentication AAA
 transport input ssh
 transport output ssh
line vty 5 98
 authorization exec AAA
 accounting commands 15 AAA
 login authentication AAA
 transport input ssh
 transport output ssh
07-26-2022 01:36 PM
The line vty looks correct. What do you see on the TACACS+ server? Any errors? Have you also run some commands to test the comms from switch to TACACS+ server etc.?
show tacacs
ping <ip_of_tacacs_servers>
debug tacacs authentication
debug tacacs authorization
07-27-2022 08:32 AM
07-27-2022 08:29 AM
Hello there, I'm a bit confused with the command
07-27-2022 08:30 AM
What are you confused about?
07-27-2022 09:30 AM
https://community.cisco.com/t5/network-access-control/tacacs-authentication-not-working/td-p/2776891
Same issue, and one solution is to configure the interface that is used as the source of packets from the SW to the AAA server.
08-03-2022 02:06 PM
Many thanks @MHM Cisco World , @Arne Bier , @Rob Ingram for your help.
I added the config ip tacacs source-interface (vlan id) and the issue was resolved.
Thanks everyone
08-03-2022 02:15 PM
You're so so welcome
07-25-2022 08:21 AM
@ugwuugochukwukizito Do you see anything in the logs on the ACS/ISE?
Have you created a NAD in ACS of the switch IP address and entered the correct shared secret?
Is the TACACS request sourced from the correct IP address (the IP address defined on ACS)? If not specify the source interface on the switch.
You may be using ACS, but this ISE device administration guide has all the switch configuration commands, as you don't appear to have configured all the aaa commands. https://community.cisco.com/t5/security-knowledge-base/cisco-ise-device-administration-prescriptive-deployment-guide/ta-p/3738365
07-25-2022 06:32 PM
It appears you're using a method list in your aaa commands - as MHM mentioned, we need to see the output of
show run | sec line
to see if/how you have implemented the method list correctly.
If you didn't intentionally want this, then replace the AAA with 'default'
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
07-27-2022 01:17 PM
OK - now that we have some basic troubleshooting under way, let's continue with some more. The switch can ping the TACACS server. In your original post you mentioned ACS1 and ACS2 - I assume the TACACS servers are Cisco ACS servers?
Have you added the switch into the ACS server's Network Devices config?
TACACS uses TCP as a transport - the debug you attached might indicate that the peer device (ACS) reset the TCP connection because the switch has not been defined as a client in ACS. Or, it might be that there is a firewall in the way and it's allowing ICMP (ping) but not TCP/49 (TACACS protocol).
Does your switch have any VRF definitions? If yes, then as MHM rightly said early on, you must ensure that the IOS TACACS configuration is made "vrf aware" - ensure that the correct VRF is mentioned in any TACACS config, and also the correct Source Interface is specified - the same interface IP address that you used when you added the client into ACS.
And then there is the ACS configuration.
How about an output of the command
show tacacs
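As an added worked example (not the original poster's configuration and not taken from any reply), here is the consolidated device-administration config the thread converges on, with the troubleshooting commands the replies mention. The interface name Vlan10, the VRF name MGMT and the server-group name ACS-GROUP are assumptions; the server names ACS1/ACS2 and the x.x.x.x addresses are the placeholders from the original post.

```cisco
! Added example, not from the original thread.
! Assumptions (not in the posts): Vlan10 is the management SVI whose address
! is registered as the network device (NAD) in ACS; MGMT is the VRF it sits in.
aaa new-model
aaa session-id common
!
tacacs server ACS1
 address ipv4 x.x.x.x
 key ######
tacacs server ACS2
 address ipv4 x.x.x.x
 key ######
!
! Without a source interface, IOS sources TCP/49 from whichever interface
! routes toward the server. If that address is not the one defined as the NAD
! in ACS, ACS drops or resets the connection even though ping works.
!
! Fix A (no VRF): pin the global TACACS source to the SVI registered in ACS.
ip tacacs source-interface Vlan10
!
! Fix B (management VRF, assumed): put the servers in a group, bind the group
! to the VRF and set the source interface on the group. This replaces Fix A
! for any method list that references the group.
aaa group server tacacs+ ACS-GROUP
 server name ACS1
 server name ACS2
 ip vrf forwarding MGMT
 ip tacacs source-interface Vlan10
!
! Named method lists as in the original post, now pointing at the group.
aaa authentication login AAA group ACS-GROUP local
aaa authorization exec AAA group ACS-GROUP local if-authenticated
aaa accounting exec AAA start-stop group ACS-GROUP
aaa accounting commands 15 AAA start-stop group ACS-GROUP
!
! A named list does nothing until a line references it (the reason the
! replies asked for "show run | sec line").
line vty 0 4
 login authentication AAA
 authorization exec AAA
 accounting exec AAA
 accounting commands 15 AAA
 transport input ssh
!
! Verification from the CLI, keeping the current session open while testing:
!   test aaa group ACS-GROUP <user> <password> legacy
!   show tacacs            (socket opens/closes/aborts, failed connect attempts)
!   debug tacacs authentication
```

Two caveats worth keeping in mind when testing this. First, the `local` keyword at the end of a method list is only consulted when the TACACS+ servers are unreachable (connection error or timeout); a reject from ACS, for example because the shared secret is wrong, is a final answer and does not fall through to the local database. Second, `test aaa group ... legacy` exercises the same source interface, VRF and key as a real login, so if it fails while ping succeeds, the NAD definition in ACS, the source address, or a firewall on TCP/49 is the place to look.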