UNABLE TO ACCESS SWITCH USING AAA CREDENTIALS

Hello All, I configured AAA on a c9300-48P, but I can't seem to login to the switch using the AAA credentials.

 

Find the configuration below:

SW#sh run aaa
!
aaa authentication login AAA group tacacs+ local
aaa authorization exec AAA group tacacs+ local
aaa accounting commands 15 AAA start-stop group tacacs+
!
tacacs server ACS1
 address ipv4 x.x.x.x
 key ######
tacacs server ACS2
 address ipv4 x.x.x.x
 key ######
!
aaa new-model
aaa session-id common
!

 

Kindly assist 

 

1 Accepted Solution

Accepted Solutions

ip tacacs source-interface interface-name [vrf vrf-name]

This only selects the source of packets from your SW to the AAA server.


13 Replies

We also need the config of line vty.
Please share it here.

Hello there,

This is the line vty output:

line vty 0 4
 authorization exec AAA
 accounting commands 15 AAA
 login authentication AAA
 transport input ssh
 transport output ssh
line vty 5 98
 authorization exec AAA
 accounting commands 15 AAA
 login authentication AAA
 transport input ssh
 transport output ssh

 

The line vty looks correct. What do you see on the TACACS+ server? Any errors? Have you also run some commands to test the comms from switch to TACACS+ server etc.?

show tacacs
ping <ip_of_tacacs_servers>
debug tacacs authentication
debug tacacs authorization

 

Hello Arne, 

 

Yes I can ping the tacacs server from the switch.

 

I've attached the debug authentication output. 

I can't seem to make anything out of it.

Kindly assist. 

ip tacacs source-interface interface-name [vrf vrf-name]

This only selects the source of packets from your SW to the AAA server.

Hello there, I'm a bit confused by the command.

What are you confused about?

https://community.cisco.com/t5/network-access-control/tacacs-authentication-not-working/td-p/2776891

Same issue, and one solution: configure the interface that is used as the source of packets from the SW to the AAA server.

Many thanks @MHM Cisco World , @Arne Bier , @Rob Ingram for your help.

I added the config ip tacacs source-interface (vlan id) and the issue was resolved.

 

Thanks everyone

You are so so welcome.

@ugwuugochukwukizito Do you see anything in the logs on the ACS/ISE?

Have you created a NAD in ACS of the switch IP address and entered the correct shared secret?

Is the TACACS request sourced from the correct IP address (the IP address defined on ACS)? If not specify the source interface on the switch.

You may be using ACS, but this ISE device administration guide has all the switch configuration commands, as you don't appear to have configured all the aaa commands. https://community.cisco.com/t5/security-knowledge-base/cisco-ise-device-administration-prescriptive-deployment-guide/ta-p/3738365

 

Arne Bier
VIP

It appears you're using a method list in your aaa commands - as MHM mentioned, we need to see the output of 

show run | sec line

to see if/how you have implemented the method list correctly.

If you didn't intentionally want this, then replace the AAA with 'default'

 

aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

Arne Bier
VIP

OK - now that we have some basic troubleshooting under way, let's continue with some more. The switch can ping the TACACS server. In your original post you mentioned ACS1 and ACS2 - I assume the TACACS servers are Cisco ACS servers?

Have you added the switch into the ACS server's Network Devices config?

TACACS uses TCP as a transport - the debug you attached might indicate that the peer device (ACS) reset the TCP connection because the switch has not been defined as a client in ACS. Or, it might be that there is a firewall in the way and it's allowing ICMP (ping) but not TCP/49 (TACACS protocol).

Does your switch have any VRF definitions? If yes, then as MHM rightly said early on, you must ensure that the IOS TACACS configuration is made "vrf aware" - ensure that the correct VRF is mentioned in any TACACS config, and also the correct Source Interface is specified - the same interface IP address that you used when you added the client into ACS.

And then there is the ACS configuration.

How about an output of the command

show tacacs