NCS540 tacacs failure


We are in trouble with tacacs authentication on Cisco NCS 540.

We have configured tacacs and we can log in to the router, but we can't do any configuration and also can't do show run.

Tacacs is a free tacacs server.

RP/0/RP0/CPU0:HM(config)#router ospf test
% This command is not authorized


Configuration is below:

tacacs-server host 172.23.1.11 port 49
key 7 011E091752054B01204B4F070D45
single-connection


aaa group server tacacs+ tacgrp
server 172.23.1.11
!
aaa authorization exec tacauthen group tacgrp local
aaa authentication login taclogin group tacgrp local
line console
timeout login response 30
authorization exec tacauthen
login authentication taclogin
timestamp
exec-timeout 0 0
session-timeout 15
!
vty-pool default 0 99 line-template console



M02@rt37

Hello @ElshanMammadli5597 

Add this please:

aaa authorization commands 15 tacauthen group tacgrp local

This line ensures that any command at privilege level 15 is authorized through the TACACS+ server (and falls back to local if the server is unreachable).

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

I added this command but the result was the same. Do we have to add some attributes to the free tacacs server?

Hello @ElshanMammadli5597 

So the server might not be configured to grant the appropriate privileges or command authorizations...

Ensure that the TACACS+ server is configured to assign the appropriate privilege level (e.g., level 15) when users log in. This is typically done using the priv-lvl attribute.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

You are right, for all users coming from the external tacacs server a user role (admin, operator etc.) must be defined. But I have tried several ways and the result is unsuccessful.

To add priv_level for users coming from tacacs we have to change the aaa default taskgroup.
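As an added example (not from any post in this thread, and not the poster's actual server config), here is what the two points raised above look like in a tac_plus-style server config: the priv-lvl attribute from the accepted answer, and an IOS XR task attribute that supplies the user role the OP mentions. The user name, group name, password hash and task group are assumed values, and the router-side fallback at the end is the aaa default-taskgroup alternative the OP refers to.

```conf
# tac_plus.conf (assumed layout, constructed for this example)
# Shared secret must match the router's "tacacs-server host ... key" line
key = "REPLACE_WITH_SHARED_SECRET"

group = xr-admins {
    # Answers the per-command authorization requests the router sends once
    # "aaa authorization commands 15 tacauthen group tacgrp local" is applied
    default service = permit
    service = exec {
        # Privilege level returned at login (the attribute the accepted answer names)
        priv-lvl = 15
        # IOS XR role: task="<perms>:<taskid>,...,#<taskgroup>"; assumed example value.
        # Without some task attribute the user gets no task permissions and sees
        # "% This command is not authorized" even though login succeeds.
        task = "#root-system"
    }
}

user = netops {
    # Constructed hash; generate a real one with tac_pwd
    login = des "XXXXXXXXXXXXX"
    member = xr-admins
}

# Router-side alternative on the NCS 540 (IOS XR): apply one task group to
# every TACACS+ user that arrives without a task attribute from the server
#   aaa default-taskgroup root-system
```

Assigning root-system is the broadest choice; in practice map operator accounts to a narrower task group and keep root-system for the few accounts that need it.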
