07-21-2015 02:51 PM
Hi,
Can anyone help me out? I configured TACACS on one switch and tested in that session as:
test aaa group TACACS1 <User ID> <RSA Key> legacy
It said the user was successfully authenticated, and then I did the write command on the switch; after that I lost access.
What exactly do I need to do now?
07-21-2015 05:00 PM
Hello,
With the "test aaa" command you are validating that client/server communication is working correctly for the defined aaa server group, but it does not validate that the AAA config used for VTY/Console authentication is ok.
Can you share the aaa config you applied on the switch, to see where the problem might be?
07-21-2015 06:25 PM
Hi Luis,
Thanks for the reply,
Tacacs Config:
aaa new-model
aaa authentication login default group Group1 line
aaa authentication login console local
aaa authentication login Radic local
aaa authentication login no_tacacs line
aaa authentication enable default group Group1 enable
aaa authentication ppp default if-needed group Group1
aaa authorization exec default group Group1 if-authenticated
aaa authorization exec no_tacacs none
aaa authorization commands 1 default group Group1 if-authenticated
aaa authorization commands 15 default group Group1 if-authenticated
aaa authorization network default group Group1 if-authenticated
aaa group server tacacs+ Group1
server-private <IP> key 0 <KEY>
server-private <IP> key 0 <KEY>
ip tacacs source-interface <vlan29>
07-21-2015 06:40 PM
Can you also show the VTY/Console line config?
Are you trying to connect via telnet/ssh or console, and what error is it presenting? Is it prompting for a username/password and saying that the authentication failed?
Regards,
Luis
07-22-2015 01:30 AM
07-22-2015 08:24 AM
Try checking the AAA server logs, to see if the attempts you're trying to make reach the server and what it is responding.
If you can't connect via SSH/Telnet or via Console, I think the other option you would have is via SNMP if you configured a read-write snmp community on the switch.
07-22-2015 09:17 AM
07-22-2015 10:37 AM
If you can connect via Console it would be the easiest way.
Were you able to check the logs in the AAA server?
07-24-2015 10:00 AM
Thank you, Luis. I revoked by Console and everything is OK. The device was not added properly into ACS.
07-24-2015 11:50 AM
On the ACS server, the logs are: possibly mismatched shared secrets.
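The following Python check is an added example, not part of the thread and not Cisco's code: it covers what "test aaa" does not, mapping each console/VTY line to its login method list and flagging fallback methods that cannot work. The AAA lines in the sample come from the config posted above; the username and line stanzas are assumptions, since the thread never shows them.

```python
import re

# Constructed sample: the AAA lines come from the config posted in the thread;
# the username and "line" stanzas are assumptions (the thread never shows them).
SAMPLE = """\
aaa new-model
aaa authentication login default group Group1 line
aaa authentication login console local
username admin secret <SECRET>
line con 0
 login authentication console
line vty 0 4
 transport input ssh
"""

def audit(config):
    """Map each line stanza to (method list, methods, warnings)."""
    lists, lines, has_user, cur = {}, {}, False, None
    for raw in config.splitlines():
        m = re.match(r"aaa authentication login (\S+) (.+)", raw)
        if m:
            lists[m.group(1)] = re.findall(r"group \S+|\S+", m.group(2))
        elif raw.startswith("username "):
            has_user = True
        elif raw.startswith("line "):
            cur = raw.strip()
            # With aaa new-model, a line without "login authentication" uses "default".
            lines[cur] = {"list": "default", "password": False}
        elif cur and raw.startswith(" "):
            body = raw.split()
            if body[:2] == ["login", "authentication"] and len(body) > 2:
                lines[cur]["list"] = body[2]
            elif body[:1] == ["password"]:
                lines[cur]["password"] = True
        else:
            cur = None
    report = {}
    for name, info in lines.items():
        methods = lists.get(info["list"], [])
        warn = []
        if "line" in methods and not info["password"]:
            warn.append("'line' method but no password set on this line")
        if "local" in methods and not has_user:
            warn.append("'local' method but no username configured")
        if all(x.startswith("group ") for x in methods):
            warn.append("no non-server fallback method")
        report[name] = (info["list"], methods, warn)
    return report
for name, (mlist, methods, warn) in audit(SAMPLE).items():
    print(name, "->", mlist, methods, warn or "ok")
```

Run it against the full saved config before "write": a VTY line that reports a warning will depend entirely on the TACACS+ server answering correctly.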