09-06-2022 02:51 PM - edited 09-06-2022 02:52 PM
Folks:
We have the two groups of commands below. What is the function of the red-highlighted commands in the CLI of a C9300 switch? Can we delete them?
In some GUI configs we can use group ABC as the ISE or TACACS group for backup, but now it's a 9300 switch. Thanks
aaa group server tacacs+ ABC
 server name ise-1
 server name ise-2
tacacs server ise-1
 address ipv4 10.1.1.1
 key xxxx
tacacs server ise-2
 address ipv4 10.1.1.2
 key xxxx
09-06-2022 03:11 PM
I see one group with two servers, not two groups!!
09-06-2022 07:36 PM
What I mean is: can the commands below be deleted from the switch? I think they can be removed so that the servers can be used directly; otherwise the switch uses ABC as the TACACS server.
aaa group server tacacs+ ABC
 server name ise-1
 server name ise-2
09-06-2022 11:54 PM - edited 09-07-2022 07:41 AM
@interfacedy do you have an AAA method list referencing the TACACS group ABC that is in use? If not, then you can delete the group.
Run "show aaa" to confirm what method lists have been defined, you may well just be using "default".
09-07-2022 01:58 AM - edited 09-07-2022 01:58 AM
There are two "group" keywords:
one to use a group of servers, and the other to specify all servers.
09-07-2022 07:38 AM
You are right, so the commands below should be one set of commands, but no command can be deleted, right?
aaa authentication login default group ABC local
aaa group server tacacs+ ABC
 server name ise-1
 server name ise-2
tacacs server ise-1
 address ipv4 10.1.1.1
 key xxxx
tacacs server ise-2
 address ipv4 10.1.1.2
 key xxxx
09-07-2022 07:46 AM
@Leftz so the TACACS group ABC is in use, which means only those 2 specific TACACS servers in that group will be used for authentication. If you had other TACACS servers they would not be used for authentication.
You could rewrite that aaa authentication rule and use "group tacacs+" instead of "group ABC".
Why do you want to delete the ABC group though?
09-07-2022 07:55 AM - edited 09-07-2022 08:10 AM
@Rob Ingram I do not want to delete the group, instead I just need to understand it.
So, if using "aaa authentication login LOGIN local" in config mode and "login authentication LOGIN" under line vty, would the switch use any defined TACACS server? But I feel that method list does not associate with any TACACS server.
As you mentioned above, "use "group tacacs+" instead of "group ABC"."
Is there any difference between "group tacacs+" and "group ABC"? If using "group tacacs+", how can it associate with server group ABC? Thanks
09-07-2022 08:08 AM
Friend, say you have for example 4 servers.
You configure two in group A and the other two in group B.
If you configure group A,
then only those two servers will be checked.
If you configure group tacacs+,
then all servers will be checked.
09-07-2022 08:24 AM - edited 09-07-2022 08:25 AM
@Leftz using "aaa authentication login LOGIN local" would mean you log in using local authentication, not TACACS.
LOGIN = the method list name
local = a local user account on the router/switch.
To use TACACS under the vty lines:
aaa authentication login ISE-MLIST group ABC local
!
line vty 0 4
 login authentication ISE-MLIST
UPDATE - Sorry, I misunderstood your initial request; I thought you wanted to delete the TACACS group ABC. You can use "group tacacs+" or "group ABC".
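The difference between "group ABC" and "group tacacs+" discussed in the posts above, and the earlier "is any method list referencing the group?" check, as an added example (this is not code from the thread or from Cisco). It parses the thread's two-server config plus a constructed third server, "legacy-acs" at 10.1.1.3, which is a hypothetical name and address added only to show that the built-in tacacs+ group reaches servers a named group does not. Server order within a group is modelled as configuration order, which is an assumption of this model:

```python
"""Added example: model how an IOS-XE AAA login method list maps onto TACACS+ servers.

Parses the relevant lines of a running-config (the two servers from the thread
plus a constructed third server that is NOT in group ABC), then answers two
questions raised in the thread:
  * which servers does "group ABC" reach, versus "group tacacs+"?
  * is group ABC still referenced by a method list, i.e. is it safe to delete?
"""
import re
from dataclasses import dataclass, field

# Constructed sample config. ise-1/ise-2 and group ABC come from the thread;
# "legacy-acs" at 10.1.1.3 is a hypothetical extra server added to show the
# difference between a named group and the built-in "tacacs+" group.
SAMPLE_CONFIG = """\
aaa new-model
aaa group server tacacs+ ABC
 server name ise-1
 server name ise-2
aaa authentication login default group ABC local
aaa authentication login ALL-TACACS group tacacs+ local
tacacs server ise-1
 address ipv4 10.1.1.1
 key xxxx
tacacs server ise-2
 address ipv4 10.1.1.2
 key xxxx
tacacs server legacy-acs
 address ipv4 10.1.1.3
 key xxxx
"""


@dataclass
class AaaConfig:
    servers: dict = field(default_factory=dict)      # tacacs server name -> ipv4 address
    groups: dict = field(default_factory=dict)       # group name -> [server names, in order]
    login_lists: dict = field(default_factory=dict)  # method list name -> [(method, arg)]


def tokenize_methods(text):
    """'group ABC local' -> [('group', 'ABC'), ('local', None)]"""
    toks = text.split()
    methods, i = [], 0
    while i < len(toks):
        if toks[i] == "group":
            methods.append(("group", toks[i + 1]))
            i += 2
        else:
            methods.append((toks[i], None))
            i += 1
    return methods


def parse_config(text):
    cfg = AaaConfig()
    block = None  # ('group', name) or ('server', name) while inside an indented sub-mode
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith(" ") and block is not None:
            kind, name = block
            parts = line.split()
            if kind == "group" and parts[:2] == ["server", "name"]:
                cfg.groups[name].append(parts[2])
            elif kind == "server" and parts[:2] == ["address", "ipv4"]:
                cfg.servers[name] = parts[2]
            continue  # 'key xxxx' and other sub-commands are irrelevant here
        block = None
        if m := re.fullmatch(r"aaa group server tacacs\+ (\S+)", line):
            cfg.groups.setdefault(m.group(1), [])
            block = ("group", m.group(1))
        elif m := re.fullmatch(r"tacacs server (\S+)", line):
            cfg.servers.setdefault(m.group(1), None)  # insertion order = config order
            block = ("server", m.group(1))
        elif m := re.fullmatch(r"aaa authentication login (\S+) (.+)", line):
            cfg.login_lists[m.group(1)] = tokenize_methods(m.group(2))
    return cfg


def servers_for_method(cfg, method):
    """Ordered (name, ip) list one method consults; [] for non-group methods such as local."""
    kind, arg = method
    if kind != "group":
        return []
    if arg == "tacacs+":
        # Built-in group: every 'tacacs server' on the box (order assumed = config order).
        return list(cfg.servers.items())
    if arg not in cfg.groups:
        raise KeyError(f"method list references undefined server group {arg!r}")
    return [(n, cfg.servers.get(n)) for n in cfg.groups[arg]]


def resolve_login_list(cfg, list_name):
    """[(method label, [servers])] in the order IOS will try the methods."""
    out = []
    for kind, arg in cfg.login_lists[list_name]:
        label = f"group {arg}" if kind == "group" else kind
        out.append((label, servers_for_method(cfg, (kind, arg))))
    return out


def unreferenced_groups(cfg):
    """Named groups no 'aaa authentication login' list points at (authorization and
    accounting lists would need the same check before deleting a group for real)."""
    used = {arg for methods in cfg.login_lists.values() for kind, arg in methods if kind == "group"}
    return [g for g in cfg.groups if g not in used]


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for name in cfg.login_lists:
        print(name, "->", resolve_login_list(cfg, name))
    print("groups safe to delete:", unreferenced_groups(cfg))
```

Running it shows "default" reaching only ise-1 and ise-2 (then local), while "ALL-TACACS" also reaches legacy-acs; removing the "default" line from the sample makes ABC show up as unreferenced, and a method list that names a group which no longer exists raises KeyError, which is the state a box ends up in if the group is deleted while a list still points at it.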
09-07-2022 08:23 AM
Yes, I got it, thanks. The command below can be used to associate with the server group, right?
aaa authentication login default group ABC local
09-07-2022 08:30 AM
@Leftz that will use TACACS on the default method list, with local authentication if TACACS is down.
09-07-2022 08:56 AM - edited 09-07-2022 08:57 AM
Thanks for your reply. One more question: do we have a command to test or confirm that the configured AAA system works at the switch/router level?
09-07-2022 09:04 AM
@Leftz well, once you apply it to the VTY line, just open another session to the router/switch and log in to test.
09-07-2022 09:08 AM
No, you cannot, because you use a local username/password.
The switch will try to use the server, fail, and fail over to local.
Note: it is recommended not to use this way for the console.
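The failover behaviour described in the last two replies ("local authentication if TACACS is down" and "try the server, fail, and fail over to local"), as an added example that is not part of the thread. It simulates how IOS walks the method list "group ABC local": a server that does not answer is an error and the next server, then the next method, is tried, but a server that rejects the credentials ends the attempt, so the local account is never consulted while ISE is reachable. Server state, usernames and passwords are constructed for the example:

```python
"""Added example: simulate IOS-style method-list fallthrough for
'aaa authentication login default group ABC local'.

Encodes the distinction that matters operationally: a TACACS+ server that
answers REJECT ends the attempt (local is never consulted), while a server
that does not answer is an ERROR and the box moves on, first to the next
server in the group and then to the next method in the list.
"""
from enum import Enum


class Result(Enum):
    PASS = "pass"    # credentials accepted; stop
    FAIL = "fail"    # credentials rejected; stop, do not try further methods
    ERROR = "error"  # method could not answer; fall through to the next method


# Constructed server state and credentials (hypothetical users/passwords).
TACACS_SERVERS = {
    "ise-1": {"up": True, "users": {"netops": "Correct-Horse-1"}},
    "ise-2": {"up": True, "users": {"netops": "Correct-Horse-1"}},
}
GROUPS = {"ABC": ["ise-1", "ise-2"]}            # from the thread's 'aaa group server'
LOCAL_USERS = {"admin": "Local-Only-Pw"}        # hypothetical 'username admin ...'
DEFAULT_LIST = [("group", "ABC"), ("local", None)]


def try_group(group, user, password, servers):
    """Walk the group's servers in order; the first one that answers decides."""
    for name in GROUPS[group]:
        srv = servers[name]
        if not srv["up"]:
            continue  # no response from this server: try the next one
        return (Result.PASS if srv["users"].get(user) == password else Result.FAIL), name
    return Result.ERROR, None  # the whole group is unreachable


def try_local(user, password, local_users):
    return Result.PASS if local_users.get(user) == password else Result.FAIL


def authenticate(methods, user, password, servers=TACACS_SERVERS, local_users=LOCAL_USERS):
    """Returns (final Result, trace); trace lists every method that was consulted."""
    trace = []
    for kind, arg in methods:
        if kind == "group":
            result, who = try_group(arg, user, password, servers)
            trace.append((f"group {arg}" + (f" via {who}" if who else ""), result))
        elif kind == "local":
            result = try_local(user, password, local_users)
            trace.append(("local", result))
        else:
            raise ValueError(f"unsupported method {kind!r}")
        if result is not Result.ERROR:
            return result, trace  # PASS or FAIL is final; only ERROR falls through
    return Result.FAIL, trace  # every method errored: the login is denied


def with_servers_down(*names):
    """Copy of TACACS_SERVERS with the named servers made unreachable."""
    return {n: {**s, "up": s["up"] and n not in names} for n, s in TACACS_SERVERS.items()}


if __name__ == "__main__":
    # Wrong password with ISE up: rejected by ise-1, local never tried.
    print(authenticate(DEFAULT_LIST, "netops", "wrong"))
    # Local account while ISE is reachable: also rejected, local is not a backdoor.
    print(authenticate(DEFAULT_LIST, "admin", "Local-Only-Pw"))
    # ise-1 unreachable: ise-2 answers.
    print(authenticate(DEFAULT_LIST, "netops", "Correct-Horse-1", with_servers_down("ise-1")))
    # Both unreachable: group errors out, local account works.
    print(authenticate(DEFAULT_LIST, "admin", "Local-Only-Pw", with_servers_down("ise-1", "ise-2")))
```

The second run is the one to keep in mind when testing from a second session as suggested above: while ISE is up, a local username is rejected by the TACACS server, not passed through to the local database, so the local account only helps when the whole group is unreachable.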
