the new Tacacs+ for Switches

Bobby Roberts
Level 1

I just upgraded my IOS to the latest, but now the way I was inputting my Tacacs+ info is not working.

conf t
!
enable secret *****
username admin privilege 15 password 0 *******
!
aaa new-model
!
aaa authentication login default group tacacs+ enable local
!
aaa authentication enable default group tacacs+ enable
!
!
tacacs-server host *.*.*.* key *******
!
line con 0
 login authentication default
!
line vty 0 4
 login authentication default
!
line vty 5 15
 login authentication default
!
!
end

But now it looks as if I need to set this up a bit differently. Has anyone set it up the new way? Any pointers?

7 Replies

Nicolas Darchis
Cisco Employee

I know that you need to define the tacacs server a different way.

Tacacs server host (hit enter here)

Then you define the server ipv4/ipv6 address and credentials.

Nico

Hello,

I do have the same problem with the TACACS+ authentication after upgrading the IOS on my Catalyst C2960G.

It says that the command "tacacs-server host" will be deprecated soon. I tried to reconfigure my startup-config according to this link: http://slaptijack.com/networking/new-style-tacacs-configuration/

Although my switch is accepting the new command, a warning message occurs after rebooting it:

%AAAA-4-NOSERVER: Warning: Server acs1.teas.bessy.de is not defined.

Here is an excerpt of my config:

---------------------------------------------------------------------------------
aaa new-model
!
!
aaa group server tacacs+ tac_admin
 server name acs1
!
aaa authentication login default group tac_admin local
aaa authorization exec default group tac_admin local
!
tacacs server acs1
 address ipv4 192.168.246.69
 key 7 #############
---------------------------------------------------------------------------------

I don't know how to solve the problem.

Can anybody help?

André

Usually I update once I've found the fix. Or in other words, I got it to work running this.

CONF T
aaa new-model
tacacs server tacacs
 address ipv4 *.*.*.*
 key
 exit
aaa authentication login default group tacacs+ enable local
aaa authentication login console group tacacs+ enable local
aaa authentication enable default group tacacs+ enable

But this didn't work right away; I actually had to NO out the previous

tacacs-server IP ADDRESS PORT KEY

that was left from the old IOS. Once I NO'd out that, it worked like a charm.

@Bobby Roberts,

thank you for your reply.

I'd already exchanged the old  "tacacs-server IP ADDRESS PORT KEY" command with the new one like on the example given on this page: http://slaptijack.com/networking/new-style-tacacs-configuration/

So there isn't an old command left. Maybe there is something wrong in my config but I couldn't find any configuration example from Cisco.

Can't anybody help?

andrestruwe
Level 1

Although the warning message:

%AAAA-4-NOSERVER: Warning: Server acs1.teas.bessy.de is not defined.

still appears while rebooting, the tacacs+ authentication works.

Andre - Can you e-mail me your whole config? I'll paste it on a switch here and see where the problem is. Bobby@Bobby4Hire.com

Hello Bobby,

I am sorry but I can't send you the whole config because it is a configuration of my company and the necessary part is this one:

aaa new-model
!
!
aaa group server tacacs+ tac_admin
 server name acs1
!
aaa authentication login default group tac_admin local
aaa authorization exec default group tac_admin local
!
tacacs server acs1
 address ipv4 192.168.246.69
 key 7 #############

Despite this, thanks for your help.
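An added example, not part of the thread and not Cisco tooling: a small Python audit of a saved config for the two migration problems discussed above, a leftover legacy "tacacs-server host" line and a "server name" reference with no matching "tacacs server" block. The sample config, addresses and key are constructed, and the parser only understands the commands shown in this thread.

```python
import re

LEGACY = re.compile(r"^tacacs-server\s+host\b", re.I)
GROUP = re.compile(r"^aaa group server tacacs\+\s+(\S+)", re.I)
SERVER = re.compile(r"^tacacs server\s+(\S+)", re.I)
SUB = {"group": re.compile(r"^server name\s+(\S+)", re.I),   # inside a group
       "server": re.compile(r"^(address|key)\s+\S", re.I)}   # inside a server
# Constructed sample: a legacy line left behind, and acs2 never defined.
SAMPLE = """\
aaa group server tacacs+ tac_admin
 server name acs1
 server name acs2
!
tacacs-server host 192.0.2.10 key EXAMPLE
tacacs server acs1
 address ipv4 192.0.2.10
 key EXAMPLE
"""

def audit_tacacs(config):
    """Return findings for an IOS config; key values are never echoed."""
    findings, defined, referenced, ctx = [], {}, [], None
    for num, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        group, server = GROUP.match(line), SERVER.match(line)
        sub = ctx and SUB[ctx[0]].match(line)
        if LEGACY.match(line):
            findings.append(f"line {num}: legacy 'tacacs-server host' entry still present")
            ctx = None
        elif group:
            ctx = ("group", group.group(1))
        elif server:
            ctx = ("server", server.group(1))
            defined.setdefault(ctx[1], set())
        elif sub and ctx[0] == "group":
            referenced.append((ctx[1], sub.group(1)))
        elif sub:
            defined[ctx[1]].add(sub.group(1).lower())
        elif line and (line == "!" or not raw[:1].isspace()):
            ctx = None  # "!" or an unrelated top-level command ends the block
    findings += [f"group {g}: 'server name {n}' has no 'tacacs server {n}' block"
                 for g, n in referenced if n not in defined]
    for name, subs in defined.items():
        findings += [f"tacacs server {name}: no {need} configured"
                     for need in ("address", "key") if need not in subs]
    return findings

if __name__ == "__main__":
    print("\n".join(audit_tacacs(SAMPLE)))
```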
