problem with tacacs+ on cisco router 2921

Majed Zouhairy
Level 1

Peace, I copied a working configuration of tacacs from a 1921 router into a 2921 router but it is not working. It fails to authenticate from tacacs and when I try to authenticate locally, the login just hangs and hogs a vty session.

here is the configuration:

aaa group server tacacs+ RUP

aaa authentication login default group RUP local
aaa authentication login no_tacacs enable
aaa authentication enable default group RUP enable
aaa authorization console
aaa authorization exec default group RUP group RUP local

then there are the command authorizations and accounting.

tacacs-server host 10.10.10.10 key 7 104D010A0617190E15
tacacs-server directed-request

on the old router, below the line

aaa group server tacacs+ RUP

there was

   server 172.18.2.5

The tacacs server can be pinged from the router and the network device is defined on the tacacs server. Moreover, after entering

tacacs-server host 10.10.10.10 key 7 104D010A0617190E15

it says the command will soon be deprecated and to use

tacacs server  WORD

instead. Has anyone configured this before and knows?

3 Replies

Mark Malone
VIP Alumni

Here's a working aaa for a router with new style config.

This is how it should be; just fill in your key, IP address and group name.

This will allow tacacs, and when tacacs is not working it will revert back to local username access.

************************************************************************

aaa group server tacacs+ xxxx
server-private 172.x.x.x  key xxxxxxxxxx
ip tacacs source-interface vlanxxx
               
aaa authentication login default group xxxx local enable
aaa authentication enable default group xxxx enable
aaa authorization exec default group xxxx local
aaa accounting exec default start-stop group xxxx
aaa accounting commands 0 default start-stop group xxxx
aaa accounting commands 1 default start-stop group xxxx
aaa accounting commands 15 default start-stop group xxxx
aaa accounting network default start-stop group xxxx
aaa accounting connection default start-stop group xxxx
aaa accounting system default start-stop group xxxx

Thanks for the reply, the IP address is present in aaa, the problem was that the tacacs server did not have the IP of the tunnel interface added to the router. sh tcp... revealed the problem, there was a session that timed out with the mentioned address.

Ah good, at least it's sorted :)
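
An added example, not written by anyone in this thread: a small Python check for the two conditions the thread turned on, a TACACS+ server group with no server line under it and no pinned `ip tacacs source-interface` (so the address the TACACS+ server sees depends on the egress interface, here the tunnel). The sample configs, the names `TAC1` and `Loopback0`, the 192.0.2.10 address and the key are constructed placeholders.

```python
import re

BUILTIN_GROUPS = {"tacacs+", "radius"}  # IOS built-in server-group names

def audit_tacacs(config):
    """Return sorted findings for the TACACS+/AAA lines of an IOS config."""
    groups, referenced, findings = {}, set(), []
    current, pinned_source = None, False
    for line in (l.strip() for l in config.splitlines()):
        if not line:
            continue  # blank lines in a pasted config do not end a sub-mode
        if line.startswith("ip tacacs source-interface "):
            pinned_source = True  # accepted globally or inside the group
            continue
        m = re.match(r"aaa group server tacacs\+ (\S+)$", line)
        if m:
            current = m.group(1)
            groups.setdefault(current, [])
            continue
        if current and re.match(r"server(-private)? \S+", line):
            groups[current].append(line)  # server, server name, server-private
            continue
        current = None  # any other command closes the group sub-mode
        if line.startswith("aaa "):
            referenced.update(re.findall(r"\bgroup (\S+)", line))
    findings += [f"group {g}: no server entries" for g, s in groups.items() if not s]
    findings += [f"group {g}: referenced but not defined"
                 for g in referenced - set(groups) - BUILTIN_GROUPS]
    if groups and not pinned_source:
        findings.append("no ip tacacs source-interface: source IP follows the egress interface")
    return sorted(findings)

# Constructed samples: the first mirrors the question's empty group, the second
# uses the newer "tacacs server" syntax. Names, addresses and keys are made up.
QUESTION_STYLE = """
aaa group server tacacs+ RUP

aaa authentication login default group RUP local
tacacs-server host 192.0.2.10 key EXAMPLE-KEY
"""
NEW_STYLE = """
tacacs server TAC1
 address ipv4 192.0.2.10
 key EXAMPLE-KEY
aaa group server tacacs+ RUP
 server name TAC1
 ip tacacs source-interface Loopback0
aaa authentication login default group RUP local
"""
```

`audit_tacacs(QUESTION_STYLE)` reports the empty group and the unpinned source address; `audit_tacacs(NEW_STYLE)` returns an empty list.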