01-27-2016 06:18 AM
Peace, I copied a working configuration of tacacs from a 1921 router into a 2921 router but it is not working. It fails to authenticate from tacacs, and when I try to authenticate locally, the login just hangs and hogs a vty session.
Here is the configuration:
aaa group server tacacs+ RUP
aaa authentication login default group RUP local
aaa authentication login no_tacacs enable
aaa authentication enable default group RUP enable
aaa authorization console
aaa authorization exec default group RUP group RUP local
Then there are the command authorizations and accounting.
tacacs-server host 10.10.10.10 key 7 104D010A0617190E15
tacacs-server directed-request
On the old router, below the line
aaa group server tacacs+ RUP
there was
server 172.18.2.5
The tacacs server can be pinged from the router and the network device is defined on the tacacs server. Moreover, after entering
tacacs-server host 10.10.10.10 key 7 104D010A0617190E15
it says the command will soon be deprecated and to use
tacacs server WORD
instead. Anyone configured this before and knows?
01-27-2016 06:38 AM
Here's a working aaa for a router with the new-style config.
This is how it should be; just fill in your key, IP address and group name.
This will allow tacacs, and when tacacs is not working it will revert back to local username access.
************************************************************************
aaa group server tacacs+ xxxx
server-private 172.x.x.x key xxxxxxxxxx
ip tacacs source-interface vlanxxx
aaa authentication login default group xxxx local enable
aaa authentication enable default group xxxx enable
aaa authorization exec default group xxxx local
aaa accounting exec default start-stop group xxxx
aaa accounting commands 0 default start-stop group xxxx
aaa accounting commands 1 default start-stop group xxxx
aaa accounting commands 15 default start-stop group xxxx
aaa accounting network default start-stop group xxxx
aaa accounting connection default start-stop group xxxx
aaa accounting system default start-stop group xxxx
01-28-2016 06:17 AM
Thanks for the reply. The IP address is present in aaa; the problem was that the tacacs server did not have the IP of the tunnel interface added to the router. sh tcp... revealed the problem: there was a session that timed out with the mentioned address.
01-28-2016 06:27 AM
Ah good, at least it's sorted :)
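The points raised in this thread (a server group with no server line, the deprecated `tacacs-server host` form, and a source address the TACACS+ server does not know) can be checked before a copied configuration is deployed. The following Python lint is an added example, not code from any poster or from Cisco; the function name `lint_tacacs`, the finding codes, the interface `Loopback0` and the address 192.0.2.10 are assumptions made for illustration.

```python
import re

# Constructed samples: BROKEN mirrors the first post (key elided), FIXED the
# new-style layout from the reply, with documentation address 192.0.2.10.
BROKEN = """aaa group server tacacs+ RUP
aaa authentication login default group RUP local
aaa authentication enable default group RUP enable
aaa authorization exec default group RUP group RUP local
tacacs-server host 10.10.10.10 key 7 <elided>
"""
FIXED = """aaa group server tacacs+ RUP
 server-private 192.0.2.10 key <elided>
 ip tacacs source-interface Loopback0
aaa authentication login default group RUP local enable
aaa authorization exec default group RUP local
"""
BUILTIN = {"tacacs+", "radius"}  # predefined IOS group names

def lint_tacacs(config):
    """Return finding codes for the TACACS+ parts of an IOS config."""
    groups, referenced = {}, set()
    source_pinned = legacy_host = False
    current = None  # server group whose sub-commands are being read
    for line in (raw.strip() for raw in config.splitlines()):
        m = re.match(r"aaa group server tacacs\+ (\S+)$", line)
        if m:
            current = m.group(1)
            groups.setdefault(current, [])
        elif line.startswith("ip tacacs source-interface "):
            source_pinned = True
        elif current and re.match(r"server(-private)? ", line):
            groups[current].append(line)
        else:
            current = None
            if re.match(r"aaa (authentication|authorization|accounting) ", line):
                referenced.update(re.findall(r"\bgroup (\S+)", line))
            elif line.startswith("tacacs-server host "):
                legacy_host = True
    findings = [f"empty-group:{g}" for g, s in sorted(groups.items()) if not s]
    findings += [f"undefined-group:{g}"
                 for g in sorted(referenced - set(groups) - BUILTIN)]
    if not source_pinned:
        # Source IP then follows the egress interface (a tunnel in this thread)
        # and must match the client address defined on the TACACS+ server.
        findings.append("no-source-interface")
    if legacy_host:
        findings.append("legacy-tacacs-server-host")
    return findings

if __name__ == "__main__":
    print("broken:", lint_tacacs(BROKEN))
    print("fixed: ", lint_tacacs(FIXED))
```

A clean result only means the configuration is internally consistent; the router's source address still has to be registered as a client on the TACACS+ server.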