05-27-2018 02:22 AM - edited 03-05-2019 10:30 AM
Hi
We are trying to make the management access authentication method TACACS only, with local usernames as a standby option if the switch fails to reach the TACACS server, but we can see that the local username method is working even when the TACACS server is available and working fine. Kindly find the configuration commands below.
switch PID: WS-C3850-24P
Version: 03.03.03SE
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+
aaa authentication dot1x default group radius
aaa authorization console
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
tacacs-server host 10.1.80.61 key aruba123
radius-server host 10.1.80.61 key aruba123
!
!
!
!
line con 0
authorization commands 15 quadmin
stopbits 1
line aux 0
stopbits 1
line vty 0 4
transport input all
line vty 5 15
COMP-GF-C02-AS2#show tacacs
Tacacs+ Server - public :
Server address: 10.1.80.61
Server port: 49
Socket opens: 105
Socket closes: 105
Socket aborts: 0
Socket errors: 0
Socket Timeouts: 0
Failed Connect Attempts: 0
Total Packets Sent: 133
Total Packets Recv: 133
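The behaviour the post is asking about comes down to how IOS walks a method list such as `aaa authentication login default group tacacs+ local`: methods are tried in order, and the next one is consulted only when the current one returns ERROR (server unreachable, timeout, server marked dead, or a reply the switch cannot use). A PASS or a FAIL from tacacs+ ends the list, so a TACACS+ reject never falls back to local; local credentials being accepted means the switch is treating the server's answers as errors. The simulator below is an added example, not code from this thread or from Cisco; the usernames, passwords and server states are constructed, the TACACS+ authorization model (server grants whatever user it knows) is a simplification, and dead-timers and `aaa authorization console` are not modelled.

```python
"""Simulate how Cisco IOS evaluates the AAA method lists from the post.

Added example, not code from the thread or from Cisco. Rule modelled:
only ERROR advances to the next method; PASS or FAIL ends the list;
if every method errors, the request fails.
"""
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Result(Enum):
    PASS = "pass"
    FAIL = "fail"
    ERROR = "error"


# A method receives (user, password, session_already_authenticated).
Method = Callable[[str, str, bool], Result]
MethodList = List[Tuple[str, Method]]

# Constructed local database (`username ... secret ...` on the switch).
LOCAL_USERS: Dict[str, str] = {"localadmin": "local-pw"}
# Constructed user database held by the TACACS+ server.
TACACS_USERS: Dict[str, str] = {"netops": "tacacs-pw"}


def local_method(user: str, password: str, _authenticated: bool) -> Result:
    """`local`: answers PASS or FAIL from the switch's own database; never ERROR."""
    return Result.PASS if LOCAL_USERS.get(user) == password else Result.FAIL


def tacacs_authn(server_state: str) -> Method:
    """`group tacacs+` for authentication. server_state is 'up', 'unreachable'
    (no TCP/49 or timeout) or 'broken' (reachable, but the reply is treated
    as an error by the switch). Anything but 'up' yields ERROR."""
    def method(user: str, password: str, _authenticated: bool) -> Result:
        if server_state != "up":
            return Result.ERROR
        return Result.PASS if TACACS_USERS.get(user) == password else Result.FAIL
    return method


def tacacs_authz(server_state: str) -> Method:
    """`group tacacs+` for authorization (simplified: grants any user the server knows)."""
    def method(user: str, _password: str, _authenticated: bool) -> Result:
        if server_state != "up":
            return Result.ERROR
        return Result.PASS if user in TACACS_USERS else Result.FAIL
    return method


def if_authenticated_method(_user: str, _password: str, authenticated: bool) -> Result:
    """`if-authenticated`: PASS only when the session already authenticated."""
    return Result.PASS if authenticated else Result.FAIL


def none_method(_user: str, _password: str, _authenticated: bool) -> Result:
    """`none`: no authorization at all, always PASS."""
    return Result.PASS


def run_method_list(methods: MethodList, user: str, password: str,
                    authenticated: bool = False) -> Tuple[Result, str]:
    """Return (final result, name of the method that decided it)."""
    for name, method in methods:
        result = method(user, password, authenticated)
        if result is not Result.ERROR:      # PASS or FAIL terminates the list
            return result, name
    return Result.FAIL, "all-methods-errored"  # every method errored


def login_list(state: str) -> MethodList:
    """`aaa authentication login default group tacacs+ local`"""
    return [("tacacs+", tacacs_authn(state)), ("local", local_method)]


def commands0_list(state: str) -> MethodList:
    """`aaa authorization commands 0 default group tacacs+ none`"""
    return [("tacacs+", tacacs_authz(state)), ("none", none_method)]


def commands1_list(state: str) -> MethodList:
    """`aaa authorization commands 1 default group tacacs+ if-authenticated`"""
    return [("tacacs+", tacacs_authz(state)), ("if-authenticated", if_authenticated_method)]


def scenarios() -> Dict[str, Tuple[Result, str]]:
    """Constructed login attempts against the lists above."""
    return {
        # Healthy server: tacacs+ decides, local is never consulted.
        "up/tacacs-user": run_method_list(login_list("up"), "netops", "tacacs-pw"),
        # Healthy server rejects a local-only user: FAIL ends the list, no fallback.
        "up/local-user": run_method_list(login_list("up"), "localadmin", "local-pw"),
        # Server down: ERROR advances to local and local credentials work.
        "unreachable/local-user": run_method_list(login_list("unreachable"), "localadmin", "local-pw"),
        # Server reachable but answering unusably: same outcome as down.
        "broken/local-user": run_method_list(login_list("broken"), "localadmin", "local-pw"),
        # Broken server and a server-only user: tacacs+ errors, local fails.
        "broken/tacacs-user": run_method_list(login_list("broken"), "netops", "tacacs-pw"),
        # Authorization lists while the server is down.
        "unreachable/commands0": run_method_list(commands0_list("unreachable"), "localadmin", "", True),
        "unreachable/commands1/authn": run_method_list(commands1_list("unreachable"), "localadmin", "", True),
        "unreachable/commands1/no-authn": run_method_list(commands1_list("unreachable"), "localadmin", "", False),
    }


if __name__ == "__main__":
    for label, (result, decided_by) in scenarios().items():
        print(f"{label:34} -> {result.value:5} (decided by {decided_by})")
```

Read against the post: the `show tacacs` output shows every socket open succeeding and no timeouts, so the "unreachable" case does not fit, while the "broken" case (server reachable, replies unusable) does, which is consistent with the thread's conclusion that the server itself had a problem. Also worth noticing from the simulation: with `commands 0 default group tacacs+ none`, a dead or broken server means level-0 commands are authorized with no check at all. To see which of PASS, FAIL or ERROR tacacs+ actually returned on the switch, run `debug aaa authentication` and `debug tacacs` during a login attempt.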
05-27-2018 02:50 AM
Under the vty lines you can add
login authentication default
05-27-2018 02:57 AM
Applied, but it is still not solving the issue, and I can't see the command in the running-config!
COMP-GF-C02-AS2(config)#li
COMP-GF-C02-AS2(config)#line vty 0 4
COMP-GF-C02-AS2(config-line)#login auth
COMP-GF-C02-AS2(config-line)#login authentication def
COMP-GF-C02-AS2(config-line)#login authentication default
COMP-GF-C02-AS2(config-line)#do sh run | b line vty 0 4
line vty 0 4
transport input all
line vty 5 15
!
05-27-2018 03:05 AM
I see you are actually using the default method list, so that will be used without the command having to be added. This is why it most likely doesn't show.
I would remove the following from the vty line
authorization commands 15 quadmin
05-27-2018 03:14 AM
May also be worth running aaa and tacacs debugs during a login attempt.

05-27-2018 03:22 AM
Hello,
your vty lines are missing some things:
line vty 0 4
exec-timeout 15 0
password cisco
authorization exec default
accounting exec default
login authentication default
transport input all
05-27-2018 03:58 AM
Thanks everyone for your support. The configuration was correct and there was an issue with the TACACS server, and now it's working fine.
