12-07-2021 07:24 AM
Hi Team
When I try logging into my Cisco switch (2960), it does not prompt me for the TACACS password. It prompts me for the localadmin password. I have tried comparing the "sho run" config with 2 different 2960 switches and haven't come up with anything. The configs are shown below:
aaa group server tacacs+ TAC_GROUP_1
server name TACACS_1
server name TACACS_2
tacacs server TACACS_1
address ipv4 xxxxxxxxxx
key 7 xxxxxxxxxxxxxx
timeout 3
tacacs server TACACS_2
address ipv4 xxxxxxxxxxx
key 7 xxxxxxxxxxxx
timeout 3
tacacs-server directed-request
aaa authentication login default group TAC_GROUP_1 local
aaa authentication enable default group TAC_GROUP_1 enable
aaa authentication dot1x default group RADGRP_1
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group TAC_GROUP_1 if-authenticated
aaa authorization commands 15 default group TAC_GROUP_1 if-authenticated
aaa authorization network default group RADGRP_1
aaa accounting dot1x default start-stop group RADGRP_1
aaa accounting exec default start-stop group TAC_GROUP_1
aaa accounting commands 1 default start-stop group TAC_GROUP_1
aaa accounting commands 15 default start-stop group TAC_GROUP_1
aaa accounting system default start-stop group RADGRP_1
12-07-2021 08:42 AM
There are several things that might cause this. Here are a few of them which you can evaluate:
- IP connectivity between your switch and the Tacacs server. Can your switch ping the IP addresses of the Tacacs servers? The bit of config that you posted does not indicate any configuration for Tacacs source address. If your config does specify Tacacs source address then source the ping from that address.
- are the Tacacs servers correctly configured with your switch as a client?
- do the Tacacs servers recognize a request from your switch? Check the logs of the Tacacs servers for any mention of your switch. If there are log entries what do that indicate about how the server reacted to it?
- check the output of the command
show tacacs
on your switch. What does it say about the status of the Tacacs servers?
- on the switch turn on debug for aaa authentication and for tacacs. Attempt a login and see what is in the debug output.
12-09-2021 06:05 AM
Hi Team
Thanks for your reply. Here is the output from sho log after doing a debug aaa authentication and debug tacacs
Dec 9 13:37:55: %SEC-6-IPACCESSLOGNP: list 99 permitted 0 138.xxx.xxx.xxx -> 0.0.0.0, 2 packets
Dec 9 14:00:36: %SYS-6-LOGOUT: User localadmin has exited tty session 1(138. xxx.xxx.xxx)
Dec 9 14:00:55: %SEC-6-IPACCESSLOGNP: list 99 permitted 0 138.xxx-> 0.0.0.0, 2 packets
Dec 9 14:00:55: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: localadmin] [Source: 138.xxx] [localport: 22] at 14:00:55 utc Thu Dec 9 2021
Dec 9 14:01:09: %SYS-5-PRIV_AUTH_PASS: Privilege level set to 15 by localadmin on vty0 (138.xxxx)
Dec 9 14:01:09: %PARSER-5-CFGLOG_LOGGEDCMD: User:localadmin logged command:!exec: enable
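The log above shows only local-account events and nothing from the tacacs debug. As an added example (not code from any poster in this thread), the following Python script scans a block of IOS syslog output for `%SEC_LOGIN-5-LOGIN_SUCCESS` lines whose user is a known local fallback account, and separately reports whether any TACACS debug output appeared at all. The sample log lines are constructed to match the ones posted above (with a second, non-local login added); the set of local account names and the `TAC+`/`TPLUS` debug prefixes it looks for are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the 'show log' lines in the post above
# (addresses redacted there; a second non-local login added for contrast).
SAMPLE_LOG = """\
Dec 9 13:37:55: %SEC-6-IPACCESSLOGNP: list 99 permitted 0 138.xxx.xxx.xxx -> 0.0.0.0, 2 packets
Dec 9 14:00:36: %SYS-6-LOGOUT: User localadmin has exited tty session 1(138.xxx.xxx.xxx)
Dec 9 14:00:55: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: localadmin] [Source: 138.xxx] [localport: 22] at 14:00:55 utc Thu Dec 9 2021
Dec 9 14:01:09: %SYS-5-PRIV_AUTH_PASS: Privilege level set to 15 by localadmin on vty0 (138.xxxx)
Dec 9 14:05:12: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: jsmith] [Source: 10.0.0.5] [localport: 22] at 14:05:12 utc Thu Dec 9 2021
"""

# Assumption: these are the switch's local fallback accounts, i.e. logins that
# should only succeed when the 'local' method in 'aaa authentication login' is reached.
LOCAL_ACCOUNTS = {"localadmin"}

# Assumption: prefixes that IOS 'debug tacacs' output carries.
TACACS_DEBUG_MARKERS = ("TAC+", "TPLUS")

LOGIN_RE = re.compile(
    r"%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success "
    r"\[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[^\]]+)\]"
)


@dataclass
class Finding:
    user: str
    source: str
    line: str


def find_local_fallback_logins(log_text, local_accounts=LOCAL_ACCOUNTS):
    """Return every successful login that used a local fallback account."""
    findings = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m and m.group("user") in local_accounts:
            findings.append(Finding(m.group("user"), m.group("src"), line))
    return findings


def saw_tacacs_debug(log_text, markers=TACACS_DEBUG_MARKERS):
    """True if any line looks like TACACS debug output; False means the
    switch never logged a TACACS exchange while the debug was on."""
    return any(any(mk in line for mk in markers) for line in log_text.splitlines())


if __name__ == "__main__":
    for f in find_local_fallback_logins(SAMPLE_LOG):
        print(f"local fallback login: user={f.user} from {f.source}")
    if not saw_tacacs_debug(SAMPLE_LOG):
        print("no TACACS debug lines seen: AAA may never have sent a request")
```

Run over a real `show log` capture, a hit from `find_local_fallback_logins` combined with a `False` from `saw_tacacs_debug` is exactly the situation in this thread: the login completed against the local method without any visible TACACS exchange, so the next place to look is the server side (reachability, client registration, server logs).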
12-07-2021 02:31 PM
Adding to another post.
If you fall back to the local account, it means either the device is not able to reach TACACS, or the device IP is not added to TACACS.
Are you able to ping from the switch to the TACACS server, a basic step for testing?
Second, I agree with @Richard Burts' suggestion: show tacacs shows you established connections and attempts.
12-09-2021 05:24 AM
Hi Balaji
I appreciate the feedback.
-Yes, I was able to ping from the switch to the TACACS server successfully
-See below the output from "sho tacacs"
sho tacacs
Tacacs+ Server - public :
Server name: TACACS_1
Server address: xxxx
Server port: 49
Socket opens: 569
Socket closes: 569
Socket aborts: 0
Socket errors: 0
Socket Timeouts: 0
Failed Connect Attempts: 0
Total Packets Sent: 565
Total Packets Recv: 0
Tacacs+ Server - public :
Server name: TACACS_2
Server address: xxxx
Server port: 49
Socket opens: 105
Socket closes: 105
Socket aborts: 0
Socket errors: 0
Socket Timeouts: 0
Failed Connect Attempts: 0
Total Packets Sent: 104
Total Packets Recv: 0
12-09-2021 05:57 AM
Hello,
post the full running configuration (sh run) of your switch...
12-09-2021 06:13 AM
Hi Georg
I can't post the running config, I work for the government. What is the most important part of the running config? I will see if I can post that.
12-09-2021 07:57 AM
I cannot speak for Georg but I would guess that he might say the most important was section aaa. But most of that was in the original post. He might want to see the configuration for the vty lines to see if there was anything there which might impact logging in. He might want to see configuration of interfaces, especially to see if there were any access lists or some type of policy implemented that might impact Tacacs. Perhaps I should just let Georg speak for himself.
I am surprised at the debug output. What I am seeing seems like output of aaa authentication but I am not seeing any output that looks like tacacs.
Am I correct that access list 99 is applied as access-class on the vty to control what IP addresses are permitted to login?
It is good to know that you are able to ping the tacacs server. Is it possible that the switch has more than one interface which might send traffic to the tacacs server? If so can you make sure that the interface which is sending the tacacs traffic is also the interface used for the ping?
Thank you for the output of show tacacs. It does show opens and closes. This part is interesting
Failed Connect Attempts: 0
Total Packets Sent: 565
Total Packets Recv: 0
If Failed Connect Attempts is zero and packets sent is 565 why is packets received zero?
I would suggest that a next step would be to check the logs of the Tacacs server (or ask the Tacacs admin to check the logs) and see if there are any entries in the logs that relate to your switch.
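The `show tacacs` counters posted earlier and the observation above (connects succeed, 565 packets sent, 0 received) can be turned into a repeatable check. As an added example that is not code from anyone in this thread, this Python script parses `show tacacs` output into one record per server and classifies each server from its counters in the way the replies reason about them. The sample output is constructed to match the posted counters, with placeholder documentation addresses (192.0.2.x) in place of the redacted ones; the classification labels and thresholds are my own.

```python
# Constructed sample, modelled on the 'show tacacs' output posted above.
# Addresses are placeholders (RFC 5737 documentation range), not the real servers.
SAMPLE_SHOW_TACACS = """\
Tacacs+ Server - public :
Server name: TACACS_1
Server address: 192.0.2.10
Server port: 49
Socket opens: 569
Socket closes: 569
Socket aborts: 0
Socket errors: 0
Socket Timeouts: 0
Failed Connect Attempts: 0
Total Packets Sent: 565
Total Packets Recv: 0
Tacacs+ Server - public :
Server name: TACACS_2
Server address: 192.0.2.11
Server port: 49
Socket opens: 105
Socket closes: 105
Socket aborts: 0
Socket errors: 0
Socket Timeouts: 0
Failed Connect Attempts: 0
Total Packets Sent: 104
Total Packets Recv: 0
"""


def parse_show_tacacs(text):
    """Split 'show tacacs' output into a list of dicts, one per server.
    Numeric counters are converted to int; other fields stay strings."""
    servers = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Tacacs+ Server"):
            current = {}
            servers.append(current)
            continue
        if current is None or ":" not in line:
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        current[key.strip()] = int(value) if value.isdigit() else value
    return servers


def assess_server(server):
    """Classify one server record from its counters (labels are assumptions):
    - 'unreachable': TCP/49 connects failed or timed out (routing, ACL, server down)
    - 'silent': connects and sends succeed but nothing ever comes back, so the
      server is not answering this client at the TACACS+ layer; AAA then
      falls through to the 'local' method, which is the symptom in this thread
    - 'responding': requests sent and replies received
    - 'idle': no requests sent yet
    """
    sent = server.get("Total Packets Sent", 0)
    recv = server.get("Total Packets Recv", 0)
    failed = server.get("Failed Connect Attempts", 0)
    timeouts = server.get("Socket Timeouts", 0)
    if failed > 0 or timeouts > 0:
        return "unreachable"
    if sent > 0 and recv == 0:
        return "silent"
    if sent > 0 and recv > 0:
        return "responding"
    return "idle"


def assess_all(text):
    """Map each server name to its classification."""
    return {s.get("Server name", "?"): assess_server(s) for s in parse_show_tacacs(text)}


if __name__ == "__main__":
    for name, status in assess_all(SAMPLE_SHOW_TACACS).items():
        print(f"{name}: {status}")
```

Both posted servers come out as `silent`: the switch completes TCP connections and sends requests, but receives nothing, which matches the "local" fallback the original poster sees and points at the server side (is the switch registered as a client, and what do the server logs show for its address) rather than at basic IP reachability.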
12-09-2021 07:59 AM
@Richard Burts VTY lines... that is mostly what I am looking for indeed! But maybe there are other things as well, so in any case, seeing the full config would be useful.
12-09-2021 08:01 AM
What VLAN is the TACACS reachable on?
Total Packets Recv: 0
ip tacacs-server source-interface vlan or interface
and run some debug :