TACACS+ Authorization

pokemon
Level 1

Hello there,

Is there anyone who can enable command authorization with tacacs+ server in Small Business Switch SG500 with the latest OS (1.4.7.5) ?

The TACACS+ server is running fine with authentication/authorization for Catalyst 3850.

But this server works only for authentication... not authorization for the Small Business Switch.

If I run the TACACS+ server with the debug option, then the Small Business Server never sends an authorization command to the TACACS+ server.

root@jpmonitor01# /usr/local/sbin/tac_plus -C /usr/local/etc/tac_plus.conf -g -d 32768
Reading config
Version F4.0.4.28 Initialized 1
tac_plus server F4.0.4.28 starting
socket FD 4 AF 28
socket FD 5 AF 2
uid=559 euid=559 gid=559 egid=559 s=677478864
connect from 10.100.255.70 [10.100.255.70]
Can't open acct file /var/log/tac_plus.acct -- Permission denied
connect from 10.100.255.70 [10.100.255.70]
login query for 'hmiyoshi' port unknown-port from 10.100.255.70 accepted
connect from 10.100.255.70 [10.100.255.70]
10.100.255.70: Cannot lock /var/log/tac_plus.acct
connect from 10.100.255.70 [10.100.255.70]
10.100.255.70: Cannot lock /var/log/tac_plus.acct
connect from 10.100.255.66 [10.100.255.66]
login query for 'hmiyoshi' port tty2 from 10.100.255.66 accepted
connect from 10.100.255.66 [10.100.255.66]
authorization query for 'hmiyoshi' tty2 from 10.100.255.66 accepted
connect from 10.100.255.66 [10.100.255.66]
authorization query for 'hmiyoshi' tty2 from 10.100.255.66 rejected
connect from 10.100.255.66 [10.100.255.66]
authorization query for 'hmiyoshi' tty2 from 10.100.255.66 accepted
connect from 10.100.255.70 [10.100.255.70]
10.100.255.70: Cannot lock /var/log/tac_plus.acct

The IP address 10.100.255.70 is Small Business Switch and 10.100.255.66 is Catalyst 3850.

The aaa command in SG500 is like this.

aaa authentication login authorization SSH tacacs local
aaa authentication enable authorization SSH tacacs enable

Of course I log on to this switch with SSH.

Any information will be highly appreciated.

Miyoshi
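As an added example (not part of this thread or of tac_plus itself), a short Python script that reads tac_plus debug output in the line format shown above and reports, per client address, how many login (authentication) and authorization queries were seen, so a switch that authenticates but never requests command authorization stands out. It assumes the line format of the `-d 32768` output above is stable; the sample lines are constructed.

```python
import re
from collections import defaultdict

# Patterns for the tac_plus debug lines seen in the post (format assumed stable).
LOGIN_RE = re.compile(
    r"^login query for '(?P<user>[^']+)' port \S+ from (?P<ip>[\d.]+) (?P<result>accepted|rejected)$")
AUTHZ_RE = re.compile(
    r"^authorization query for '(?P<user>[^']+)' \S+ from (?P<ip>[\d.]+) (?P<result>accepted|rejected)$")
ACCT_ERR_RE = re.compile(r"Cannot lock|Can't open acct file")


def summarize(log_lines):
    """Count authentication and authorization queries per client IP and
    accounting-file errors, returning (stats_by_ip, acct_error_count)."""
    stats = defaultdict(lambda: {"authn": 0, "authz_accepted": 0, "authz_rejected": 0})
    acct_errors = 0
    for line in log_lines:
        line = line.strip()
        m = LOGIN_RE.match(line)
        if m:
            stats[m.group("ip")]["authn"] += 1
            continue
        m = AUTHZ_RE.match(line)
        if m:
            key = "authz_accepted" if m.group("result") == "accepted" else "authz_rejected"
            stats[m.group("ip")][key] += 1
            continue
        if ACCT_ERR_RE.search(line):
            acct_errors += 1
    return dict(stats), acct_errors


def clients_without_authorization(stats):
    """Clients that authenticated but never sent an authorization query: on these
    devices the TACACS+ server is not enforcing command authorization at all."""
    return sorted(ip for ip, s in stats.items()
                  if s["authn"] > 0 and s["authz_accepted"] + s["authz_rejected"] == 0)


# Constructed sample in the format of the tac_plus debug output above.
SAMPLE_LOG = """\
connect from 10.100.255.70 [10.100.255.70]
login query for 'hmiyoshi' port unknown-port from 10.100.255.70 accepted
10.100.255.70: Cannot lock /var/log/tac_plus.acct
connect from 10.100.255.66 [10.100.255.66]
login query for 'hmiyoshi' port tty2 from 10.100.255.66 accepted
authorization query for 'hmiyoshi' tty2 from 10.100.255.66 accepted
authorization query for 'hmiyoshi' tty2 from 10.100.255.66 rejected
""".splitlines()

if __name__ == "__main__":
    stats, acct_errors = summarize(SAMPLE_LOG)
    for ip, s in sorted(stats.items()):
        print(ip, s)
    print("no command authorization seen from:", clients_without_authorization(stats))
    print("accounting file errors:", acct_errors)
```

The accounting-file counter is worth watching too: the "Cannot lock /var/log/tac_plus.acct" lines in the original output mean the server cannot write its accounting log, so command accounting records are being lost.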

1 Reply

whistleblower14
Level 1

Hi,

I'm facing this question in general too, using 2.4.5.71.

The Administration Guide states:

Authorization—Performed at login. After the authentication session is completed, an
authorization session starts using the authenticated username. The TACACS+ server
then checks user privileges.


Is it "only" possible to refer the users to the default Privilege Levels of 1, 7 and 15, or is it possible to build a customized Command-Set using e.g. an Authorization-List like the Enterprise devices support?