try this

amit bhatnagar · ‎02-22-2017

hello ,

I have new 3850 stack added to network

we have local enable secret on the device which works fine even for remote management.

But when I add the tactics key the tactics credeteinals takes me to user level but doesnt work on enable level .

even local credentials don't work when we have tacacs key present .

below is the config

enable secret 5 xxxxx.

!

aaa new-model

!

aaa authentication attempts login 20

aaa authentication login default group tacacs+ enable

aaa authentication enable default group tacacs+ enable

aaa authorization exec default group tacacs+ if-authenticated

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting connection default start-stop group tacacs+

!

aaa session-id common

tacacs-server host x.x.x.x

tacacs-server host y.y.y.y

tacacs-server timeout 10

tacacs-server directed-request

ip tacacs source-interface Vlan x

line vty 0 4

access-class x in

exec-timeout 15 0

logging synchronous

transport input ssh

transport output telnet ssh

Mark Malone · ‎02-22-2017

try this

aaa authentication attempts login 20

aaa authentication login default group tacacs+ local enable

aaa authentication enable default group tacacs+ local

aaa authorization exec default group tacacs+ local

.................................

heres a working tacacs off my 38s , you could tweak either

aaa group server tacacs+ xtacacs
server-private x.x.x.x key 7 151F4E36366F237D2A64637F404632483002187F7D
server-private x.x.x.x key 7 141A57313E412272267F65687152235D3255177E76
ip vrf forwarding Mgmt-vrf
ip tacacs source-interface GigabitEthernet0/0
!
aaa authentication login default group xtacacs local enable
aaa authentication enable default group xtacacs enable
aaa authorization exec default group xtacacs local
aaa accounting exec default start-stop group xtacacs
aaa accounting commands 0 default start-stop group xtacacs
aaa accounting commands 1 default start-stop group xtacacs
aaa accounting commands 15 default start-stop group xtacacs
aaa accounting network default start-stop group xtacacs
aaa accounting connection default start-stop group xtacacs
aaa accounting system default start-stop group xtacacs
!

3850 tacacs not accepting enable mode