AAA Tacacs configuration

Hi,

 

I have configured AAA with a TACACS+ server but am unable to authenticate any user from the ACS 4.2 server. Network connectivity is OK.

Cisco Server ACS 4.2

Cisco WS-C3850-E

Configuration uploaded for your reference; please help me resolve this issue.

###################################

aaa new-model

aaa group server tacacs+ ACS42GROUP
server name ACS42
!
aaa authentication login default group ACS42 local
aaa authorization exec default group tacacs+ ACS42 local if-authenticated

 

tacacs server ACS42
address ipv4 10.0.2.215
key cisco

 

###################################

# test aaa group tacacs+ cisco cisco legacy

No authoritative response from any server.

.Mar 6 10:00:49.474: %AAA-3-BADSERVERTYPEERROR: Cannot process authentication server type *invalid_group_handle*
.Mar 6 10:04:41.930: %AAA-3-BADSERVERTYPEERROR: Cannot process authentication server type *invalid_group_handle*
.Mar 6 10:09:57.833: %AAA-3-BADSERVERTYPEERROR: Cannot process authentication server type *invalid_group_handle*
.Mar 6 10:11:21.007: %AAA-3-BADSERVERTYPEERROR: Cannot process authentication server type *invalid_group_handle*

 

Regards,

Noor.

10 Replies

Hello,

 

At first glance it looks like you need to refer to the server group rather than the server itself. So instead of:

 

aaa new-model

aaa group server tacacs+ ACS42GROUP
server name ACS42
!
aaa authentication login default group ACS42 local
aaa authorization exec default group tacacs+ ACS42 local if-authenticated

 

try:

 

aaa new-model

aaa group server tacacs+ ACS42GROUP
server name ACS42
!
aaa authentication login default group ACS42GROUP local
! "group tacacs+" (every configured TACACS+ server) and "group ACS42GROUP" are two separate
! methods; the named group is the one wanted here (to list both: group tacacs+ group ACS42GROUP)
aaa authorization exec default group ACS42GROUP local if-authenticated
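The `%AAA-3-BADSERVERTYPEERROR ... *invalid_group_handle*` messages in the original post are consistent with exactly this mistake: the method list names something that is not a defined server group. As an added check (this is not code from the thread or from Cisco), the Python lint below parses an IOS AAA snippet and flags a `group` keyword that points at an undefined group, including the case where the name is really a `tacacs server`, and any stray token after `group tacacs+` that is not a method keyword. The two configuration strings are constructed from the post; the function and pattern names are this example's own.

```python
"""Lint IOS AAA method lists for references to undefined server groups.

Added example, not part of the original thread. Only `aaa authentication`
and `aaa authorization` lists are parsed; accounting lines carry extra
record-type tokens and are left alone.
"""
import re
from typing import List

# Built-in groups IOS accepts after "group": all configured TACACS+ / RADIUS servers.
BUILTIN_GROUPS = {"tacacs+", "radius"}
# Method keywords that may follow a group in a method list (common subset).
METHOD_KEYWORDS = {"local", "local-case", "enable", "line", "none",
                   "if-authenticated", "if-needed", "krb5", "krb5-instance"}

GROUP_RE = re.compile(r"^aaa group server (?:tacacs\+|radius) (\S+)$")
MEMBER_RE = re.compile(r"^server name (\S+)$")
SERVER_RE = re.compile(r"^(?:tacacs|radius) server (\S+)$")
LIST_RE = re.compile(r"^aaa (authentication|authorization) (\S+) (\S+) (.+)$")

# Constructed from the original post (ACS42 is a server; ACS42GROUP is the group).
BROKEN_CONFIG = """\
aaa new-model
aaa group server tacacs+ ACS42GROUP
 server name ACS42
!
aaa authentication login default group ACS42 local
aaa authorization exec default group tacacs+ ACS42 local if-authenticated
!
tacacs server ACS42
 address ipv4 10.0.2.215
 key cisco
"""

# The same snippet with the method lists pointing at the server group.
FIXED_CONFIG = """\
aaa new-model
aaa group server tacacs+ ACS42GROUP
 server name ACS42
!
aaa authentication login default group ACS42GROUP local
aaa authorization exec default group ACS42GROUP local if-authenticated
!
tacacs server ACS42
 address ipv4 10.0.2.215
 key cisco
"""


def lint_aaa(config: str) -> List[str]:
    """Return a list of findings (empty when every group reference resolves)."""
    lines = [ln.strip() for ln in config.splitlines()]
    groups = {m.group(1) for ln in lines for m in [GROUP_RE.match(ln)] if m}
    servers = {m.group(1) for ln in lines for m in [SERVER_RE.match(ln)] if m}
    findings: List[str] = []

    for n, ln in enumerate(lines, 1):
        where = f"line {n}"
        m = MEMBER_RE.match(ln)
        if m and m.group(1) not in servers:
            findings.append(f"{where}: group member '{m.group(1)}' is not a configured server")
            continue
        m = LIST_RE.match(ln)
        if not m:
            continue
        tokens = m.group(4).split()
        i = 0
        while i < len(tokens):
            tok = tokens[i]
            if tok == "group":
                if i + 1 >= len(tokens):
                    findings.append(f"{where}: 'group' with no group name")
                    break
                name = tokens[i + 1]
                if name not in groups and name not in BUILTIN_GROUPS:
                    hint = f" ({name} is a server, not a group)" if name in servers else ""
                    findings.append(f"{where}: undefined server group '{name}'{hint}")
                i += 2
            elif tok in METHOD_KEYWORDS:
                i += 1
            else:
                # e.g. a server name left dangling after "group tacacs+"
                findings.append(f"{where}: unknown method '{tok}'")
                i += 1
    return findings


if __name__ == "__main__":
    for label, cfg in (("original", BROKEN_CONFIG), ("corrected", FIXED_CONFIG)):
        print(label, lint_aaa(cfg) or "ok")
```

Run it before pasting a method list onto a production switch: a reference to a group that does not exist is not a typo the CLI always rejects, and the first symptom can be that nobody can log in.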

Hi,

 

I have followed the above instructions and now AAA authentication is working fine via the ACS server, but now the problem is that local authentication is not working: I entered the local username and password but it shows authentication failed.

Please advise what the remedy is.

 

Regards,

Noor.

Hello

@concept-trainer.com wrote:

Hi,

I have followed the above instructions and now AAA authentication is working fine via the ACS server, but now the problem is that local authentication is not working: I entered the local username and password but it shows authentication failed.

Please advise what the remedy is.


This would be correct, as now the switch will prefer TACACS+ authentication and not the local database. One way around this is to assign a rotary group to a vty line of your choice and specify local AAA access for that particular line; then you'll still be able to access the device locally even when TACACS+ is enabled.

 

example:

username stan privilege 15 secret stan
! local-only method lists, used by nothing except the break-glass vty below
aaa authentication login notacacs10 local
aaa authorization exec notacacs20 local if-authenticated
!
line vty 15
 rotary 1
 login authentication notacacs10
 authorization exec notacacs20
!
! rotary 1 answers on TCP port 3001, so only this line uses the local lists
telnet xxxxx 3001


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi

This didn't resolve my requirement, as I have one user in the local database, which is Cisco with password Cisco and privilege 15.

The problem is that TACACS+ is authenticating users, and in the meantime I entered the local user Cisco with password Cisco, which doesn't work.

It seems the switch is authenticating the Cisco user against the TACACS+ server database and not checking the local database; that's why I am getting this error.

If the TACACS+ server is live but the user exists only in the local database, then it will not work as long as the TACACS+ server is live...... is that correct????

 

Hello

Correct, TACACS+ takes precedence, so you need to initially log back in using TACACS+, then apply the configuration I posted, and then you should be able to access the device using local database credentials even when TACACS+ is enabled.

 



Kind Regards
Paul

Hi,

 

Thanks for your help; the issue has been resolved now.

 

Regards,

Noor.

Do you have a local user set up? What logs do you see on the switch and on the ACS server?

BB


The configuration being used

aaa authentication login default group ACS42GROUP local

specifies that the TACACS+ server is preferred and that local authentication will be used only in situations where the TACACS+ server is not available. When the original poster was testing local authentication, was anything done to prevent authentication via TACACS+?

 

HTH

 

Rick

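Rick's explanation above, and Paul's rotary-line workaround earlier in the thread, both come down to how IOS walks a method list: each method is tried in order, the first one that answers PASS or FAIL decides, and the next method is consulted only when the current one returns no usable answer (server unreachable, no response). With `group ACS42GROUP local`, a reachable ACS that rejects a local-only username is a FAIL, and `local` is never reached; a second, local-only list bound to one vty line is what restores local logins while TACACS+ is up. The Python below simulates that walk; it is an added example, not code from the thread or from Cisco, and the server group, its users, the local user and the list names are constructed for the illustration.

```python
"""Simulate IOS AAA method-list fallback for the lists discussed in the thread.

Added example, not part of the original thread. Users, secrets and server
availability are constructed; only the ordering rule is the real behaviour.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Result(Enum):
    PASS = "pass"     # method accepted the credentials: login allowed
    FAIL = "fail"     # method rejected them: the list stops here
    ERROR = "error"   # no usable response: IOS moves on to the next method


@dataclass
class TacacsGroup:
    """A named server group such as ACS42GROUP (users are constructed)."""
    name: str
    users: Dict[str, str]
    reachable: bool = True

    def authenticate(self, user: str, password: str) -> Result:
        if not self.reachable:
            return Result.ERROR  # timeout: "No authoritative response from any server"
        return Result.PASS if self.users.get(user) == password else Result.FAIL


@dataclass
class LocalDB:
    """The switch's own `username ... secret ...` entries (constructed)."""
    users: Dict[str, str]
    name: str = "local"

    def authenticate(self, user: str, password: str) -> Result:
        return Result.PASS if self.users.get(user) == password else Result.FAIL


def run_method_list(methods: List, user: str, password: str) -> Tuple[Result, Optional[str]]:
    """Walk the list in order; return the decision and which method made it."""
    for method in methods:
        result = method.authenticate(user, password)
        if result is not Result.ERROR:
            return result, method.name
    return Result.ERROR, None  # every method errored: the login is refused


def demo() -> Dict[str, Tuple[str, Optional[str]]]:
    """The thread's scenarios; returns scenario -> (decision, deciding method)."""
    acs = TacacsGroup("ACS42GROUP", users={"noor": "tacacs-pw"})  # constructed
    local = LocalDB(users={"cisco": "cisco"})                       # constructed
    default_list = [acs, local]  # aaa authentication login default group ACS42GROUP local
    notacacs10 = [local]         # aaa authentication login notacacs10 local

    out = {}
    out["tacacs user, default list"] = run_method_list(default_list, "noor", "tacacs-pw")
    # The thread's problem: ACS answers FAIL for a local-only user, local is never tried.
    out["local user, default list, ACS up"] = run_method_list(default_list, "cisco", "cisco")
    acs.reachable = False
    out["local user, default list, ACS down"] = run_method_list(default_list, "cisco", "cisco")
    acs.reachable = True
    # Paul's rotary vty: a local-only list works regardless of ACS state.
    out["local user, notacacs10 list, ACS up"] = run_method_list(notacacs10, "cisco", "cisco")
    out["tacacs user, notacacs10 list"] = run_method_list(notacacs10, "noor", "tacacs-pw")
    return {k: (r.value, who) for k, (r, who) in out.items()}


if __name__ == "__main__":
    for scenario, (decision, who) in demo().items():
        print(f"{scenario:40s} -> {decision:5s} decided by {who}")
```

The design consequence is the one Paul states: `local` after a server group is a fallback for an unreachable server, not an alternative credential store, so a break-glass account needs its own list on a line that nobody else uses, and that line (here the rotary port) deserves the same access-list protection as the rest of the vty range.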

Hi,

 

Is there anything else? Kindly advise according to my first post, in which all commands are mentioned.

 

Regards,

Hi,

It just shows authentication failed while the username and password are correct.

 

 

 

Regards,

Noor.
