03-06-2019 02:24 AM
Hi,
I have configured AAA with a TACACS server but am unable to authenticate any user from the ACS 4.2 server. Network connectivity is OK.
Cisco Server ACS 4.2
Cisco WS-C3850-E
Configuration uploaded for your reference; please help with this to resolve the issue.
###################################
aaa new-model
aaa group server tacacs+ ACS42GROUP
 server name ACS42
!
aaa authentication login default group ACS42 local
aaa authorization exec default group tacacs+ ACS42 local if-authenticated
tacacs server ACS42
 address ipv4 10.0.2.215
 key cisco
###################################
# test aaa group tacacs+ cisco cisco legacy
No authoritative response from any server.
.Mar 6 10:00:49.474: %AAA-3-BADSERVERTYPEERROR: Cannot process authentication server type *invalid_group_handle*
.Mar 6 10:04:41.930: %AAA-3-BADSERVERTYPEERROR: Cannot process authentication server type *invalid_group_handle*
.Mar 6 10:09:57.833: %AAA-3-BADSERVERTYPEERROR: Cannot process authentication server type *invalid_group_handle*
.Mar 6 10:11:21.007: %AAA-3-BADSERVERTYPEERROR: Cannot process authentication server type *invalid_group_handle*
Regards,
Noor.
03-06-2019 04:23 AM
Hello,
At first glance it looks like you need to refer to the server group rather than the server itself. So instead of:
aaa new-model
aaa group server tacacs+ ACS42GROUP
 server name ACS42
!
aaa authentication login default group ACS42 local
aaa authorization exec default group tacacs+ ACS42 local if-authenticated
try:
aaa new-model
aaa group server tacacs+ ACS42GROUP
 server name ACS42
!
aaa authentication login default group ACS42GROUP local
aaa authorization exec default group tacacs+ ACS42GROUP local if-authenticated
03-06-2019 04:36 AM
Hi,
I have followed the above instructions and now AAA authentication is working fine via the ACS server, but now the problem is that local authentication is not working: I entered the local username and password but it shows authentication failed.
Please advise what the remedy is.
Regards,
Noor.
03-06-2019 06:51 AM - edited 03-06-2019 07:33 AM
Hello
@concept-trainer.com wrote:
Hi,
I have followed the above instructions and now AAA authentication is working fine via the ACS server, but now the problem is that local authentication is not working: I entered the local username and password but it shows authentication failed.
Please advise what the remedy is.
This would be correct, as now the switch will prefer the tacacs authentication and not the local database. One way around this is to rotary a vty line of your choice and specify local AAA access for that particular line; then you'll still be able to access locally even when tacacs is enabled.
example:
username stan privilege 15 secret stan
aaa authentication login notacacs10 local
aaa authorization exec notacacs20 local if-authenticated
line vty 15
 rotary 1
 login authentication notacacs10
 authorization exec notacacs20
telnet xxxxx 3001
03-06-2019 11:22 AM
Hi
This didn't resolve my requirement, as I have one user in the local database which is Cisco with password Cisco and privilege 15.
The problem is that tacacs is authenticating users, and in the meantime I entered the local user Cisco with password Cisco, which doesn't work.
It seems the switch is authenticating the Cisco user from the tacacs server database and not checking the local database; that's why I am getting this error.
If the tacacs server is live but the user exists only in the local database, then it will not work as the tacacs server is live...... is that correct????
03-06-2019 11:34 AM - edited 03-06-2019 11:36 AM
Hello
Correct, tacacs takes precedence, so you need to initially log back in using tacacs, then apply the configuration I posted, and then you should be able to access the device using local database credentials even when tacacs is enabled.
03-06-2019 08:17 PM
Hi,
Thanks for your help, as the issue has been resolved now.
Regards,
Noor.
03-06-2019 06:55 AM
Do you have a local user set up? What are the logs you see on the switch and the ACS server?
03-06-2019 07:04 AM
The configuration being used
aaa authentication login default group ACS42GROUP local
specifies that the tacacs server is preferred and that local authentication will be used in situations where the tacacs server is not available. When the original poster was testing local authentication, was anything done to prevent authentication via tacacs?
HTH
Rick
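As an added example (not from this thread), a small Python check that covers both points raised above: a method list that references a server name instead of a server group (the fix in the earlier answer), and a simulation of how IOS walks `group ... local`, where the local database is only consulted when the TACACS+ group does not answer (Rick's point). The config sample is constructed, and `tacacs_reply` stands in for the server's verdict.

```python
import re

# Constructed sample: the group is ACS42GROUP, but the method list names the server.
CONFIG_BROKEN = """\
aaa group server tacacs+ ACS42GROUP
 server name ACS42
aaa authentication login default group ACS42 local
tacacs server ACS42
"""
CONFIG_FIXED = CONFIG_BROKEN.replace("group ACS42 local", "group ACS42GROUP local")

def parse_aaa(config):
    """Collect server-group names, server names and AAA method lists."""
    groups, servers, lists = set(), set(), {}
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"aaa group server (?:tacacs\+|radius) (\S+)", line):
            groups.add(m.group(1))
        elif m := re.match(r"(?:tacacs|radius) server (\S+)", line):
            servers.add(m.group(1))
        elif m := re.match(r"aaa (authentication|authorization) (\S+) (\S+) (.+)", line):
            kind, service, name, methods = m.groups()
            lists[(kind, service, name)] = methods.split()
    return groups, servers, lists

def check_group_refs(config):
    """Flag 'group X' where X is neither a built-in nor a defined server group."""
    groups, servers, lists = parse_aaa(config)
    problems = []
    for key, methods in lists.items():
        for tok, ref in zip(methods, methods[1:]):
            if tok != "group" or ref in ("tacacs+", "radius", *groups):
                continue
            hint = " (a server name, not a group)" if ref in servers else ""
            problems.append(f"{' '.join(key)}: group {ref} is undefined{hint}")
    return problems

def evaluate(methods, user, password, tacacs_reply, local_users):
    """Walk a method list as IOS does: a PASS or FAIL answer ends the lookup, only
    ERROR (server unreachable) falls through. Local is simplified to PASS/FAIL."""
    # Keywords only: group names and if-authenticated are skipped.
    for step in (m for m in methods if m in ("group", "local")):
        if step == "group":
            result = tacacs_reply
        else:
            result = "PASS" if local_users.get(user) == password else "FAIL"
        if result != "ERROR":
            return result
    return "ERROR"   # "No authoritative response from any server"
```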
03-06-2019 11:31 AM
Hi,
Is there anything else? Kindly advise according to my first post, in which all commands are mentioned.
Regards,
03-06-2019 11:28 AM
Hi,
It just shows authentication failed while the username and password are correct.
Regards,
Noor.