01-29-2020 08:13 AM
Hi All
After configuring TACACS+ on the 3560 switch, I am not able to log in to the switch using AD credentials, but I can still log in with local credentials. Kindly help here.
Find the configuration below:
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication login NOAUTH none
aaa authentication enable default none
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
tacacs-server host xx
tacacs-server host xx
tacacs-server directed-request
tacacs-server key xx
Note: as a recent change we have downgraded the switch to N-1.
Jan 29 15:48:01.413: AAA: parse name=tty0 idb type=-1 tty=-1
Jan 29 15:48:01.413: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
Jan 29 15:48:01.413: AAA/MEMORY: create_user (0x4B32EF4) user='NULL' ruser='INDUSDR-DS01' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=0 initial_task_id='0', vrf= (id=0)
Jan 29 15:48:01.413: tty0 AAA/AUTHOR/CMD (3760399370): Port='tty0' list='' service=CMD
Jan 29 15:48:01.413: AAA/AUTHOR/CMD: tty0 (3760399370) user=''
Jan 29 15:48:01.413: tty0 AAA/AUTHOR/CMD (3760399370): send AV service=shell
Jan 29 15:48:01.413: tty0 AAA/AUTHOR/CMD (3760399370): send AV cmd=exit
Jan 29 15:48:01.413: tty0 AAA/AUTHOR/CMD (3760399370): send AV cmd-arg=<cr>
Jan 29 15:48:01.413: tty0 AAA/AUTHOR/CMD(3760399370): found list "default"
Jan 29 15:48:01.413: tty0 AAA/AUTHOR/CMD (3760399370): Method=tacacs+ (tacacs+)
Jan 29 15:48:01.413: %AAA/AUTHOR/TAC+: (3760399370): no username in request
Jan 29 15:48:01.413: AAA/AUTHOR/TAC+: (3760399370): send AV service=shell
Jan 29 15:48:01.413: AAA/AUTHOR/TAC+: (3760399370): send AV cmd=exit
Jan 29 15:48:01.413: AAA/AUTHOR/TAC+: (3760399370): send AV cmd-arg=<cr>
Jan 29 15:48:01.413: TAC+: Using default tacacs server-group "tacacs+" list.
Jan 29 15:48:01.413: TAC+: Opening TCP/IP to xx.xx.xx.xx/49 timeout=5
Jan 29 15:48:01.463: TAC+: Opened TCP/IP handle 0x4B3386C to xx.xx.xx.xx/49 using source xx.xx.xx.xx
Jan 29 15:48:01.463: TAC+: xx.xx.xx.xx (3760399370) AUTHOR/START queuedCommand authorization failed.
INDUSDR-DS01(config)#
Jan 29 15:48:06.463: TAC+: (3760399370) AUTHOR/START -- TIMED OUT
Jan 29 15:48:06.463: TAC+: (3760399370) AUTHOR/START processed
Jan 29 15:48:06.463: TAC+: Closing TCP/IP 0x4B3386C connection to xx.xx.xx.xx/49
Jan 29 15:48:06.463: TAC+: Using default tacacs server-group "tacacs+" list.
Jan 29 15:48:06.463: TAC+: Opening TCP/IP to xx.xx.xx.xx/49 timeout=5
Jan 29 15:48:06.513: TAC+: Opened TCP/IP handle 0x4B33D70 to xx.xxx.xx.xx/49 using source xx.xx.xx.xx
Jan 29 15:48:06.513: TAC+: xx.xx.xx.xx (3760399370) AUTHOR/START queued
Jan 29 15:48:06.715: TAC+: (3760399370) AUTHOR/START processed
Jan 29 15:48:06.715: TAC+: (-534567926): received author response status = FAIL
Jan 29 15:48:06.715: TAC+: Closing TCP/IP 0x4B33D70 connection to xx.xx.xx.xx/49
Jan 29 15:48:06.715: AAA/AUTHOR (3760399370): Post authorization status = FAIL
Jan 29 15:48:06.715: AAA/MEMORY: free_user (0x4B32EF4) user='NULL' ruser='INDUSDR-DS01' port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=0 vrf= (id=0)
01-31-2020 07:35 AM
My guess is you have configured AUTHENTICATION,
so user/password is checked against AD,
but not (or incompletely) AUTHORIZATION,
so even when authenticated you are not authorized to access the CLI of the switch.
-> Look in the TACACS+ server logs and adjust the config.
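To make the pattern in the debug output above easier to spot (an authorization request with no username, one server timing out, the next one answering FAIL), here is a small parser written for this thread; it is an added example, not code from Cisco or from any poster, and its sample lines are constructed copies of the message formats already shown, with documentation-range addresses as placeholders.

```python
import re

# Constructed sample modelled on the "debug aaa authorization" / "debug tacacs" output in the question.
SAMPLE_DEBUG = """\
Jan 29 15:48:01.413: AAA/AUTHOR/CMD: tty0 (3760399370) user=''
Jan 29 15:48:01.413: tty0 AAA/AUTHOR/CMD (3760399370): send AV cmd=exit
Jan 29 15:48:01.413: %AAA/AUTHOR/TAC+: (3760399370): no username in request
Jan 29 15:48:01.463: TAC+: 192.0.2.10 (3760399370) AUTHOR/START queued
Jan 29 15:48:06.463: TAC+: (3760399370) AUTHOR/START -- TIMED OUT
Jan 29 15:48:06.513: TAC+: 192.0.2.11 (3760399370) AUTHOR/START queued
Jan 29 15:48:06.715: TAC+: (-534567926): received author response status = FAIL
"""

USER_RE = re.compile(r"AAA/AUTHOR/CMD: \S+ \(-?\d+\) user='([^']*)'")
CMD_RE = re.compile(r"send AV cmd=(\S+)")
QUEUED_RE = re.compile(r"TAC\+: (\S+) \(-?\d+\) AUTHOR/START queued")
RESP_RE = re.compile(r"received author response status = (\w+)")

def analyze(debug_text):
    # Collapse one command-authorization attempt into a summary dict.
    s = {"user": None, "cmd": None, "no_username": False, "servers": []}
    for line in debug_text.splitlines():
        if m := USER_RE.search(line):
            s["user"] = m.group(1)
        elif m := CMD_RE.search(line):
            s["cmd"] = m.group(1)
        elif "no username in request" in line:
            s["no_username"] = True
        elif m := QUEUED_RE.search(line):  # IOS tried (another) server
            s["servers"].append({"host": m.group(1), "result": "pending"})
        elif "AUTHOR/START -- TIMED OUT" in line and s["servers"]:
            s["servers"][-1]["result"] = "TIMED OUT"
        elif (m := RESP_RE.search(line)) and s["servers"]:
            s["servers"][-1]["result"] = m.group(1)  # FAIL or PASS_*
    return s

def diagnose(s):
    # Map the summary to the checks an admin would run next.
    findings = []
    if s["no_username"] or s["user"] == "":
        findings.append("no username in the authorization request: the session has no "
                        "authenticated user, so check login authentication on that line first")
    for srv in s["servers"]:
        if srv["result"] == "TIMED OUT":
            findings.append(f"{srv['host']}: no reply; check reachability, TCP/49 and key")
        elif srv["result"] == "FAIL":
            findings.append(f"{srv['host']}: rejected cmd={s['cmd']}; check server policy")
    return findings
```

Feed it the output of `debug aaa authorization` plus `debug tacacs` from the switch; each finding points at either the authentication side (empty username) or the server side (timeout vs. explicit FAIL).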
01-31-2020 07:57 AM
Make sure that you configured your "line vty" to authenticate against that group.
Check this out for a reference:
https://community.cisco.com/t5/policy-and-access/tacacs-for-vty-console/td-p/2359032