585 Views | 0 Helpful | 2 Replies

After configuring Tacacs centralized credentials not working

meshekar51 (Level 1)

Hi All,

After configuring TACACS+ on a 3560 switch I am not able to log in to the switch using AD credentials, but I am still able to log in with local credentials. Kindly help here.


Find the configuration below:

aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication login NOAUTH none
aaa authentication enable default none
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
tacacs-server host xx
tacacs-server host xx
tacacs-server directed-request
tacacs-server key xx


Note on recent changes: we have downgraded the switch to N-1.


Jan 29 15:48:01.413: AAA: parse name=tty0 idb type=-1 tty=-1
Jan 29 15:48:01.413: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
Jan 29 15:48:01.413: AAA/MEMORY: create_user (0x4B32EF4) user='NULL' ruser='INDUSDR-DS01' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=0 initial_task_id='0', vrf= (id=0)
Jan 29 15:48:01.413: tty0 AAA/AUTHOR/CMD (3760399370): Port='tty0' list='' service=CMD
Jan 29 15:48:01.413: AAA/AUTHOR/CMD: tty0 (3760399370) user=''
Jan 29 15:48:01.413: tty0 AAA/AUTHOR/CMD (3760399370): send AV service=shell
Jan 29 15:48:01.413: tty0 AAA/AUTHOR/CMD (3760399370): send AV cmd=exit
Jan 29 15:48:01.413: tty0 AAA/AUTHOR/CMD (3760399370): send AV cmd-arg=<cr>
Jan 29 15:48:01.413: tty0 AAA/AUTHOR/CMD(3760399370): found list "default"
Jan 29 15:48:01.413: tty0 AAA/AUTHOR/CMD (3760399370): Method=tacacs+ (tacacs+)
Jan 29 15:48:01.413: %AAA/AUTHOR/TAC+: (3760399370): no username in request
Jan 29 15:48:01.413: AAA/AUTHOR/TAC+: (3760399370): send AV service=shell
Jan 29 15:48:01.413: AAA/AUTHOR/TAC+: (3760399370): send AV cmd=exit
Jan 29 15:48:01.413: AAA/AUTHOR/TAC+: (3760399370): send AV cmd-arg=<cr>
Jan 29 15:48:01.413: TAC+: Using default tacacs server-group "tacacs+" list.
Jan 29 15:48:01.413: TAC+: Opening TCP/IP to xx.xx.xx.xx/49 timeout=5
Jan 29 15:48:01.463: TAC+: Opened TCP/IP handle 0x4B3386C to xx.xx.xx.xx/49 using source xx.xx.xx.xx
Jan 29 15:48:01.463: TAC+: xx.xx.xx.xx (3760399370) AUTHOR/START queuedCommand authorization failed.

INDUSDR-DS01(config)#
Jan 29 15:48:06.463: TAC+:  (3760399370) AUTHOR/START -- TIMED OUT
Jan 29 15:48:06.463: TAC+: (3760399370) AUTHOR/START processed
Jan 29 15:48:06.463: TAC+: Closing TCP/IP 0x4B3386C connection to xx.xx.xx.xx/49
Jan 29 15:48:06.463: TAC+: Using default tacacs server-group "tacacs+" list.
Jan 29 15:48:06.463: TAC+: Opening TCP/IP to xx.xx.xx.xx/49 timeout=5
Jan 29 15:48:06.513: TAC+: Opened TCP/IP handle 0x4B33D70 to xx.xxx.xx.xx/49 using source xx.xx.xx.xx
Jan 29 15:48:06.513: TAC+: xx.xx.xx.xx (3760399370) AUTHOR/START queued
Jan 29 15:48:06.715: TAC+: (3760399370) AUTHOR/START processed
Jan 29 15:48:06.715: TAC+: (-534567926): received author response status = FAIL
Jan 29 15:48:06.715: TAC+: Closing TCP/IP 0x4B33D70 connection to xx.xx.xx.xx/49
Jan 29 15:48:06.715: AAA/AUTHOR (3760399370): Post authorization status = FAIL
Jan 29 15:48:06.715: AAA/MEMORY: free_user (0x4B32EF4) user='NULL' ruser='INDUSDR-DS01' port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=0 vrf= (id=0)
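As an added triage aid (not part of the original thread), a small parser for the IOS AAA/TAC+ debug output quoted above: it groups the lines by session id, normalises the signed id that IOS prints on the "received author response" line (3760399370 appears there as -534567926), and lists the points worth checking first. The debug excerpt inside it is a constructed, trimmed copy of the lines in this post.

```python
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the debug lines quoted in this thread.
SAMPLE_DEBUG = """\
Jan 29 15:48:01.413: tty0 AAA/AUTHOR/CMD (3760399370): send AV cmd=exit
Jan 29 15:48:01.413: tty0 AAA/AUTHOR/CMD (3760399370): Method=tacacs+ (tacacs+)
Jan 29 15:48:01.413: %AAA/AUTHOR/TAC+: (3760399370): no username in request
Jan 29 15:48:06.463: TAC+:  (3760399370) AUTHOR/START -- TIMED OUT
Jan 29 15:48:06.715: TAC+: (-534567926): received author response status = FAIL
Jan 29 15:48:06.715: AAA/AUTHOR (3760399370): Post authorization status = FAIL
"""

SESSION_RE = re.compile(r"\((-?\d+)\)")
# (field, regex): the first capture group of each pattern is stored under field.
FIELDS = [("cmd", r"send AV cmd=(\S+)"), ("method", r"Method=(\S+)"),
          ("server_status", r"received author response status = (\w+)"),
          ("final", r"Post authorization status = (\w+)")]


def session_id(line):
    """AAA session id as unsigned 32-bit (IOS prints it signed on some lines)."""
    return int(m.group(1)) & 0xFFFFFFFF if (m := SESSION_RE.search(line)) else None


def parse_author_debug(text):
    """Group per session: what was authorised, by which method, and the outcome."""
    sessions = defaultdict(lambda: {"no_username": False, "timeouts": 0})
    for line in text.splitlines():
        sid = session_id(line)
        if sid is None:
            continue
        s = sessions[sid]
        s["no_username"] |= "no username in request" in line
        s["timeouts"] += "TIMED OUT" in line
        for field, pattern in FIELDS:
            m = re.search(pattern, line)
            if m and field not in s:   # keep the first value seen for each field
                s[field] = m.group(1)
    return dict(sessions)


def triage(session):
    """The findings a defender would check first for one parsed session."""
    findings = []
    if session["no_username"]:
        findings.append("authorization request carried no username; check how this line authenticates")
    if session["timeouts"]:
        findings.append(f"{session['timeouts']} AUTHOR/START attempt(s) timed out before a server answered")
    if session.get("server_status") == "FAIL":
        # An explicit FAIL is a policy decision by a reachable server; IOS only falls
        # through to the next method in the list (here 'none') when the server group errors.
        findings.append("server returned FAIL: fix the TACACS+ policy, the 'none' fallback will not apply")
    return findings
```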

2 Replies

pieterh (VIP)

My guess is you have configured AUTHENTICATION,

so the user/password is checked against AD,

but not (or incompletely) AUTHORIZATION,

so even when authenticated you are not authorized to access the CLI of the switch.

-> Look in the TACACS+ server logs and adjust the config.

Nadav (Level 7)

Make sure that you configured your "line vty" to authenticate against that group.

Check this out for a reference:

https://community.cisco.com/t5/policy-and-access/tacacs-for-vty-console/td-p/2359032
