C3650 TACACS Issue

Euphrosyne
Level 1

Hi Team. I have a problem with a TACACS configuration.

I plan to replace a C2960 with a C3650.

I moved the TACACS configuration of the C2960 to the C3650 as it was, but I was unable to log in via the serial console.

I do not know which part is the problem at present. I need help.

Here's the TACACS configuration.

 

aaa authentication login default group tacacs+ line
aaa authentication login NO_AUTHENT none
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ none
aaa authorization exec NO_AUTHOR none
aaa authorization commands 15 default group tacacs+ none
aaa authorization commands 15 NO_AUTHOR none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+

 

tacacs-server host x.x.x.x key 7 -- omitted --
tacacs-server host y.y.y.y key 7 -- omitted --
tacacs-server directed-request

 

line con 0
 exec-timeout 30 0
 authorization commands 15 NO_AUTHOR
 authorization exec NO_AUTHOR
 transport preferred telnet
 stopbits 1

 

Thanks.

6 Replies

johnd2310
Level 8

Hi,

What error are you getting when you try to log in? What do the logs on the TACACS server say about this client?

Thanks

John

**Please rate posts you find helpful**

Hi.

I have some logs from my C3650. When the switch boots up, it shows the banner and the "% Authentication failed" message three times.

*******************************************************************
Access to this computer system and associated network, computer
resources, or data is restricted to those authorized by ---. This
computer and related networks, resources or data may only be used
for business purposes of -- and its customers. Use by unauthor-
ized individual or for an unauthorized purpose is a violation of
--- Security Policy. Violators will be prosecuted.
********************************************************************

% Authentication failed

% Authentication failed

% Authentication failed


And there are no TACACS server logs because the switches are not connected to any network.

Thanks.

Hi,

The following line in your config tries the TACACS server and then the line password, but you have no line password on the console:

aaa authentication login default group tacacs+ line

You will need to add a line password on the console.

If you cannot get into your switch, you will need to perform a password recovery:

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3650/software/release/3se/system_management/configuration_guide/b_sm_3se_3650_cg/b_sm_3se_3650_cg_chapter_01111.html#task_1021182

 

Thanks

John

**Please rate posts you find helpful**
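
An offline check for the condition described in the answer above, added here as an illustration and not posted by anyone in the thread: it reads a saved running configuration and reports each `line` block whose login method list includes the `line` method but which has no `password`. The sample configuration is constructed (the vty blocks are invented), the function names are hypothetical, and sub-commands are assumed to be indented as in `show running-config` output.

```python
import re

# Constructed sample in "show running-config" layout (sub-commands indented).
# The AAA and console lines mirror the question; the vty blocks are invented.
SAMPLE = """\
aaa authentication login default group tacacs+ line
aaa authentication login NO_AUTHENT none
line con 0
 exec-timeout 30 0
 authorization exec NO_AUTHOR
line vty 0 4
 password 7 PLACEHOLDER
line vty 5 15
 login authentication NO_AUTHENT
"""

def parse(config):
    """Return (login method lists, per-line settings) from IOS-style text."""
    lists, lines, current = {}, {}, None
    for raw in config.splitlines():
        text = raw.strip()
        aaa = re.match(r"aaa authentication login (\S+) (.+)", text)
        if aaa:
            tok = aaa.group(2).split()
            # Drop server-group names so a group called "line" is not a method.
            lists[aaa.group(1)] = [t for i, t in enumerate(tok)
                                   if i == 0 or tok[i - 1] != "group"]
        if not raw.startswith(" "):
            # Top-level command: opens a line block or closes the current one.
            current = None
            if text.startswith("line "):
                current = lines.setdefault(text, {"list": "default", "password": False})
        elif current is not None:
            if text.startswith("password "):
                current["password"] = True
            sel = re.match(r"login authentication (\S+)", text)
            if sel:
                current["list"] = sel.group(1)  # named list overrides default
    return lists, lines

def lines_missing_password(config):
    """Lines whose login list uses the 'line' method but have no password set."""
    lists, lines = parse(config)
    return [name for name, cfg in lines.items()
            if "line" in lists.get(cfg["list"], []) and not cfg["password"]]

if __name__ == "__main__":
    for name in lines_missing_password(SAMPLE):
        print(f"{name}: 'line' method in use but no password configured")
```

Run against the sample, only the console is reported: `line vty 0 4` has a password and `line vty 5 15` selects the `NO_AUTHENT` list.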

OK. I'll try it.

Thanks.

Hi,

Kindly post a sanitized show run output.

Can you make sure the switch can ping the 3650 management IP from an NMS or the same network/subnet with your TACACS+ server?

Sorry for the late reply.

Our customer will be working on it next week.

I'll post the results when I receive them.

Thanks.