Can not login with console catalyst_2960

shaohua feng
Level 1

Hello,

 

I'm trying to use the TACACS server. The configuration is below:

C2960(config)#aaa new-model
C2960(config)#aaa group server tacacs+ west263
C2960(config-sg-tacacs+)# server 1.1.1.42
C2960(config-sg-tacacs+)# server 1.1.1.226
C2960(config-sg-tacacs+)#server 1.1.1.42 
C2960(config-sg-tacacs+)#exi
C2960(config)#aaa authentication login default group tacacs+ enable
C2960(config)#aaa authentication enable default group tacacs+ enable
C2960(config)#aaa authorization exec default group tacacs+ local
C2960(config)#aaa authorization commands 13 default group tacacs+ local
C2960(config)#aaa authorization commands 14 default group tacacs+ local
C2960(config)#aaa authorization commands 15 default group tacacs+ local
C2960(config)#aaa accounting exec default start-stop group tacacs+
C2960(config)#aaa accounting commands 15 default start-stop group tacacs+
C2960(config)#aaa accounting commands 14 default start-stop group tacacs+ 
C2960(config)#aaa accounting commands 13 default start-stop group tacacs+
C2960(config)#tacacs-server host 1.1.1.42 single-connection key xxx
C2960(config)#tacacs-server host 1.1.1.226 single-connection key xxxx

But I cannot log in with a TACACS user or on the console when I configure it.

Can somebody help me fix it?


Your reply would be greatly appreciated.

David

2 Replies

Hello

Do you have SSH enabled on the switch? Make sure you allow SSH!
At present I can see you have created a TACACS server group but you are not calling upon it. Anyway, as you have enabled AAA authorization, the switch won't allow you access until you're authenticated, so append the following and you should gain access, provided you have set up an enable password and created a local user account with privileged access.


aaa authorization exec default group tacacs+ local if-authenticated


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Cristian Matei
VIP Alumni

Hi,

 

So you cannot log in, or you don't get authorised? Even though the provided configuration needs some small fixes, it should still work (get authenticated) as long as the TACACS integration is done correctly (configure the TACACS server correctly, I mean). Look in the logs on the TACACS server; what do they say? Also, here's your fixed config:

 

no aaa group server tacacs+ west263

no aaa authentication login default group tacacs+ enable

aaa authentication login default group tacacs+ local

aaa authorization exec default group tacacs+ local if-authenticated

aaa authorization console

 

For testing purposes, in order to keep access to the device till you sort it out, I would remove all AAA commands except aaa new-model, keep the TACACS server commands, configure the TACACS server appropriately, and afterwards from the switch make use of the "test aaa" feature to confirm that authentication works via the TACACS server. Afterwards I would copy/paste the AAA commands on the device and test again.

 

Regards,

Cristian Matei.
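
As an added example (not part of any post in this thread and not Cisco tooling), the Python check below looks for the three points the replies raise: a TACACS+ server group that no method list references, a login method list without a local fallback, and exec authorization without if-authenticated. The function name lint_aaa is hypothetical, and the sample input is constructed from the configuration in the question.

```python
import re

# Constructed sample: AAA lines pasted from the question, prompts included.
SAMPLE = """\
C2960(config)#aaa new-model
C2960(config)#aaa group server tacacs+ west263
C2960(config-sg-tacacs+)# server 1.1.1.42
C2960(config-sg-tacacs+)# server 1.1.1.226
C2960(config)#aaa authentication login default group tacacs+ enable
C2960(config)#aaa authentication enable default group tacacs+ enable
C2960(config)#aaa authorization exec default group tacacs+ local
C2960(config)#tacacs-server host 1.1.1.42 single-connection key xxx
"""

PROMPT = re.compile(r"^\S+\(config[^)]*\)#\s*")   # e.g. "C2960(config)#"
LOCAL_METHODS = {"local", "local-case"}

def lint_aaa(config):
    """Return one finding per lockout risk discussed in the replies."""
    lines = [PROMPT.sub("", raw.strip()).strip() for raw in config.splitlines()]
    lines = [line for line in lines if line]
    findings = []

    # Server groups that are defined by name ...
    defined = {m.group(1) for line in lines
               if (m := re.match(r"aaa group server tacacs\+ (\S+)$", line))}
    # ... versus the groups that method lists actually reference.
    used = set()
    for line in lines:
        if re.match(r"aaa (authentication|authorization|accounting) ", line):
            used.update(re.findall(r"\bgroup (\S+)", line))
    for name in sorted(defined - used):
        findings.append(f"server group '{name}' is defined but no method list uses it")

    for line in lines:
        words = set(line.split())
        if line.startswith("aaa authentication login ") and not words & LOCAL_METHODS:
            findings.append(f"login list has no local fallback: {line}")
        if line.startswith("aaa authorization exec ") and "if-authenticated" not in words:
            findings.append(f"exec authorization lacks if-authenticated: {line}")
    return findings

if __name__ == "__main__":
    for finding in lint_aaa(SAMPLE):
        print(finding)
```

Run against the configuration from the second reply, the same function returns no findings.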

  
