03-31-2020 08:00 PM - edited 03-31-2020 08:03 PM
Hello,
I'm trying to use the TACACS server. The configuration is below:
C2960(config)#aaa new-model
C2960(config)#aaa group server tacacs+ west263
C2960(config-sg-tacacs+)# server 1.1.1.42
C2960(config-sg-tacacs+)# server 1.1.1.226
C2960(config-sg-tacacs+)#server 1.1.1.42
C2960(config-sg-tacacs+)#exi
C2960(config)#aaa authentication login default group tacacs+ enable
C2960(config)#aaa authentication enable default group tacacs+ enable
C2960(config)#aaa authorization exec default group tacacs+ local
C2960(config)#aaa authorization commands 13 default group tacacs+ local
C2960(config)#aaa authorization commands 14 default group tacacs+ local
C2960(config)#aaa authorization commands 15 default group tacacs+ local
C2960(config)#aaa accounting exec default start-stop group tacacs+
C2960(config)#aaa accounting commands 15 default start-stop group tacacs+
C2960(config)#aaa accounting commands 14 default start-stop group tacacs+
C2960(config)#aaa accounting commands 13 default start-stop group tacacs+
C2960(config)#tacacs-server host 1.1.1.42 single-connection key xxx
C2960(config)#tacacs-server host 1.1.1.226 single-connection key xxxx
But I cannot log in with a TACACS user or via the console when I configure it.
Can somebody help me fix it?
Your reply would be greatly appreciated.
David
04-01-2020 01:44 AM - edited 04-01-2020 01:51 AM
Hello
Do you have SSH enabled on the switch? Make sure you allow SSH!
At present I can see you have created a TACACS server group but you are not calling upon it. Anyway, as you have enabled AAA authorization, the switch won't allow you access until you're authenticated, so append the following and you should gain access, providing you have set up an enable password and created a local user account with privilege access.
aaa authorization exec default group tacacs+ local if-authenticated
04-01-2020 01:57 AM
Hi,
So you cannot log in, or you don't get authorised? Even though the provided configuration needs some small fixes, it should still work (get authenticated) as long as the TACACS integration is done correctly (configure the TACACS server correctly, I mean). Look in the logs on the TACACS server; what do they say? Also, here's your fixed config:
no aaa group server tacacs+ west263
no aaa authentication login default group tacacs+ enable
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization console
For testing purposes, in order to keep access to the device till you sort it out, I would remove all AAA commands except aaa new-model, keep the TACACS server commands, configure the TACACS server appropriately, and afterwards from the switch make use of the "test aaa" feature to confirm that authentication works via the TACACS server. Afterwards I would copy/paste the AAA commands on the device and test again.
Regards,
Cristian Matei.
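An added example (not part of the thread and not Cisco tooling): a small Python check that applies the points raised in the two replies to a pasted AAA config before it goes on the switch. The function name, the finding texts and the two sample strings are constructed for illustration; the config lines themselves are copied from the posts above with the CLI prompts stripped.

```python
import re

# Constructed samples: AAA lines from the question and from the second reply,
# with the CLI prompts stripped.
QUESTION_CONFIG = """\
aaa new-model
aaa group server tacacs+ west263
 server 1.1.1.42
 server 1.1.1.226
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
"""
REPLY_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization console
"""

def lint_aaa(config):
    """Return a list of findings (hypothetical helper, not a Cisco tool)."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    # 1. Server groups that are defined but never named in a method list.
    groups = [m.group(1) for l in lines
              if (m := re.match(r"aaa group server tacacs\+ (\S+)$", l))]
    for name in groups:
        if not any(re.search(rf"\bgroup {re.escape(name)}(\s|$)", l) for l in lines):
            findings.append(f"server group {name} is defined but never used")
    for l in lines:
        m = re.match(r"aaa (authentication login|authorization exec) (\S+) (.+)$", l)
        if not m:
            continue
        kind, name, methods = m.group(1), m.group(2), m.group(3).split()
        # 2. A remote group with no local method behind it.
        if "group" in methods and "local" not in methods:
            findings.append(f"{kind} {name}: no local method after the group")
        # 3. Exec authorization without if-authenticated.
        if kind == "authorization exec" and "if-authenticated" not in methods:
            findings.append(f"{kind} {name}: if-authenticated is missing")
    return findings

if __name__ == "__main__":
    for label, cfg in (("question", QUESTION_CONFIG), ("reply", REPLY_CONFIG)):
        print(label, lint_aaa(cfg) or "no findings")
```

A clean result only means the method lists match what the replies recommend; the local user, the enable password and the TACACS server itself still have to be confirmed on the device.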