Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
971
Views
0
Helpful
5
Replies

Cisco Catalyst 9500 does not accept TACACS+ configuration

lnw-team
Level 1
Level 1

‎10-15-2024 11:15 PM

Hello, 

we are currently in the process of migrating to the new Cisco ISE appliance. As part of the process, we change TACACS+ configuration on all our devices. During migration we’ve encountered problem with our Cisco Catalyst C9500 core switch, which does not save new TACACS+ configuration. Although the commands are executed correctly, they are not part of running configuration (TACACS+ server group). For the time being, the only way to access device is with local credentials. Authentication against TACACS+ server (Cisco ISE) does not work. 

When we try to add the following commands, they are executed but they are not part of running configuration. 

aaa group server tacacs+ TACACS
server name AAAAA
server name BBBBB
server name CCCCC
server name DDDDD

All servers are configured and are part of a running/startup configuration. 

 

Labels:
0 Helpful
5 Replies 5

Mark Elsen
Hall of Fame
Hall of Fame

‎10-15-2024 11:27 PM

 

 - Review the complete setup according to https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9500/software/release/16-11/configuration_guide/sec/b_1611_sec_9500_cg/configuring_tacacs_.html
    Check logs  on the 9500 after commands entered  (look for errors , if any)

 M.



-- Let everything happen to you  
       Beauty and terror
      Just keep going    
       No feeling is final
Reiner Maria Rilke (1899)
0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame

‎10-15-2024 11:39 PM

what is the IOS XE code running here ? 

I use below commands all the time for IOS XE device and works as expected : (May be try different name than TACACS - see that make any difference - not that i expect that is wrong in case).

aaa new-model

tacacs server ISENODE1
address ipv4 10.10.10.10
key xxxxxx

tacacs server ISENODE2
address ipv4 20.20.20.20
key yyyyyy

aaa group server tacacs+ ISENODEGROUP
server name ISENODE1
server name ISENODE2

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

DanielP211
VIP Alumni
VIP Alumni

‎10-16-2024 12:16 AM

Hello!

I belive you havent defined the server name AAAAA tacacs server?

You have to configure first for all servers:

tacacs server AAAAA
address ipv4 X.X.X.X
key xyz

 

BR

 

****Kindly rate all useful posts*****
0 Helpful

lnw-team
Level 1
Level 1
In response to DanielP211

‎10-16-2024 12:59 AM

They are definied. 

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to lnw-team

‎10-16-2024 09:24 AM

if you are defined, can you post show run | in tacacs or show run all | in tacacs ( also asked before what is IOS XE code running in the Cat 9500 ?)

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful
Customers Also Viewed These Support Documents