Cisco IOS XE Gibraltar 16.12.3a & TACACS

craiglebutt
Level 4

Just had a new 9300 installed, upgraded to cat9k_iosxe.16.12.03a.SPA.bin.

Issue is our standard TACACS config didn't work.

We have 3 TACACS+ on ISE on different sites, so each switch is configured to be able to connect to all 3.

Issue is, with this new code I can't seem to create a group for it; have tried different combinations, finally got it to work with 1 ISE.

We have other 9300s, running Fuji and Everest, no issues, just seems to be the new Gibraltar.

When you create a server it will only allow 1 server; if you try to create an aaa tacacs group, it only allows 1 server.

Nothing in the caveats, or do you have to pay extra now to have more than 1 TACACS server option?

4 Replies

Hello

Try:

tacacs server host1
address ipv4 x.x.x.x

tacacs server host2
address ipv4 x.x.x.x


aaa group server tacacs+ TACACS_SERVERS
server host1
server host2

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi Paul

Thanks for your replies, very helpful, tried them all.

Finally got there; it didn't take the server via IP in the group, not till I added the server name.


aaa group server tacacs+ ISE_Group
server name server1
server name server2
server name server3
!
aaa authentication fail-message ^CCCCCC_______Failed login in via ISE. Try again.^C
aaa authentication login default group ISE_Group local
aaa authentication enable default group ISE_Group enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group ISE_Group local
aaa authorization commands 0 default group ISE_Group local
aaa authorization commands 1 default group ISE_Group local
aaa authorization commands 15 default group ISE_Group local
aaa accounting exec default start-stop group ISE_Group
aaa accounting commands 0 default start-stop group ISE_Group
aaa accounting commands 1 default start-stop group ISE_Group
aaa accounting commands 15 default start-stop group ISE_Group
aaa accounting connection default start-stop group ISE_Group

tacacs-server directed-request
tacacs server server1
address ipv4
key 7
tacacs server server2
address ipv4
key 7
tacacs server server3
address ipv4
key 7

Hi
I have almost the same issue after upgrading a 2960 switch with a C9200.

Switch Ports Model SW Version SW Image Mode
------ ----- ----- ---------- ---------- ----
* 1 32 C9200-24P 16.12.3a CAT9K_LITE_IOSXE INSTALL


***Switch Config***
!
aaa new-model
!
!
aaa group server tacacs+ ME_TACACS
server "IP address"
ip tacacs source-interface Vlan10
!
aaa group server radius ISE
server name ISE1
server name ISE2
!
aaa authentication login default group ME_TACACS local
aaa authentication login NOAUTH none
aaa authentication enable default group ME_TACACS enable
aaa authentication dot1x default group radius
aaa authorization config-commands
aaa authorization exec default group ME_TACACS local if-authenticated
aaa authorization commands 1 default group ME_TACACS if-authenticated
aaa authorization commands 15 default group ME_TACACS if-authenticated
aaa authorization network default group radius
aaa authorization network auth-list group radius
aaa authorization auth-proxy default group radius
aaa accounting update periodic 2440
aaa accounting auth-proxy default start-stop group radius
aaa accounting dot1x default start-stop group radius
aaa accounting exec default start-stop group ME_TACACS
aaa accounting commands 1 default start-stop group ME_TACACS
aaa accounting commands 15 default start-stop group ME_TACACS
aaa accounting system default start-stop group radius
!
tacacs-server key 7
!
radius server ISE1
key 7
!
radius server ISE2
key 7
!
username efellows privilege 15 secret 9
!
***Switch login attempts:***

Keyboard-interactive authentication prompts from server:
| Password:
End of keyboard-interactive prompts from server
Access denied
Keyboard-interactive authentication prompts from server:
| Password:

***Edit switch config***
(config)#No aaa authentication login default group ME_TACACS local
***Disable TACACS in ISE*** uncheck the radio button TACACS AUTHENTICATION SETTINGS
!
Attempt local login success


Version 16.12 has no problem using the default config above; local and net accounts work just fine.

What am I missing ?

The same problem with tacacs after upgrade from cat9k_lite_iosxe.16.09.05.SPA.bin to cat9k_lite_iosxe.16.12.04.SPA.bin on Cisco C9200L-48T-4X.

old config:
tacacs-server host 172.20.20.20 key 7 90569033445879373985736

new config:
tacacs server ACS
address ipv4 172.20.20.20
key 7 90569033445879373985736

Now everything works!
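A small config audit, added here as an example (not code from any reply above or from Cisco), that checks an IOS XE running config for the two patterns this thread ran into: a TACACS+ group still using the `server <ip>` form or a global `tacacs-server host` line instead of `server name <name>` backed by a `tacacs server <name>` block, plus group members whose name has no matching block. The sample configs, group names and 192.0.2.x addresses are constructed for the example.

```python
import re

# Constructed sample configs (not from a real device): the Gibraltar-style
# form that worked in the thread, and the legacy forms that did not.
WORKING_CFG = """
aaa group server tacacs+ ISE_Group
 server name server1
 server name server2
!
tacacs server server1
 address ipv4 192.0.2.10
tacacs server server2
 address ipv4 192.0.2.11
"""

LEGACY_CFG = """
aaa group server tacacs+ ME_TACACS
 server 192.0.2.10
 ip tacacs source-interface Vlan10
!
tacacs-server host 192.0.2.20 key 7 PLACEHOLDER_KEY
aaa group server tacacs+ TYPO_Group
 server name serverX
"""

SERVER_DEF = re.compile(r"^tacacs server (\S+)")
GROUP_HDR = re.compile(r"^aaa group server tacacs\+ (\S+)")


def audit_tacacs_groups(config: str) -> list:
    """Return findings for TACACS+ group entries that will not bind to a server."""
    lines = [ln.rstrip() for ln in config.splitlines()]
    # Pass 1: names introduced by 'tacacs server <name>' blocks (may come after the group).
    defined = {m.group(1) for ln in lines if (m := SERVER_DEF.match(ln))}
    findings, group, members = [], None, 0
    for ln in lines + ["!"]:  # trailing '!' acts as a sentinel that closes the last group
        text = ln.strip()
        if group and text.startswith(("server ", "ip ")):  # still inside the group block
            if text.startswith("server "):
                members += 1
                parts = text.split()
                if parts[1] == "name" and len(parts) > 2:
                    if parts[2] not in defined:
                        findings.append(f"{group}: 'server name {parts[2]}' has no matching 'tacacs server {parts[2]}' block")
                else:
                    findings.append(f"{group}: legacy 'server {parts[1]}' form; use 'server name <name>' plus a 'tacacs server <name>' block")
            continue
        if group and members == 0:
            findings.append(f"{group}: group defines no servers")
        group, members = None, 0
        if text.startswith("tacacs-server host "):
            findings.append("global 'tacacs-server host' is the pre-16.x form; migrate to 'tacacs server <name>' with 'address ipv4'")
        elif (m := GROUP_HDR.match(ln)):
            group = m.group(1)
    return findings
```

Run it against `show running-config` output before an upgrade; an empty result means every group member resolves to a named server block, so authentication will not fall through to the `local` method unnoticed.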
