06-11-2020 07:52 AM
Just had new 9300 installed, upgraded to cat9k_iosxe.16.12.03a.SPA.bin.
Issue is our standard TACACS config didn't work
We have 3 TACACS+ on ISE on different sites, so each switch is configured to be able to connect to all 3.
Issue is, with this new code, I can't seem to create a group for it; have tried different combinations, finally got it to work with 1 ISE.
We have other 9300s, running Fuji and Everest, no issues, just seems to be the new Gibraltar.
When you create a server it will only allow 1 server; if I try to create an aaa tacacs group, it only allows 1 server.
Nothing in the caveats, or do you have to pay extra now to have more than 1 TACACS server option?
06-14-2020 01:43 PM - edited 06-14-2020 02:07 PM
Hello
Try:
06-17-2020 04:12 AM
Hi Paul
Thanks for your replies, very helpful, tried them all.
Finally got there; it didn't take the server via IP in the group, not till I added the server name.
aaa group server tacacs+ ISE_Group
server name server1
server name server2
server name server3
!
aaa authentication fail-message ^CCCCCC_______Failed login in via ISE. Try again.^C
aaa authentication login default group ISE_Group local
aaa authentication enable default group ISE_Group enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group ISE_Group local
aaa authorization commands 0 default group ISE_Group local
aaa authorization commands 1 default group ISE_Group local
aaa authorization commands 15 default group ISE_Group local
aaa accounting exec default start-stop group ISE_Group
aaa accounting commands 0 default start-stop group ISE_Group
aaa accounting commands 1 default start-stop group ISE_Group
aaa accounting commands 15 default start-stop group ISE_Group
aaa accounting connection default start-stop group ISE_Group
tacacs-server directed-request
tacacs server server1
 address ipv4
 key 7
tacacs server server2
 address ipv4
 key 7
tacacs server server3
 address ipv4
 key 7
01-07-2021 12:02 AM
Hi
I have almost the same issue after upgrading a 2960 switch to a C9200.
Switch Ports Model SW Version SW Image Mode
------ ----- ----- ---------- ---------- ----
* 1 32 C9200-24P 16.12.3a CAT9K_LITE_IOSXE INSTALL
***Switch Config***
!
aaa new-model
!
!
aaa group server tacacs+ ME_TACACS
 server "IP address"
 ip tacacs source-interface Vlan10
!
aaa group server radius ISE
 server name ISE1
 server name ISE2
!
aaa authentication login default group ME_TACACS local
aaa authentication login NOAUTH none
aaa authentication enable default group ME_TACACS enable
aaa authentication dot1x default group radius
aaa authorization config-commands
aaa authorization exec default group ME_TACACS local if-authenticated
aaa authorization commands 1 default group ME_TACACS if-authenticated
aaa authorization commands 15 default group ME_TACACS if-authenticated
aaa authorization network default group radius
aaa authorization network auth-list group radius
aaa authorization auth-proxy default group radius
aaa accounting update periodic 2440
aaa accounting auth-proxy default start-stop group radius
aaa accounting dot1x default start-stop group radius
aaa accounting exec default start-stop group ME_TACACS
aaa accounting commands 1 default start-stop group ME_TACACS
aaa accounting commands 15 default start-stop group ME_TACACS
aaa accounting system default start-stop group radius
!
tacacs-server key 7
!
radius server ISE1
 key 7
!
radius server ISE2
 key 7
!
username efellows privilege 15 secret 9
!
***Switch login attempts:***
Keyboard-interactive authentication prompts from server:
| Password:
End of keyboard-interactive prompts from server
Access denied
Keyboard-interactive authentication prompts from server:
| Password:
***Edit switch config***
(config)#No aaa authentication login default group ME_TACACS local
***Disable TACACS in ISE*** uncheck the radio button TACACS AUTHENTICATION SETTINGS
!
Attempt local login success
Version 16.12 has no problem using the default config above;
local and net accounts work just fine.
What am I missing?
04-08-2021 12:59 AM
The same problem with tacacs after upgrade from cat9k_lite_iosxe.16.09.05.SPA.bin to cat9k_lite_iosxe.16.12.04.SPA.bin on Cisco C9200L-48T-4X.
old config:
tacacs-server host 172.20.20.20 key 7 90569033445879373985736
new config:
tacacs server ACS
 address ipv4 172.20.20.20
 key 7 90569033445879373985736
Now everything works!
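The two configs above (the 06-17-2020 working config and this old-vs-new pair) share one pattern: on 16.12 the group must reference `server name` entries that each have a matching `tacacs server <name>` block, and the legacy `tacacs-server host` line no longer carries the servers. The following is an added example, not code from the thread or from Cisco, that audits a saved IOS-XE config for exactly those conditions before an upgrade; the sample configs, IPs and key values are constructed placeholders.

```python
import re

# Constructed sample (not from the thread): legacy style that the posters
# report stops working after the 16.12 upgrade: IP-based group member plus
# the deprecated 'tacacs-server host' line. Key value is a placeholder.
LEGACY_CFG = """\
aaa new-model
aaa group server tacacs+ ME_TACACS
 server 172.20.20.20
 ip tacacs source-interface Vlan10
aaa authentication login default group ME_TACACS local
tacacs-server host 172.20.20.20 key 7 PLACEHOLDERKEY
"""
# Constructed sample: the named-server style the thread reports as working.
MODERN_CFG = """\
aaa group server tacacs+ ISE_Group
 server name server1
 server name server2
aaa authentication login default group ISE_Group local
tacacs server server1
 address ipv4 192.0.2.11
 key 7 PLACEHOLDERKEY
tacacs server server2
 address ipv4 192.0.2.12
 key 7 PLACEHOLDERKEY
"""

def audit_tacacs(cfg: str) -> list[str]:
    """Return findings about TACACS+ server definitions in an IOS-XE config."""
    findings = []
    defined = set(re.findall(r"^tacacs server (\S+)", cfg, re.M))
    for m in re.finditer(r"^tacacs-server host (\S+)", cfg, re.M):
        findings.append(f"legacy 'tacacs-server host {m.group(1)}'; use 'tacacs server <name>'")
    # Each group block is the header line plus the indented lines under it.
    for gm in re.finditer(r"^aaa group server tacacs\+ (\S+)\n((?: .*\n)*)", cfg, re.M):
        group, body = gm.group(1), gm.group(2)
        members = 0
        for line in (l.strip() for l in body.splitlines()):
            if line.startswith("server name "):
                members += 1
                name = line.split()[2]
                if name not in defined:
                    findings.append(f"group {group}: '{line}' has no matching 'tacacs server {name}'")
            elif line.startswith("server "):  # bare IP member, deprecated form
                members += 1
                findings.append(f"group {group}: IP member '{line}' is deprecated; use 'server name'")
        if members < 2:
            findings.append(f"group {group}: {members} member(s), no failover between servers")
    return findings
```

Run against the legacy sample it reports the host line, the IP-based member and the single-member group; the named-server sample produces no findings.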