
console login "session has expired" after TACACS configuration

C. Weber
Level 1

Hi,

maybe a simple thing but I don't find a solution. Can anyone help me?

 

We use a Clearpass for client and switch authentication and everything worked fine, since I tried to bypass the tacacs authentication on the console port on a 3850.

If I try to log in via console, I get the error "Tacacs session has expired.Please re-login to continue." I don't understand why, since I bypass tacacs authentication on the console port. The local user exists but it looks like the switch still tries to authenticate via tacacs.

 

What I configured is:

aaa group server tacacs+ TAC_PLUS
 server name CPPM-LOGIN
!
aaa authentication login default group TAC_PLUS local
aaa authentication login CON0 local
aaa authentication enable default group TAC_PLUS enable
aaa authentication dot1x default group radius
aaa authorization console
aaa authorization config-commands
aaa authorization exec default local group tacacs+
aaa authorization exec CON local
aaa authorization exec VTY group TAC_PLUS local if-authenticated
aaa authorization commands 1 VTY group TAC_PLUS local if-authenticated
aaa authorization commands 15 VTY group TAC_PLUS local if-authenticated
aaa authorization network default group radius
aaa accounting exec default start-stop group TAC_PLUS
aaa accounting commands 1 default start-stop group TAC_PLUS
aaa accounting commands 15 default start-stop group TAC_PLUS

Can anybody help me?

 

Best regards

Christian

 

3 Replies

Seb Rupik
VIP Alumni

Hi there,

What does the config of line con 0 look like?

 

cheers,

Seb.

Sorry, I forgot to post that :-).

 

line con 0
 password 7 ...
 authorization exec CON
 logging synchronous
 login authentication CON0
 stopbits 1

Best regards

Christian

Hi, 

 

Please post the solution if you find success.

 

Thank you. 
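
Added example, not part of the thread and not any poster's or Cisco's code: it resolves which AAA method list each service uses on line con 0 from the two excerpts posted above, applying the IOS rule that a line with no named list for a service uses the list called default. The function and variable names are hypothetical, and the embedded configuration is copied from the posts with the lines that do not define or apply a per-line method list left out.

```python
import re

# Constructed from the two excerpts posted in this thread (method-list lines only).
AAA_CONFIG = """\
aaa authentication login default group TAC_PLUS local
aaa authentication login CON0 local
aaa authorization exec default local group tacacs+
aaa authorization exec CON local
aaa authorization exec VTY group TAC_PLUS local if-authenticated
aaa authorization commands 1 VTY group TAC_PLUS local if-authenticated
aaa authorization commands 15 VTY group TAC_PLUS local if-authenticated
aaa accounting exec default start-stop group TAC_PLUS
aaa accounting commands 1 default start-stop group TAC_PLUS
aaa accounting commands 15 default start-stop group TAC_PLUS
"""
LINE_CONFIG = """\
line con 0
 authorization exec CON
 logging synchronous
 login authentication CON0
 stopbits 1
"""
AAA_RE = re.compile(r"^aaa (authentication|authorization|accounting) "
                    r"(login|exec|commands \d+) (\S+) (.+)$")

def effective(aaa_text, line_text):
    """Return {(kind, service): (list name used on the line, its methods)}."""
    lists, applied = {}, {}
    for line in aaa_text.splitlines():          # global method-list definitions
        m = AAA_RE.match(line.strip())
        if m:
            kind, service, name, methods = m.groups()
            lists.setdefault((kind, service), {})[name] = methods
    for line in line_text.splitlines():         # lists applied under the line
        words = line.split()
        if words[:2] == ["login", "authentication"]:
            applied[("authentication", "login")] = words[2]
        elif words and words[0] in ("authorization", "accounting"):
            applied[(words[0], " ".join(words[1:-1]))] = words[-1]
    result = {}
    for key, named in lists.items():
        name = applied.get(key, "default")      # no named list -> "default"
        # "<not defined>": the configuration has no list with that name
        result[key] = (name, named.get(name, "<not defined>"))
    return result

if __name__ == "__main__":
    for (kind, service), (name, methods) in effective(AAA_CONFIG, LINE_CONFIG).items():
        print(f"con 0 {kind} {service}: list {name} -> {methods}")
```

For the posted configuration, login authentication and exec authorization on the console resolve to the local-only lists CON0 and CON, while exec and command accounting resolve to the default lists, which point at group TAC_PLUS.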
