% error in authentication

Hoyt Page
Level 1

Hello,

I am having issues when I put in my aaa. I get % error in authentication

aaa group server tacacs+ default
aaa authentication attempts login 5
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+
aaa authentication dot1x default group radius group CPPM
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+

If I tweak it, I can get either local auth to work or tacacs to work but never together... What am I missing?

Thank you!


balaji.bandi
Hall of Fame

Local authentication only works when the TACACS fails, as per the configuration.

If you want to test, change the key on the TACACS server; then you can see local authentication working.

It is a failover config; both do not work at the same time.

BB


Thank you for the response.

When I have my aaa config on the switch and lose connectivity, local auth does not work. That is how I get the error. My config works great when I have connectivity with aaa. I lost my master in my stack and tried to auth locally to change the master and ended up ignoring the boot config to bypass auth and then restoring the config.

Thank you!

 

Just to clarify: are we looking for device administration using TACACS and, if that fails, local authentication, right?

Here is the working config:

aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization network default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
!
!
tacacs-server host X.X.X.X
tacacs-server key xxx

BB


Hello,

In addition to Balaji's remarks, what switch model do you have, and what IOS version are you running? Always worth checking for bugs...

Also, post the full running config. I assume you have a local user configured?
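
An added example, not written by any poster in this thread: a small Python check that reports which `aaa authentication` and `aaa authorization` method lists name only server groups, so nothing in the list can answer when the TACACS+/RADIUS servers are unreachable. The set of server-independent method keywords and the function names are assumptions of the example; the sample input is the first post's lines.

```python
# Added example. Keywords assumed to need no reachable TACACS+/RADIUS server:
LOCAL_METHODS = {"local", "local-case", "enable", "line", "none", "if-authenticated"}

# Constructed sample input: the aaa lines from the first post in this thread.
SAMPLE = """\
aaa authentication attempts login 5
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+
aaa authentication dot1x default group radius group CPPM
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization network default group radius
"""

def parse_methods(tokens):
    """['group', 'tacacs+', 'local'] -> ['group tacacs+', 'local']; None if not a method list."""
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append("group " + tokens[i + 1])
            i += 2
        elif tokens[i] in LOCAL_METHODS:
            methods.append(tokens[i])
            i += 1
        else:
            return None  # e.g. 'aaa authentication attempts login 5'
    return methods or None

def lists_without_fallback(config):
    """Return the method lists whose every method is a server group."""
    findings = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "aaa" or t[1] not in ("authentication", "authorization"):
            continue
        head = 4 if t[2] == "commands" else 3  # 'commands' has a level before the list name
        methods = parse_methods(t[head + 1:])
        if methods and not any(m in LOCAL_METHODS for m in methods):
            findings.append(" ".join(t[1:head + 1]))
    return findings

if __name__ == "__main__":
    for name in lists_without_fallback(SAMPLE):
        print("no fallback method:", name)
```

On the first post's lines it reports the `enable`, `dot1x` and `network` default lists; the `login` list is not reported because it has `local` after the server group.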
