ERROR WHEN ADDING TACACS AAA TO SWITCH

isaaco001
Level 3

Dear support,

What's the sequence or technique for adding TACACS AAA commands to a switch that is already added to ISE? Whenever I add the following commands, I get locked out of the configuration, with the console saying "command not authorized".

!
aaa authentication login default group HQ-NWK-GROUP local enable
aaa authentication login console group HQ-NWK-GROUP local enable
aaa authentication enable default group HQ-NWK-GROUP enable
aaa authentication dot1x default group HQ-RAD-GROUP
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group HQ-NWK-GROUP local if-authenticated
aaa authorization commands 0 default group HQ-NWK-GROUP local if-authenticated
aaa authorization commands 1 default group HQ-NWK-GROUP local if-authenticated
aaa authorization commands 7 default group HQ-NWK-GROUP local if-authenticated
aaa authorization commands 15 default group HQ-NWK-GROUP local if-authenticated
aaa authorization network default group HQ-RAD-GROUP
aaa authorization network auth-list group HQ-RAD-GROUP
aaa accounting update newinfo periodic 2880
aaa accounting identity default start-stop group HQ-RAD-GROUP
aaa accounting exec default start-stop group HQ-NWK-GROUP
aaa accounting commands 0 default start-stop group HQ-NWK-GROUP
aaa accounting commands 1 default start-stop group HQ-NWK-GROUP
!


Regards,

Isaac.

6 Replies

balaji.bandi
Hall of Fame

Do you have a group that contains the ISE server information?

HQ-NWK-GROUP

What device is this? What IOS code is it running?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

BB,

Thanks for your response!

The device is a Cisco 9300 switch running IOS-XE, and there is a group that contains the ISE information.

My question really is generic in nature. The commands above just show the AAA commands to add. Normally I run into problems when I copy all the AAA commands to the console; I end up getting locked out with "command not authorized", but I don't understand why.

Regards,

Isaac.

We need more information. Just adding a device into ISE is not enough; you need to have a user with authorized commands for that user, like admin / read-only access with the respective privileges.

I would not advise the console to use RADIUS authentication in general (the console should always be available with a local account in case of a RADIUS connectivity issue, even though you fall back from RADIUS to local). In this situation I would remove the command below and test it.

I would remove this line and try:

no aaa authentication login console group HQ-NWK-GROUP local enable

Once you are locked out, how are you recovering? Rebooting the device to get access back with the local account?

Always starting with basic features and gradually building the AAA config is advised.

BB


Hello


"What's the sequence or technique for adding TACACS AAA commands to a switch already added to ISE?"

What exactly are you trying to achieve by adding additional TACACS?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

The original poster tells us "I run into problems when I copy all AAA commands to the console... I end up getting locked out with 'command not authorized' but I don't understand why". In my experience there are two possible explanations:

1) there is some error in the syntax of the commands (less likely to be the case)

2) the user ID that you are using to access the switch/router is not correctly configured in TACACS to execute the commands that you are attempting (more likely to be the case)

I would suggest these steps for investigating the issue:

- access the switch/router, perhaps via console or by ssh/telnet

- verify that logging for that session is enabled at the debugging level

- do what you need to do to see logging messages in that session (terminal monitor, etc.)

- run debug aaa authorization

- make sure that this session remains active (be careful about inactivity timeouts)

- access the switch/router and establish a new session

- attempt some commands in the new session

- post the debug output from the first session

HTH

Rick
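The following is an added example, not posted by anyone in this thread, that puts the two pieces of advice above (build the AAA config up gradually with a local safety net; verify from a second session while a debug runs in the first) into one ordered sequence for an IOS-XE switch. The server name ise-1, its address 10.0.0.10, the shared secret, the local user and the TACACS user are all placeholders; the group name HQ-NWK-GROUP is the one from the original post. The safety mechanism is the configuration rollback timer that IOS-XE provides once archive is configured: if the command-authorization lines lock the session out, the running config reverts on its own when the timer expires, so no reboot is needed. Note that the local and if-authenticated fallbacks in a method list are only consulted when the TACACS server group is unreachable; an explicit deny returned by ISE is final and shows up exactly as "command not authorized", which is why the ISE shell profile and command set must be right before the commands authorization lines go in.

```cisco
! --- Added example: staged TACACS+ AAA rollout on IOS-XE with automatic rollback ---
! Placeholders: ise-1, 10.0.0.10, SharedSecret, breakglass/ChangeMeNow, netadmin/NetAdminPass.

! 1. Local safety net first: a privilege-15 local user and a local enable secret.
username breakglass privilege 15 secret ChangeMeNow
enable secret ChangeMeToo

! 2. Define the TACACS+ server and the group, then prove reachability
!    before any authentication or authorization line references the group.
aaa new-model
tacacs server ise-1
 address ipv4 10.0.0.10
 key SharedSecret
aaa group server tacacs+ HQ-NWK-GROUP
 server name ise-1

! exec>  test aaa group HQ-NWK-GROUP netadmin NetAdminPass new-code
!        expect "User successfully authenticated"; stop here if it fails.

! 3. Enable the config archive so the rollback timer is available,
!    then open a timed configuration session for everything that follows.
archive
 path flash:aaa-rollback
 maximum 5

! exec>  configure terminal revert timer 10
!        everything entered from here is discarded after 10 minutes
!        unless "configure confirm" is issued from a working session.

! 4. Authentication with local fallback. The console gets its own
!    local-only list so a TACACS outage or a bad command set never
!    costs you the serial port.
aaa authentication login default group HQ-NWK-GROUP local
aaa authentication login CONSOLE local
aaa authentication enable default group HQ-NWK-GROUP enable
line con 0
 login authentication CONSOLE

! 5. Exec authorization first. Verify from a SECOND ssh session that the
!    TACACS user lands in privilege 15 before touching command authorization.
aaa authorization exec default group HQ-NWK-GROUP local if-authenticated

! exec (first session)>  terminal monitor
! exec (first session)>  debug aaa authorization
! exec (second session)> ssh in as netadmin, run "show privilege"; expect 15.

! 6. Command authorization last, only after ISE returns a command set that
!    permits the commands this user needs. "aaa authorization console" is
!    deliberately left out so the console line stays exempt.
aaa authorization config-commands
aaa authorization commands 15 default group HQ-NWK-GROUP local if-authenticated
aaa accounting exec default start-stop group HQ-NWK-GROUP
aaa accounting commands 15 default start-stop group HQ-NWK-GROUP

! exec (second session)> run "show running-config" and "configure terminal";
!        if either returns "command not authorized", read the debug output in
!        the first session (it names the denied command and the server reply)
!        and let the timer revert the change, or force it now:
! exec>  configure revert now
!
! 7. Only when the second session works end to end, make the change permanent:
! exec>  configure confirm
! exec>  write memory
```

If the switch is reachable only over the network, keep the first session (the one running the debug) logged in for the whole procedure: once command authorization is in place, that session's own commands are authorized too, so the debug output you need is produced before you lose the ability to type anything else.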