
Problem with access after add a catalyst 9200 to Meraki Dashboard

P4n0r4m1x
Level 1

Hello,

After onboarding a switch in the Meraki cloud, we lost access via SSH with TACACS. The switch lets me log in, but the first thing it shows is "% Authorization failed." If I disable TACACS, I can log in with a local password and work normally.

I think the issue is in the vty line configuration. It now looks like this:

line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 privilege level 15
 authorization commands 0 AAA
 authorization commands 1 AAA
 authorization commands 15 AAA
 logging synchronous
 login authentication AAA
 length 0
 transport input ssh
line vty 5 15
 privilege level 15
 authorization commands 0 AAA
 authorization commands 1 AAA
 authorization commands 15 AAA
 login authentication AAA
 transport input ssh
line vty 16 19
 access-class MERAKI_VTY_IN in
 access-class MERAKI_VTY_OUT out
 authorization exec MERAKI
 login authentication MERAKI
 rotary 50
 transport input ssh

The last block was added by Meraki's onboarding script, and I think that is where we made the mistake. But I'm not sure how to fix it.

I could run "default line vty 16 19", but what configuration should it have? Another line vty 5 15?

The aaa config:

sh ru | section aaa
aaa new-model
aaa group server tacacs+ NAC_GROUP
 server name NAC1
 server name NAC2
aaa authentication attempts login 10
aaa authentication login default local
aaa authentication login AAA group NAC_GROUP local
aaa authentication login MERAKI local
aaa authentication enable default group NAC_GROUP enable
aaa authorization config-commands
aaa authorization exec default local
aaa authorization exec AAA group NAC_GROUP local
aaa authorization exec MERAKI local
aaa authorization commands 0 AAA group NAC_GROUP local
aaa authorization commands 1 AAA group NAC_GROUP local
aaa authorization commands 15 AAA group NAC_GROUP local
aaa accounting exec default start-stop group NAC_GROUP
aaa accounting commands 1 default start-stop group NAC_GROUP
aaa accounting commands 15 default start-stop group NAC_GROUP
aaa session-id common

And the tacacs+:

sh ru | section tacac
aaa group server tacacs+ NAC_GROUP
 server name NAC1
 server name NAC2
ip tacacs source-interface Vlan100
tacacs-server directed-request
tacacs server NAC1
 address ipv4 101.101.101.1
 key 7 0000000000000000000
tacacs server NAC2
 address ipv4 101.101.101.2
 key 7 0000000000000000000

Thanks in advance.

15 Replies

P4n0r4m1x
Level 1

Hi guys,

After a couple of reviews, it's now working. The configs are:

aaa group server tacacs+ NAC_GROUP
 server name NAC01
 server name NAC02
ip tacacs source-interface Vlan100
tacacs server NAC01
 address ipv4 10.101.101.1
 key 7 **********
tacacs server NAC02
 address ipv4 10.101.101.2
 key 7 ************

AAA:

aaa new-model
aaa group server tacacs+ NAC_GROUP
 server name NAC01
 server name NAC02
aaa authentication attempts login 10
aaa authentication login default local
aaa authentication login AAA group NAC_GROUP local
aaa authentication login MERAKI local
aaa authentication enable default group NAC_GROUP enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default local
aaa authorization exec AAA group NAC_GROUP local
aaa authorization exec MERAKI local
aaa authorization commands 0 AAA group NAC_GROUP local
aaa authorization commands 1 AAA group NAC_GROUP local
aaa authorization commands 15 AAA group NAC_GROUP local
aaa accounting exec default start-stop group NAC_GROUP
aaa accounting commands 1 default start-stop group NAC_GROUP
aaa accounting commands 15 default start-stop group NAC_GROUP
aaa session-id common

Lines:

line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 privilege level 15
 authorization commands 0 AAA
 authorization commands 1 AAA
 authorization commands 15 AAA
 authorization exec MERAKI
 logging synchronous
 login authentication AAA
 length 0
 transport input ssh
line vty 5 15
 privilege level 15
 authorization commands 0 AAA
 authorization commands 1 AAA
 authorization commands 15 AAA
 login authentication AAA
 transport input ssh
line vty 16 19
 access-class MERAKI_VTY_IN in
 access-class MERAKI_VTY_OUT out
 authorization exec MERAKI
 login authentication MERAKI
 rotary 50
 transport input ssh

I hope it helps!!!

Thanks a lot!!!
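
The following is an added example, not code from either post: a Python check that resolves which login and exec-authorization method list each vty range in the question's configuration actually uses. It relies on the IOS rule that a line with no explicit binding uses the list named `default`; the function names and the trimmed `CONFIG` sample are constructed here.

```python
import re

# Constructed sample: AAA and vty excerpts trimmed from the question's config.
CONFIG = """\
aaa authentication login default local
aaa authentication login AAA group NAC_GROUP local
aaa authentication login MERAKI local
aaa authorization exec default local
aaa authorization exec AAA group NAC_GROUP local
aaa authorization exec MERAKI local
line vty 0 4
 login authentication AAA
line vty 5 15
 login authentication AAA
line vty 16 19
 authorization exec MERAKI
 login authentication MERAKI
"""

# Global: aaa <authentication login | authorization exec> <list name> <methods>
DEFINE = re.compile(r"^aaa (?:authentication (login)|authorization (exec)) (\S+) (.+)$")
# Per line: the sub-command that binds a named list to a vty range.
BIND = re.compile(r"^(?:(login) authentication|authorization (exec)) (\S+)$")

def effective_methods(config):
    """Return {vty range: {function: (list name, methods or None)}}."""
    lists, bound, current = {}, {}, None
    for text in map(str.strip, config.splitlines()):
        if m := DEFINE.match(text):
            lists[(m[1] or m[2], m[3])] = m[4]
        elif text.startswith("line "):
            current = text[5:] if text.startswith("line vty") else None
            if current:
                bound[current] = {}
        elif current and (m := BIND.match(text)):
            bound[current][m[1] or m[2]] = m[3]
    # Assumption stated in the lead-in: an unbound function uses list "default".
    return {vty: {f: (b.get(f, "default"), lists.get((f, b.get(f, "default"))))
                  for f in ("login", "exec")} for vty, b in bound.items()}

def split_lines(config):
    """vty ranges whose login uses a server group but exec authorization does not."""
    uses_group = lambda methods: "group" in (methods or "").split()
    return [vty for vty, f in effective_methods(config).items()
            if uses_group(f["login"][1]) and not uses_group(f["exec"][1])]

if __name__ == "__main__":
    print(effective_methods(CONFIG))
    print("TACACS+ login, exec authorization without it:", split_lines(CONFIG))
```

On the question's configuration this reports `vty 0 4` and `vty 5 15`: both log in through `NAC_GROUP`, while exec authorization resolves to a list whose only method is `local`, and the `aaa authorization exec AAA` list is defined but not bound to any line.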
