Problem with access after add a catalyst 9200 to Meraki Dashboard

P4n0r4m1x
Level 1

Hello;

After onboarding a switch into the Meraki cloud we lost SSH access via TACACS: the switch lets me log in, but the first thing shown is "% Authorization failed." If I disable TACACS I can log in with a local password and work normally.

I think the issue is in the vty line configuration. It now looks like:

line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 privilege level 15
 authorization commands 0 AAA
 authorization commands 1 AAA
 authorization commands 15 AAA
 logging synchronous
 login authentication AAA
 length 0
 transport input ssh
line vty 5 15
 privilege level 15
 authorization commands 0 AAA
 authorization commands 1 AAA
 authorization commands 15 AAA
 login authentication AAA
 transport input ssh
line vty 16 19
 access-class MERAKI_VTY_IN in
 access-class MERAKI_VTY_OUT out
 authorization exec MERAKI
 login authentication MERAKI
 rotary 50
 transport input ssh

The last block was added by Meraki's onboarding script, and I think that is where the mistake was made, but I'm not sure how to fix it.

I could do "default line vty 16 19", but what configuration should it have? Another copy of line vty 5 15?

The AAA config:

sh ru | section aaa
aaa new-model
aaa group server tacacs+ NAC_GROUP
 server name NAC1
 server name NAC2
aaa authentication attempts login 10
aaa authentication login default local
aaa authentication login AAA group NAC_GROUP local
aaa authentication login MERAKI local
aaa authentication enable default group NAC_GROUP enable
aaa authorization config-commands
aaa authorization exec default local
aaa authorization exec AAA group NAC_GROUP local
aaa authorization exec MERAKI local
aaa authorization commands 0 AAA group NAC_GROUP local
aaa authorization commands 1 AAA group NAC_GROUP local
aaa authorization commands 15 AAA group NAC_GROUP local
aaa accounting exec default start-stop group NAC_GROUP
aaa accounting commands 1 default start-stop group NAC_GROUP
aaa accounting commands 15 default start-stop group NAC_GROUP
aaa session-id common

And the TACACS+ config:

sh ru | section tacac
aaa group server tacacs+ NAC_GROUP
 server name NAC1
 server name NAC2
ip tacacs source-interface Vlan100
tacacs-server directed-request
tacacs server NAC1
 address ipv4 101.101.101.1
 key 7 0000000000000000000
tacacs server NAC2
 address ipv4 101.101.101.2
 key 7 0000000000000000000

Thanks in advance.
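The symptom in this post (TACACS+ authentication succeeds, then "% Authorization failed." before any command runs) is the pattern where a vty line's login method list reaches the TACACS+ group but the line has no `authorization exec` statement, so exec authorization falls back to the global `default` list, which here is `local`. The script below is an added example, not part of this thread and not a Cisco or Meraki tool: it parses an IOS-style running config, resolves each vty line's effective login and exec-authorization lists (the line-level list if present, otherwise the `default` list), and flags lines where a TACACS+-authenticated user would be authorized against a local-only list. The sample config is constructed from the configuration posted above. The candidate fix it applies (`authorization exec AAA`, reusing the existing `AAA` exec list that points at `NAC_GROUP`) is the example's own choice, not the thread's accepted solution. It assumes simplified IOS semantics: a line with no list of its own uses the `default` list if one exists, and an exec list containing a TACACS+ group or `if-authenticated` can authorize a TACACS+ user.

```python
import re

# Constructed sample: the AAA and vty configuration as posted in the question,
# with subcommands indented as "show running-config" prints them.
SAMPLE_CONFIG = """\
aaa new-model
aaa group server tacacs+ NAC_GROUP
 server name NAC1
 server name NAC2
aaa authentication login default local
aaa authentication login AAA group NAC_GROUP local
aaa authentication login MERAKI local
aaa authorization exec default local
aaa authorization exec AAA group NAC_GROUP local
aaa authorization exec MERAKI local
line con 0
 stopbits 1
line vty 0 4
 privilege level 15
 authorization commands 15 AAA
 login authentication AAA
 transport input ssh
line vty 5 15
 authorization commands 15 AAA
 login authentication AAA
 transport input ssh
line vty 16 19
 access-class MERAKI_VTY_IN in
 authorization exec MERAKI
 login authentication MERAKI
 rotary 50
 transport input ssh
"""

# Top-level keywords that end a "line ..." block even if pasted text lost its indentation.
TOP_LEVEL = ("aaa ", "tacacs", "ip ", "username ", "interface ", "!", "end")


def tokenize_methods(text):
    """'group NAC_GROUP local if-authenticated' -> ['group NAC_GROUP', 'local', 'if-authenticated']."""
    toks = text.split()
    methods, i = [], 0
    while i < len(toks):
        if toks[i] == "group" and i + 1 < len(toks):
            methods.append("group " + toks[i + 1])
            i += 2
        else:
            methods.append(toks[i])
            i += 1
    return methods


def parse_method_lists(config):
    """Return {'login': {name: methods}, 'exec': {name: methods}} from the 'aaa ...' lines."""
    lists = {"login": {}, "exec": {}}
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"aaa authentication login (\S+) (.+)$", line)
        if m:
            lists["login"][m.group(1)] = tokenize_methods(m.group(2))
            continue
        m = re.match(r"aaa authorization exec (\S+) (.+)$", line)
        if m:
            lists["exec"][m.group(1)] = tokenize_methods(m.group(2))
    return lists


def parse_vty_lines(config):
    """Return [(block_name, {'login': list_name, 'exec': list_name}), ...] for each 'line vty' block."""
    blocks, current = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("line "):
            current = (line, {})
            if line.startswith("line vty"):
                blocks.append(current)
            continue
        if current is None or not line or line.startswith(TOP_LEVEL):
            current = None
            continue
        parts = line.split()
        if parts[:2] == ["login", "authentication"] and len(parts) > 2:
            current[1]["login"] = parts[2]
        elif parts[:2] == ["authorization", "exec"] and len(parts) > 2:
            current[1]["exec"] = parts[2]  # last one wins, as in IOS
    return blocks


def effective_methods(lists, kind, name):
    """Resolve a line's list: the named list if it exists, otherwise the IOS 'default' list."""
    named = lists[kind]
    if name in named:
        return name, named[name]
    if "default" in named:
        return "default", named["default"]
    return None, []


def uses_tacacs(methods):
    return any(m.startswith("group ") for m in methods)


def audit(config):
    """Return [(block_name, reason)] for vty lines whose TACACS+ users would fail exec authorization."""
    lists = parse_method_lists(config)
    findings = []
    for name, directives in parse_vty_lines(config):
        login_name, login = effective_methods(lists, "login", directives.get("login"))
        exec_name, exec_methods = effective_methods(lists, "exec", directives.get("exec"))
        if not exec_methods:
            continue  # no exec authorization configured at all: shell is granted after login
        # Assumption: a TACACS+ group or 'if-authenticated' in the exec list can authorize a TACACS+ user.
        permissive = uses_tacacs(exec_methods) or "if-authenticated" in exec_methods
        if uses_tacacs(login) and not permissive:
            findings.append((name, f"login list {login_name!r} reaches TACACS+ but exec authorization "
                                   f"uses list {exec_name!r} ({' '.join(exec_methods)}): a TACACS+ user "
                                   f"absent from the local database gets '% Authorization failed.'"))
    return findings


def add_exec_authorization(config, block_name, list_name):
    """Candidate fix (the example's own): insert 'authorization exec <list>' into the named vty block."""
    out = []
    for raw in config.splitlines():
        out.append(raw)
        if raw.strip() == block_name:
            out.append(" authorization exec " + list_name)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for block, reason in audit(SAMPLE_CONFIG):
        print(block + ": " + reason)
    fixed = SAMPLE_CONFIG
    for block in ("line vty 0 4", "line vty 5 15"):
        fixed = add_exec_authorization(fixed, block, "AAA")
    print("findings after fix:", audit(fixed))
```

Run against the posted config it reports `line vty 0 4` and `line vty 5 15` (login via `AAA`, exec via the `default` list `local`) and stays silent on `line vty 16 19`, whose login and exec lists are both local. After adding `authorization exec AAA` to the two flagged blocks the audit returns no findings. The check is deliberately conservative: it does not model `aaa authorization console` or command authorization, only the exec authorization step that produces the message quoted above.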

Accepted Solution

P4n0r4m1x
Level 1

Hi guys:

After a couple of reviews it's now working. The configs are:

aaa group server tacacs+ NAC_GROUP
 server name NAC01
 server name NAC02
ip tacacs source-interface Vlan100
tacacs server NAC01
 address ipv4 10.101.101.1
 key 7 **********
tacacs server NAC02
 address ipv4 10.101.101.2
 key 7 ************

AAA:

aaa new-model
aaa group server tacacs+ NAC_GROUP
 server name NAC01
 server name NAC02
aaa authentication attempts login 10
aaa authentication login default local
aaa authentication login AAA group NAC_GROUP local
aaa authentication login MERAKI local
aaa authentication enable default group NAC_GROUP enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default local
aaa authorization exec AAA group NAC_GROUP local
aaa authorization exec MERAKI local
aaa authorization commands 0 AAA group NAC_GROUP local
aaa authorization commands 1 AAA group NAC_GROUP local
aaa authorization commands 15 AAA group NAC_GROUP local
aaa accounting exec default start-stop group NAC_GROUP
aaa accounting commands 1 default start-stop group NAC_GROUP
aaa accounting commands 15 default start-stop group NAC_GROUP
aaa session-id common

Lines:

line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 privilege level 15
 authorization commands 0 AAA
 authorization commands 1 AAA
 authorization commands 15 AAA
 authorization exec MERAKI
 logging synchronous
 login authentication AAA
 length 0
 transport input ssh
line vty 5 15
 privilege level 15
 authorization commands 0 AAA
 authorization commands 1 AAA
 authorization commands 15 AAA
 login authentication AAA
 transport input ssh
line vty 16 19
 access-class MERAKI_VTY_IN in
 access-class MERAKI_VTY_OUT out
 authorization exec MERAKI
 login authentication MERAKI
 rotary 50
 transport input ssh

I hope it helps!!!

Thanks a lot!!!


15 Replies

Where is the TACACS config? I only see VTY.

P4n0r4m1x
Level 1

Hi;

I just edited the post.

BR.

aaa group server tacacs+ NAC_GROUP
 server name 101.101.101.1   <<- "server name" means a server name resolved by DNS; instead add server 101.101.101.1 directly
 server name 101.101.101.2   <<- "server name" means a server name resolved by DNS; instead add server 101.101.101.2 directly
ip tacacs source-interface Vlan100
tacacs-server directed-request
tacacs server 101.101.101.1
 address ipv4 101.101.101.1
 key 7 0000000000000000000
tacacs server 101.101.101.2
 address ipv4 101.101.101.2
 key 7 0000000000000000000

P4n0r4m1x
Level 1

OK, but this is not the issue, because I can log in, so the DNS is resolved; but when I'm logged in the first thing shown to me is:

% Authorization failed.

It's the same as when you configure TACACS with a local account, then activate TACACS in ISE, and any command you execute shows:

% Authorization failed.

Thanks in advance.

You configure auth via TACACS and local, so there is a chance that you are authenticating via local, not TACACS, if the local username/password is the same as the TACACS username/password.
Change the server name to server and check again.

Hello,

The username and password are totally different and can't be equal. Anyway, I need to use TACACS because it's a production device, and if something happens, to have evidence of who it was and what was done…

Please can you check this config:

line vty 25 30
 authorization exec default
 authorization commands 0 AAA
 authorization commands 1 AAA
 authorization commands 15 AAA
 login authentication AAA
 transport input telnet
 rotary 75   <<- use port 3075 with telnet to access this VTY group.


P4n0r4m1x
Level 1

Thanks mate;

I tried this config and it's the same behavior over port 23. It lets me log in, but I can't do anything with TACACS activated.

Username:
Password:
% Authorization failed.


Just try telnet, not SSH; as I mentioned, we use rotary 75, so you need:
telnet <SW IP> port 3075
Try this and share the result.

P4n0r4m1x
Level 1

Same behavior over ports 22, 23 and 3075:

Username:
Password:
% Authorization failed.    <--- notice that it isn't "% Authentication failed" (wrong password)


I know that it is an authz, not an auth, issue.

line vty 25 30
 authorization exec default   <<- remove this and try again using telnet port 3075
 authorization commands 0 AAA
 authorization commands 1 AAA
 authorization commands 15 AAA
 login authentication AAA
 transport input telnet
 rotary 75   <<- use port 3075 with telnet to access this VTY group.

P4n0r4m1x
Level 1

This line is not in my config; I added it again but it does not appear.

!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 privilege level 15
 authorization commands 0 AAA
 authorization commands 1 AAA
 authorization commands 15 AAA
 logging synchronous
 login authentication AAA
 length 0
 transport input ssh
line vty 5 15
 privilege level 15
 authorization commands 0 AAA
 authorization commands 1 AAA
 authorization commands 15 AAA
 login authentication AAA
 transport input ssh
line vty 16 19
 access-class MERAKI_VTY_IN in
 access-class MERAKI_VTY_OUT out
 authorization exec MERAKI
 login authentication MERAKI
 rotary 50
 transport input ssh
line vty 20 24
 transport input ssh
line vty 25 30
 authorization commands 0 AAA
 authorization commands 1 AAA
 authorization commands 15 AAA
 login authentication AAA
 rotary 75
 transport input telnet

Also, in the NAC I can see "Passed-Authentication: Authentication succeeded",

but then nothing.

BR.

Hello,
Your AAA seems quite convoluted; it seems you are trying to allow access to different vty lines using various AAA profiles.
The example below should work, and you could amend it to accommodate your requirements.


username stan privilege 15 algorithm-type scrypt secret xxxxx

tacacs server NAC1
 address ipv4 x.x.x.x
 key xxxx
 timeout 5

tacacs server NAC2
 address ipv4 y.y.y.y
 key xxxxx
 timeout 5

aaa new-model
aaa group server tacacs+ MERAKI
 server name NAC1
 server name NAC2

aaa authentication login MERAKI local
aaa authorization exec MERAKI local if-authenticated
aaa authorization console

line vty 0 4
 authorization exec MERAKI
 login authentication MERAKI



Kind Regards
Paul

P4n0r4m1x
Level 1


Hello;

Thanks for your time and help, but it doesn't work this way, because my TACACS group has another name... But I tried changing it and it doesn't work either.

We need to be able to work on it with local users, TACACS users from NAC_GROUP and the MERAKI one for monitoring in Meraki's dashboard. But this way I can only work with local users and with TACACS disabled, because they don't have permissions.

This is the config that I'm running right now:

tacacs server NAC01
 address ipv4 10.101.101.1
 key ******
tacacs server NAC02
 address ipv4 10.101.101.2
 key ******
aaa new-model
aaa group server tacacs+ NAC_GROUP
 server name NAC01
 server name NAC02
aaa authentication attempts login 10
aaa authentication login default local
aaa authentication login AAA group NAC_GROUP local
aaa authentication login MERAKI local
aaa authentication enable default group NAC_GROUP enable group MERAKI
aaa authorization console
aaa authorization config-commands
aaa authorization exec default local
aaa authorization exec AAA group NAC_GROUP local
aaa authorization exec MERAKI local if-authenticated
aaa authorization commands 0 AAA group NAC_GROUP local
aaa authorization commands 1 AAA group NAC_GROUP local
aaa authorization commands 15 AAA group NAC_GROUP local
aaa accounting exec default start-stop group NAC_GROUP
aaa accounting commands 1 default start-stop group NAC_GROUP
aaa accounting commands 15 default start-stop group NAC_GROUP
aaa session-id common

And as I told you, I still have to disable TACACS to make it work... also the Meraki dashboard lost the telemetry.



Thanks in advance
