13082 Views | 42 Helpful | 22 Replies

TACACS authorization failure

davinci (Level 1)

Hello,

I can authenticate into my 3560 switch, but when I attempt to use my TACACS r/w account I receive the errors below. EDIT: I can make changes with my external r/o and r/w accounts. All of my other switches are working without issue (read-only TACACS accounts and r/w TACACS accounts work fine).

Is the problem with my config? IOS bug? TACACS server issue?

sh version
Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M), Version 12.2(55)SE12, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2017 by Cisco Systems, Inc.
Compiled Thu 28-Sep-17 02:04 by prod_rel_team
Image text-base: 0x01000000, data-base: 0x02F00000

ROM: Bootstrap program is C3560 boot loader
BOOTLDR: C3560 Boot Loader (C3560-HBOOT-M) Version 12.2(44)SE5, RELEASE SOFTWARE (fc1)

switch uptime is 1 hour, 19 minutes
System returned to ROM by power-on
System image file is "flash:c3560-ipservicesk9-mz.122-55.SE12.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable

username tester privilege 15 secret xxxxxxxxxxxxxxxxx

aaa group server tacacs+ XXXXX
server-private q.r.s.t key xxxxx
server-private a.b.c.d key xxxxx
server-private e.f.g.h. key xxxxx
!
aaa authentication attempts login 2
aaa authentication password-prompt Fallback_Password:
aaa authentication username-prompt Fallback_Username:
aaa authentication login default group XXXX local
aaa authorization config-commands
aaa authorization exec default group XXXX local
aaa authorization commands 15 default group XXXX local
aaa authorization network default group YYYY
aaa accounting update newinfo
aaa accounting exec default start-stop group XXXX
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group XXXXX
aaa accounting system default start-stop group XXXX

switch#conf t
Tacacs session has expired.Please re-login to continue.

22 Replies

Thanks for the output of debug that I requested. There are multiple instances of messages like this

TAC+: x.x.30.20 -- request for nonexistent server

It seems to me that there are 2 likely explanations:

- perhaps the IP address does not point to the correct TACACS server

- the server at that address does not have a correct configuration of this device as a client

Can you verify that the switch configuration of the server does use the correct address?

Can you verify that the tacacs server at that address does have a correct configuration of this device as a client?

HTH

Rick

Mar 2 22:25:51: tty2 AAA/AUTHOR/CMD (3419537086): Port='tty2' list='' service=CMD
*Mar 2 22:25:51: AAA/AUTHOR/CMD: tty2 (3419537086) user='username'
*Mar 2 22:25:51: tty2 AAA/AUTHOR/CMD (3419537086): send AV service=shell
*Mar 2 22:25:51: tty2 AAA/AUTHOR/CMD (3419537086): send AV cmd=configure
*Mar 2 22:25:51: tty2 AAA/AUTHOR/CMD (3419537086): send AV cmd-arg=terminal
*Mar 2 22:25:51: tty2 AAA/AUTHOR/CMD (3419537086): send AV cmd-arg=<cr>
*Mar 2 22:25:51: tty2 AAA/AUTHOR/CMD (3419537086): found list "default"
*Mar 2 22:25:51: tty2 AAA/AUTHOR/CMD (3419537086): Method=TACACS (tacacs+)
*Mar 2 22:25:51: AAA/AUTHOR/TAC+: (3419537086): user=username
*Mar 2 22:25:51: AAA/AUTHOR/TAC+: (3419537086): send AV service=shell
*Mar 2 22:25:51: AAA/AUTHOR/TAC+: (3419537086): send AV cmd=configure
*Mar 2 22:25:51: AAA/AUTHOR/TAC+: (3419537086): send AV cmd-arg=terminal
*Mar 2 22:25:51: AAA/AUTHOR/TAC+: (3419537086): send AV cmd-arg=<cr>
*Mar 2 22:25:51: TAC+: using previously set server x.x.30.20 from group TACACS
*Mar 2 22:25:51: TAC+: Opening TCP/IP to x.x.30.20/49 timeout=5
*Mar 2 22:25:51: TAC+: Opened TCP/IP handle 0x4604634 to x.x.30.20/49 using source x.x.20.10
*Mar 2 22:25:51: TAC+: Opened x.x.30.20 index=1
*Mar 2 22:25:51: TAC+: x.x.30.20 -- request for nonexistent server

I agree with @Richard Burts here; you may need to cut down your TACACS server list and test with the one that is working.

As per your original post you have 3 in the list; not sure which one that is, so try the one you are sure is working before you add a new one.

aaa group server tacacs+ XXXXX
server-private q.r.s.t key xxxxx
server-private a.b.c.d key xxxxx
server-private e.f.g.h. key xxxxx

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help
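The two replies above both work from the same `debug` excerpt: Rick reads the repeated `request for nonexistent server` line and BB suggests cutting the server group down to one known-good entry. Below is an added example (mine, not from this thread or from Cisco) that parses that excerpt offline: it groups the lines by AAA session id, attaches the id-less `TAC+:` transport lines to the session being authorised, and prints which user, command, server and group were involved plus a hint for the message this thread explains. The sample lines are the ones quoted in the thread, with the anonymised addresses kept as posted; the regexes assume the 12.2(55)SE debug format shown above and the `HINTS` table is my own wording of Rick's two explanations.

```python
import re
from collections import Counter

# Constructed sample: the debug excerpt quoted in this thread, anonymised
# addresses kept exactly as posted.
SAMPLE_DEBUG = """\
*Mar 2 22:25:51: tty2 AAA/AUTHOR/CMD (3419537086): Port='tty2' list='' service=CMD
*Mar 2 22:25:51: AAA/AUTHOR/CMD: tty2 (3419537086) user='username'
*Mar 2 22:25:51: tty2 AAA/AUTHOR/CMD (3419537086): send AV service=shell
*Mar 2 22:25:51: tty2 AAA/AUTHOR/CMD (3419537086): send AV cmd=configure
*Mar 2 22:25:51: tty2 AAA/AUTHOR/CMD (3419537086): send AV cmd-arg=terminal
*Mar 2 22:25:51: tty2 AAA/AUTHOR/CMD (3419537086): send AV cmd-arg=<cr>
*Mar 2 22:25:51: tty2 AAA/AUTHOR/CMD (3419537086): found list "default"
*Mar 2 22:25:51: tty2 AAA/AUTHOR/CMD (3419537086): Method=TACACS (tacacs+)
*Mar 2 22:25:51: AAA/AUTHOR/TAC+: (3419537086): user=username
*Mar 2 22:25:51: AAA/AUTHOR/TAC+: (3419537086): send AV service=shell
*Mar 2 22:25:51: AAA/AUTHOR/TAC+: (3419537086): send AV cmd=configure
*Mar 2 22:25:51: AAA/AUTHOR/TAC+: (3419537086): send AV cmd-arg=terminal
*Mar 2 22:25:51: AAA/AUTHOR/TAC+: (3419537086): send AV cmd-arg=<cr>
*Mar 2 22:25:51: TAC+: using previously set server x.x.30.20 from group TACACS
*Mar 2 22:25:51: TAC+: Opening TCP/IP to x.x.30.20/49 timeout=5
*Mar 2 22:25:51: TAC+: Opened TCP/IP handle 0x4604634 to x.x.30.20/49 using source x.x.20.10
*Mar 2 22:25:51: TAC+: Opened x.x.30.20 index=1
*Mar 2 22:25:51: TAC+: x.x.30.20 -- request for nonexistent server
"""

RE_SESSION = re.compile(r"\((\d+)\)")                       # AAA session id
RE_USER    = re.compile(r"user='([^']*)'")
RE_CMD     = re.compile(r"send AV cmd=(\S+)")
RE_ARG     = re.compile(r"send AV cmd-arg=(\S+)")
RE_METHOD  = re.compile(r"Method=(\S+)")
RE_SERVER  = re.compile(r"TAC\+: using previously set server (\S+) from group (\S+)")
RE_OPENED  = re.compile(r"TAC\+: Opened (\S+) index=")
RE_ERROR   = re.compile(r"TAC\+: (\S+) -- (.+)$")

# My wording of the two explanations given in the thread for this message.
HINTS = {
    "request for nonexistent server":
        "check that the aaa group points at the right address and that the "
        "server has this switch configured as a client",
}

def new_session():
    return {"user": None, "cmd": [], "method": None, "server": None,
            "group": None, "connected": False, "errors": []}

def parse_tacacs_debug(text):
    """Group debug lines by AAA session id; TAC+ transport lines carry no id,
    so they are attached to the session currently being authorised."""
    sessions, current = {}, None
    for line in text.splitlines():
        m = RE_SESSION.search(line)
        if m:
            current = m.group(1)
            sessions.setdefault(current, new_session())
        if current is None:
            continue
        s = sessions[current]
        if "AAA/AUTHOR/CMD" in line:
            # The AV pairs are echoed again by AAA/AUTHOR/TAC+; read them once here.
            if (m := RE_USER.search(line)):
                s["user"] = m.group(1)
            if (m := RE_CMD.search(line)):
                s["cmd"].append(m.group(1))
            if (m := RE_ARG.search(line)) and m.group(1) != "<cr>":
                s["cmd"].append(m.group(1))
            if (m := RE_METHOD.search(line)):
                s["method"] = m.group(1)
        elif "TAC+:" in line and "AAA/AUTHOR" not in line:
            if (m := RE_SERVER.search(line)):
                s["server"], s["group"] = m.groups()
            if RE_OPENED.search(line):
                s["connected"] = True
            if (m := RE_ERROR.search(line)):
                s["errors"].append((m.group(1), m.group(2)))
    return sessions

def failures_by_server(sessions):
    """Count (server, message) pairs so a long capture reduces to one table."""
    return Counter(err for s in sessions.values() for err in s["errors"])

def triage(session):
    """One-line verdict per session, with a hint for messages this thread explains."""
    cmd = " ".join(session["cmd"]) or "?"
    if not session["errors"]:
        return f"{session['user']} '{cmd}': no TAC+ error recorded"
    server, msg = session["errors"][-1]
    hint = HINTS.get(msg, "message not covered here; check the server's own log")
    return f"{session['user']} '{cmd}' via {server} (group {session['group']}): {msg}; {hint}"

if __name__ == "__main__":
    sessions = parse_tacacs_debug(SAMPLE_DEBUG)
    for sid, s in sessions.items():
        print(sid, triage(s))
    for (server, msg), n in failures_by_server(sessions).items():
        print(f"{server}: {n} x '{msg}'")
```

Feed it a larger capture (several users, several commands) and the `failures_by_server` table shows at a glance which of the three configured servers is producing the rejections, which is the information BB's "cut the list down to one" test is meant to isolate.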

I reduced the TACACS server list to one device, but now I only have r/o access regardless of the TACACS account I test with. After authenticating, I'm not even able to do show run or show logging.

switch# sh logging
% Authorization failed.

switch#show run
% Authorization failed.

switch#conf t
% Authorization failed.

You need to find the right TACACS server and remove the one not working (looks like one of them is playing up).

BB

I found the solution. I had to swap the order of the TACACS servers in the TACACS group list. Once I did that, normal authorization commenced.

Thanks for the update. Glad to know that changing the order of servers allows you to have normal authorization. The purpose of having multiple server entries is to provide an alternative if the primary server is not providing the tacacs service (server out of service for maintenance, or server experiencing some problem, etc). If your primary server does stop working I am concerned that the problem with authorization might emerge again. I would suggest that you do some more testing with the alternate server and figure out what is the issue with authorization. (I think the router config must be ok because it works with one server. So the issue is likely something on the other server.)

HTH

Rick

Thank you for the feedback. We expect the servers in a group to have the same kind of AAA setup, not different methods; in most cases they all use the same identity, so when one fails the next can serve easily as the secondary, third, and so on.

So you need to fix that; this was advised in most of the replies. Glad all is good in the end.

BB
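The fix reported above was to reorder the servers in the group, and the two replies that follow make the same point from the defender's side: every server in a `aaa group server tacacs+` block is a failover candidate, so each one must be able to authorise the same accounts, and a switch whose secondary is misconfigured will lose authorization the day the primary goes down. The added example below (mine, not from this thread or from Cisco) is a small offline lint for an IOS AAA configuration of the shape posted in this thread: it reports the server order per group (the first entry is tried first), flags a group with a single server, a `server-private` line with no key, a method list that references a group that is never defined, and an authentication or authorization list with no `local` fallback. The sample config is constructed for the example with consistent names; the `YYYY` group and the missing key are deliberate so that the checks fire.

```python
import re

BUILTIN_GROUPS = {"tacacs+", "radius"}          # method-list groups that need no definition

RE_GROUP    = re.compile(r"^aaa group server (?:tacacs\+|radius) (\S+)\s*$")
RE_SERVER   = re.compile(r"^\s*server(?:-private)?\s+(\S+)(?:\s+key\s+(\S+))?\s*$")
RE_METHOD   = re.compile(r"^aaa (authentication|authorization|accounting) (\S+) (.+)$")
RE_GROUPREF = re.compile(r"\bgroup (\S+)")
RE_FALLBACK = re.compile(r"\b(local|none|if-authenticated|enable|line)\b")

# Constructed sample in the shape of the config posted in this thread; the
# undefined group YYYY and the key-less third server are deliberate.
SAMPLE_CONFIG = """\
aaa group server tacacs+ TACACS
 server-private q.r.s.t key xxxxx
 server-private a.b.c.d key xxxxx
 server-private e.f.g.h
!
aaa authentication login default group TACACS local
aaa authorization config-commands
aaa authorization exec default group TACACS local
aaa authorization commands 15 default group TACACS
aaa authorization network default group YYYY
aaa accounting exec default start-stop group TACACS
aaa accounting commands 15 default start-stop group tacacs+
"""

def parse_aaa(text):
    """Return ({group: [{'host', 'key'}, ...]}, [method lists that reference a group])."""
    groups, methods, current = {}, [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if (m := RE_GROUP.match(line)):
            current = m.group(1)
            groups[current] = []
            continue
        if current is not None and (m := RE_SERVER.match(line)):
            groups[current].append({"host": m.group(1), "key": m.group(2)})
            continue
        current = None                     # any other line ('!' included) closes the block
        if (m := RE_METHOD.match(line)):
            kind, what, rest = m.groups()
            refs = RE_GROUPREF.findall(rest)
            if refs:                       # skip prompt/attempt settings with no group
                methods.append({"kind": kind, "what": what, "groups": refs,
                                "fallback": bool(RE_FALLBACK.search(rest)), "line": line})
    return groups, methods

def lint_aaa(text):
    """Findings as 'LEVEL: message' strings; INFO lines document the server order."""
    groups, methods = parse_aaa(text)
    findings = []
    for name, servers in groups.items():
        hosts = [s["host"] for s in servers]
        findings.append(f"INFO: group {name} tries servers in this order: {', '.join(hosts)}")
        if len(servers) < 2:
            findings.append(f"WARN: group {name} has a single server, no failover")
        for s in servers:
            if s["key"] is None:
                findings.append(f"WARN: group {name} server {s['host']} has no per-server key")
    for ml in methods:
        for g in ml["groups"]:
            if g not in groups and g not in BUILTIN_GROUPS:
                findings.append(f"ERROR: '{ml['line']}' references undefined group {g}")
        if ml["kind"] in ("authentication", "authorization") and not ml["fallback"]:
            findings.append(f"WARN: '{ml['line']}' has no local fallback; "
                            f"an unreachable server locks out {ml['what']}")
    return findings

if __name__ == "__main__":
    for finding in lint_aaa(SAMPLE_CONFIG):
        print(finding)
```

Run it against the running config of each switch before and after touching the server list: the INFO line tells you which server is primary for that device, and comparing it across the estate is the quickest way to see why one switch behaves differently from the others that "work fine", as in the first post.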

What commands did you use to fix the problem?

I currently have the same problem
