TACACS not working

Mokhalil82
Level 4

Hi Guys

I have added a 2960X switch to my network and configured it with TACACS. It does not seem to talk to the TACACS ACS server. I can ping the server, and it also authenticates other devices on the network, but this new switch only lets me log in with local credentials. I have added the switch to ACS as well.

When I tried "test aaa group tacacs username password", I got:

"Attempting authentication test to server-group tacacs+ using tacacs+
No authoritative response from any server."

My config on the switch is:

aaa group server tacacs+ ACS1
 server 10.10.10.10
!
aaa authentication login default group ACS1 local
aaa authentication enable default group ACS1 enable
aaa authorization config-commands
aaa authorization exec default group ACS1 if-authenticated
aaa authorization commands 1 default group ACS1 if-authenticated
aaa authorization commands 15 default group ACS1 if-authenticated
aaa accounting update newinfo
aaa accounting commands 1 default start-stop broadcast group ACS1
aaa accounting commands 15 default start-stop broadcast group ACS1

tacacs-server host 10.10.10.10
tacacs-server key 12345678

Thanks

3 Replies

Reza Sharifi
Hall of Fame

Hi,

Here is a working config from a 2960-X.

Try just adding these commands and test:

aaa group server tacacs+ ACS1
 server 10.10.10.10
 server-private 10.10.10.10 key 7 ****************
!
aaa authentication login default group ACS1 local
aaa authentication login console group ACS1 local
aaa authentication enable default group ACS1 enable
aaa authorization console
aaa authorization exec default group ACS1 none
aaa authorization commands 1 default group ACS1 if-authenticated
aaa authorization commands 15 default group ACS1 if-authenticated

Also, I don't think you need these commands:

tacacs-server host 10.10.10.10
tacacs-server key 12345678

HTH

Thanks Reza

After some investigation it seemed the issue was with the tacacs-server host 10.10.10.10 command. I realised that upon entering this command the CLI accepted it but gave a warning message:

"Warning: The cli will be deprecated soon
 'tacacs-server host acs-1 key 0 <my-key>'
 Please move to 'tacacs server <name>' CLI"

Apparently Cisco have made a few changes to the config. The tacacs-server ACS1 commands didn't work.

So I entered tacacs-server host 10.10.10.10 key 12345678

That worked.

Thanks
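As an added example (not from this thread or from Cisco), here is a small Python audit over an IOS running-config that flags the situation described above: a server listed under aaa group server tacacs+ whose shared key can only be found through the deprecated global tacacs-server key, or not at all. The sample config is constructed; the "tacacs server <name>" block with address ipv4 / key is the newer CLI the warning message points to.

```python
# Constructed sample (not the thread's config verbatim): the poster's ACS1 group, which
# leans on the legacy global key, plus a group mixing a named block, server-private, and an undefined server.
SAMPLE_CONFIG = """\
aaa group server tacacs+ ACS1
 server 10.10.10.10
aaa group server tacacs+ ACS2
 server name acs-2
 server-private 10.10.10.20 key 7 0822455D0A16
 server 10.10.10.99
tacacs-server host 10.10.10.10
tacacs-server key 12345678
tacacs server acs-2
 address ipv4 10.10.10.30
 key 0 secret
"""

def audit_tacacs(config):
    """Map 'GROUP/server' -> verdict on whether that server has a usable shared key."""
    blocks, cur = [], None                                # (header tokens, child token lists)
    for line in config.splitlines():
        if line.startswith(" ") and cur:
            cur[1].append(line.split())
        elif line.split():                                # new top-level command
            cur = (line.split(), [])
            blocks.append(cur)
    host_keys = {h[2]: "key" in h[3:] for h, _ in blocks if h[:2] == ["tacacs-server", "host"]}
    global_key = any(h[:2] == ["tacacs-server", "key"] for h, _ in blocks)
    named = {h[2]: any(c[0] == "key" for c in kids)        # newer 'tacacs server <name>' blocks
             for h, kids in blocks if h[:2] == ["tacacs", "server"]}
    verdicts = {}
    for h, kids in blocks:
        if h[:4] != ["aaa", "group", "server", "tacacs+"]:
            continue
        for c in kids:
            if c[0] not in ("server", "server-private"):
                continue
            ref = c[2] if c[1] == "name" else c[1]
            if c[0] == "server-private":                  # key carried inside the group
                v = "OK: per-server key" if "key" in c else "ERROR: no key"
            elif c[1] == "name":
                v = "OK: key in tacacs server block" if named.get(ref) else "ERROR: no key"
            elif ref not in host_keys:
                v = "ERROR: server never defined"
            elif host_keys[ref]:
                v = "OK: per-host tacacs-server key"
            else:
                v = "WARN: relies on deprecated global tacacs-server key" if global_key else "ERROR: no key"
            verdicts[f"{h[4]}/{ref}"] = v
    return verdicts
```

Running audit_tacacs on the switch's actual "show running-config" output reproduces the poster's finding: 10.10.10.10 under ACS1 is flagged until the key is attached to the host entry itself or moved into a tacacs server block.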

Glad it is working.

Thanks,

Reza