09-28-2020 11:55 PM
Hi There,
Thank you for your time. I hope you are all safe and secure in this pandemic.
I need your help with my TACACS+ authentication.
I have two TACACS+ servers (RHEL) and both are running successfully. Both are in different domains. For one domain my switches are getting authenticated successfully, but for the other domain it's failing.
Below is the output from my switch:
net001#sh run | sec tac
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local if-authenticated
aaa accounting commands 15 default start-stop group tacacs+
description tacacs-test-switch
ip tacacs source-interface GigabitEthernet1/0/7
tacacs-server host 10.252.37.10
tacacs-server directed-request
tacacs-server key 7 0728004545514A1356
pninet001#telnet 10.252.37.10 49
Trying 10.252.37.10, 49 ...
% Destination unreachable; gateway or host down
net001#ping 10.252.37.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.252.37.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 116/120/126 ms
net001#
I have configured the same configuration on all of my switches and the same RPM packages on both of my TACACS+ servers.
I have checked my TACACS+ server: it's listening on port 49 and the tacacs service is also running fine. But I'm still not able to identify why it's failing when the same configuration is running on both servers.
Any help would be appreciated.
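Two points a security reviewer would raise about the configuration and test output above, illustrated with an added example (this is not code from the post or from Cisco; the session values and the secret `tacacs-shared-secret` in it are constructed). First, the `key 7` string in `show run` is Cisco type 7 obfuscation, which is reversible with a fixed public XOR key, so pasting the running config publishes the shared secret (the example decodes the well-known public test vector rather than the key from the post). Second, the only clear-text part of a TACACS+ packet on TCP/49 is the 12-byte header; the body is XORed with an MD5 keystream derived from the shared secret (RFC 8907 section 4.5), so a key mismatch never shows up at connect time: the TCP session opens and the server simply cannot parse the body, which is a different failure from the ICMP unreachable shown by the telnet test.

```python
"""Cisco type 7 decoding and TACACS+ body obfuscation (RFC 8907 section 4.5).
Added example, not code from the thread above; all inputs are constructed."""
import hashlib
import struct

# Fixed XOR key used by Cisco type 7; public knowledge since the 1990s.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded: str) -> str:
    """Type 7 string: two decimal digits of offset into _TYPE7_KEY, then hex
    bytes each XORed with the next key byte starting at that offset."""
    offset = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)]
                  for i, b in enumerate(data))
    return plain.decode("ascii")


def encode_type7(plaintext: str, offset: int = 8) -> str:
    """Inverse of decode_type7; IOS picks a random offset, 8 is used here."""
    out = bytes(c ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)]
                for i, c in enumerate(plaintext.encode("ascii")))
    return f"{offset:02d}{out.hex().upper()}"


# RFC 8907 header and authentication START constants.
TAC_PLUS_VERSION = (0xC << 4) | 0x0          # major 0xC, minor 0
TAC_PLUS_AUTHEN = 0x01                        # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_PRIV_LVL_USER = 0x01
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length
START = struct.Struct("!BBBBBBBB")  # action, priv_lvl, authen_type, service, 4 lengths


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, n: int) -> bytes:
    """MD5_1 = MD5(session_id|key|version|seq_no); MD5_i = MD5(... |MD5_{i-1});
    concatenated and truncated to the body length (RFC 8907 section 4.5)."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, last = b"", b""
    while len(pad) < n:
        last = hashlib.md5(prefix + last).digest()
        pad += last
    return pad[:n]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pad; the same call de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user: str, port: str, rem_addr: str, session_id: int, key: bytes) -> bytes:
    """First packet (seq_no 1) of an ASCII login session as the switch sends it."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    body = START.pack(TAC_PLUS_AUTHEN_LOGIN, TAC_PLUS_PRIV_LVL_USER,
                      TAC_PLUS_AUTHEN_TYPE_ASCII, TAC_PLUS_AUTHEN_SVC_LOGIN,
                      len(u), len(p), len(r), 0) + u + p + r
    seq_no = 1
    header = HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def parse_authen_start(packet: bytes, key: bytes):
    """Server side: de-obfuscate with the configured key and validate the body.
    Returns a dict, or None when the body does not parse, which is how a
    shared-secret mismatch presents on the server: TCP connected, body garbage."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    if ptype != TAC_PLUS_AUTHEN or len(body) < START.size:
        return None
    action, priv, atype, svc, ulen, plen, rlen, dlen = START.unpack(body[:START.size])
    if (action, atype, svc) != (TAC_PLUS_AUTHEN_LOGIN, TAC_PLUS_AUTHEN_TYPE_ASCII,
                                TAC_PLUS_AUTHEN_SVC_LOGIN):
        return None
    if START.size + ulen + plen + rlen + dlen != len(body):
        return None
    fields = body[START.size:]
    try:
        return {"user": fields[:ulen].decode("ascii"),
                "port": fields[ulen:ulen + plen].decode("ascii"),
                "rem_addr": fields[ulen + plen:ulen + plen + rlen].decode("ascii"),
                "priv_lvl": priv}
    except UnicodeDecodeError:
        return None


if __name__ == "__main__":
    print(decode_type7("0822455D0A16"))            # public test vector -> cisco
    secret = b"tacacs-shared-secret"              # constructed, hypothetical key
    pkt = build_authen_start("admin", "tty1", "10.0.0.5", 0x12345678, secret)
    print(parse_authen_start(pkt, secret))         # user admin
    print(parse_authen_start(pkt, b"wrong-key"))   # None
```

The practical consequence for the troubleshooting above: `ping` succeeding while `telnet <server> 49` returns an ICMP unreachable means the TCP/49 path itself is being rejected before any TACACS+ packet is exchanged, which is a host firewall or routing problem rather than a key or AAA problem; a key mismatch would instead show a completed TCP handshake followed by a server-side decode failure.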
09-29-2020 12:31 AM
09-29-2020 02:14 AM
Hello Mohammed,
Thank you for your response. I have checked and tried with the source interface also, but it's still not working.
I have even compared my TACACS+ server configuration with another working TACACS+ server; both configurations are the same and both are listening on port 49.
For one domain I have configured my switch with the same TACACS+ configuration as the one which is working in the other domain, but it still isn't responding.
I have attached a file for further clarification.
09-29-2020 02:54 AM
06-30-2021 11:41 PM
Hi Mohammed,
I have an issue when I use the Mgmt interface. FYI, I do not see firewall logs for TACACS. The switch configuration is shown below:
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
ip tacacs source-interface GigabitEthernet0/0
ip tacacs source-interface GigabitEthernet0/0 vrf Mgmt-vrf
tacacs server Clearpass
address ipv4 x.x.x.x
key
The same configuration I used with an SVI interface, without selecting vrf Mgmt-vrf, and it is working fine.
Please advise!
FYI, I have applied the configuration above to a Cisco C9300 series switch (OS: 17.03.03).
Thanks,
Diyar
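The VRF-aware form of the configuration in the post above, as an added example that is not Diyar's posted config and not Cisco documentation text: on IOS-XE the VRF and the source interface are bound to a named TACACS+ server group, and the AAA method lists reference that group rather than the bare `tacacs+` keyword. The group name `TACACS-MGMT` is an assumed name; `x.x.x.x` and the key value are left as placeholders exactly as in the post.

```cisco
! Added example, not the configuration from the post above.
! Server object as posted; x.x.x.x and <shared-secret> are placeholders.
tacacs server Clearpass
 address ipv4 x.x.x.x
 key <shared-secret>
!
! Assumed group name. The VRF and source interface bind to the group,
! which is what makes the TACACS+ sockets open inside Mgmt-vrf.
aaa group server tacacs+ TACACS-MGMT
 server name Clearpass
 ip vrf forwarding Mgmt-vrf
 ip tacacs source-interface GigabitEthernet0/0
!
! Method lists point at the group instead of "group tacacs+".
aaa authentication login default group TACACS-MGMT local
aaa authentication enable default enable
aaa authorization config-commands
aaa authorization exec default group TACACS-MGMT local
aaa authorization commands 0 default group TACACS-MGMT none
aaa authorization commands 1 default group TACACS-MGMT if-authenticated
aaa authorization commands 15 default group TACACS-MGMT if-authenticated
aaa accounting commands 1 default start-stop group TACACS-MGMT
aaa accounting commands 15 default start-stop group TACACS-MGMT
```

To confirm the group is usable before relying on it for login, `test aaa group TACACS-MGMT <user> <password> new-code` exercises the group from the switch and reports whether the server answered, and `show tacacs` shows per-server request and timeout counters; keep a console or local-fallback session open while changing method lists so a misconfiguration cannot lock you out.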