Hello,
So it's been a while since I've used TACACS+, but when I configure one of my switches to use it, it is still using the local authentication instead of TACACS+. Here's the config:
aaa new-model
!
!
aaa group server tacacs+ TAC_PLUS
 server name acs-server
!
aaa authentication login default group tacacs+ local
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
!
[config snipped]
!
tacacs server acs-server
 address ipv4 <INTERNAL IP>
 key 7 <ENCRYPTED KEY>
!
!
!
!
line con 0
 logging synchronous
line vty 0 4
 exec-timeout 0 0
 transport input ssh
line vty 5 15
!
end
For line con 0 and vty 0 4, I've used login authentication default.
I've verified using a TACACS+ tool that the server is working and responding accordingly. The last time I used TACACS+ on Cisco switches, it was on IOS 12. Our switches are running IOS 15.2(3r)E1.
Thanks!