Catalyst 9300/embedded 9800 Enabling TACACS for GUI access

pinglis
Level 7

I am trying to enable TACACS for web GUI access on a Catalyst 9300 with an embedded 9800 controller. ISE is acting as the TACACS server. The switch is running 17.4.1 and the ISE 2.7.0356 (patch 2).

 

I've followed the guides, but the switch is sending the TACACS requests with a User Name of USERNAME.

CLI authentication using TACACS is working without issue.

 

6 Replies

balaji.bandi
Hall of Fame

As stated everything is configured it is just sending the wrong User Name to the TACACS server (I see this in the TACACS server logs on the ISE)

Can you post the complete log and configuration for us to look at what is wrong here?

 

BB


The TACACS config is below. 

 

aaa group server tacacs+ TacacsServers
server name TACACS1
server name TACACS2


aaa new-model
aaa group server tacacs+ TacacsServers
aaa authentication login default group TacacsServers local
aaa authentication login LoginCON group TacacsServers local
aaa authentication login LoginVTY group TacacsServers local
aaa authentication login GUILogin local group TacacsServers
aaa authentication enable default group TacacsServers enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group TacacsServers local if-authenticated
aaa authorization exec AuthExecCON group TacacsServers local if-authenticated
aaa authorization exec AuthExecVTY group TacacsServers local if-authenticated
aaa authorization exec AuthzExecGUI local group TacacsServers
aaa authorization commands 1 default local
aaa authorization commands 1 AuthCmdCON group TacacsServers local if-authenticated
aaa authorization commands 1 AuthCmdVTY group TacacsServers local if-authenticated
aaa authorization commands 15 default local
aaa authorization commands 15 AuthCmdCON group TacacsServers local if-authenticated
aaa authorization commands 15 AuthCmdVTY group TacacsServers local if-authenticated
aaa accounting update newinfo periodic 2880
aaa accounting exec default start-stop group TacacsServers
aaa accounting exec AcctExecCON start-stop group TacacsServers
aaa accounting exec AcctExecVTY start-stop group TacacsServers
aaa accounting commands 1 AcctCmdCON start-stop group TacacsServers
aaa accounting commands 1 AcctCmdVTY start-stop group TacacsServers
aaa accounting commands 15 AcctCmdCON start-stop group TacacsServers
aaa accounting commands 15 AcctCmdVTY start-stop group TacacsServers

no ip http server
ip http authentication aaa login-authentication GUILogin
ip http authentication aaa exec-authorization AuthzExecGUI
ip http secure-server
ip http secure-trustpoint switch-cert
ip http session-idle-timeout 1200
ip http client connection forceclose
ip http client source-interface Vlan90

ip tacacs source-interface Vlan96

 

As for logs, I get nothing on the switch even with TACACS debug enabled, and on the ISE it is just a failed authentication error because the username is invalid. USERNAME is actually one that we specifically capture and push to a non-existent identity store to avoid unnecessary load on the real authentication servers, so the reported "error" is actually as expected. Here are some of the attributes as reported in the log message:

 

TACACS Protocol
Authentication Action Login
Authentication Privilege Level 1
Authentication Type ASCII
Authentication Service Login

Other Attributes
...
UserName USERNAME
Protocol Tacacs
RequestLatency 3008
Type Authentication
NetworkDeviceProfileId xxxxxx
AuthenticationMethod PAP_ASCII
SelectedAccessService Default Device Admin
SelectedAuthenticationIdentityStores Blackhole

This has already been answered a number of times on the communities, which you could have found with a quick search.

https://community.cisco.com/t5/wireless/how-to-setup-aaa-to-define-gui-role-in-cisco-wireless-controller/m-p/4292546#M226417

https://community.cisco.com/t5/wireless/9800-cl-webgui-login-issue/td-p/4306140

 

Short answer: 9800 GUI does not support AAA authorization at the moment.

Scott Fella
Hall of Fame

I have TACACS working on my 9800-L and 9800-CLs, but not using an embedded controller on a 9K. What I see on yours is that you have a different method for CLI and GUI. I don't see why you would want to do that, since you really want to use the same servers and priority. You have local set to be used first; is that what you want?

aaa authentication login GUILogin local group TacacsServers

You should try the following or use the cli method:

aaa authentication login GUILogin group TacacsServers local

aaa authorization exec AuthzExecGUI group TacacsServers local

You will only be able to use one or the other, so keep in mind that with the way you have yours, if local fails, it will not try TACACS. If you change to TACACS then local, what will happen is that you will have to pass the TACACS policy, and local will fail unless TACACS is not reachable.

-Scott
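The method-list ordering Scott points out (local listed before the TACACS+ group in the two lists the HTTP server references) is easy to miss in a long AAA block. The script below is an added example, not code from this thread or from Cisco: it parses the `aaa authentication login` / `aaa authorization exec` lists and the `ip http authentication aaa ...` references out of a config dump, and reports any referenced list that is missing, that never consults a server group, or that tries `local` before the group. The two config strings are constructed from the lines posted above (the original ordering, and Scott's suggested ordering); the function and variable names are this example's own.

```python
"""Audit the AAA method lists an IOS-XE HTTP server actually uses.

Constructed example: flags method lists where 'local' is tried before a
TACACS+ server group, the ordering discussed in the thread above.
"""
import re

# Constructed sample: the relevant lines of the config posted in the thread.
SAMPLE_CONFIG = """
aaa new-model
aaa group server tacacs+ TacacsServers
 server name TACACS1
 server name TACACS2
aaa authentication login default group TacacsServers local
aaa authentication login LoginVTY group TacacsServers local
aaa authentication login GUILogin local group TacacsServers
aaa authorization exec default group TacacsServers local if-authenticated
aaa authorization exec AuthzExecGUI local group TacacsServers
ip http authentication aaa login-authentication GUILogin
ip http authentication aaa exec-authorization AuthzExecGUI
"""

# Constructed sample: the same two GUI lists with the ordering Scott suggests.
CORRECTED_CONFIG = """
aaa authentication login GUILogin group TacacsServers local
aaa authorization exec AuthzExecGUI group TacacsServers local
ip http authentication aaa login-authentication GUILogin
ip http authentication aaa exec-authorization AuthzExecGUI
"""

METHOD_LIST_RE = re.compile(
    r"^aaa (?P<kind>authentication login|authorization exec) (?P<name>\S+) (?P<methods>.+)$"
)
HTTP_REF_RE = re.compile(
    r"^ip http authentication aaa (?P<hook>login-authentication|exec-authorization) (?P<name>\S+)$"
)
HOOK_TO_KIND = {
    "login-authentication": "authentication login",
    "exec-authorization": "authorization exec",
}


def parse_method_lists(config: str) -> dict:
    """Return {(kind, list_name): [method, ...]}; 'group X' is kept as one token."""
    lists = {}
    for line in config.splitlines():
        m = METHOD_LIST_RE.match(line.strip())
        if not m:
            continue
        tokens = m.group("methods").split()
        methods, i = [], 0
        while i < len(tokens):
            if tokens[i] == "group" and i + 1 < len(tokens):
                methods.append(f"group {tokens[i + 1]}")
                i += 2
            else:
                methods.append(tokens[i])
                i += 1
        lists[(m.group("kind"), m.group("name"))] = methods
    return lists


def http_references(config: str) -> dict:
    """Return {'login-authentication': list_name, 'exec-authorization': list_name}."""
    refs = {}
    for line in config.splitlines():
        m = HTTP_REF_RE.match(line.strip())
        if m:
            refs[m.group("hook")] = m.group("name")
    return refs


def audit_http_aaa(config: str) -> list:
    """Findings (strings) for the method lists referenced by 'ip http authentication aaa'."""
    lists = parse_method_lists(config)
    findings = []
    for hook, name in http_references(config).items():
        methods = lists.get((HOOK_TO_KIND[hook], name))
        if methods is None:
            findings.append(f"{hook}: method list '{name}' is referenced but not defined")
            continue
        groups = [i for i, m in enumerate(methods) if m.startswith("group ")]
        if not groups:
            findings.append(f"{hook}: '{name}' never consults a server group ({' '.join(methods)})")
            continue
        first_group = methods[groups[0]]
        if "local" in methods and methods.index("local") < groups[0]:
            findings.append(
                f"{hook}: '{name}' tries local before {first_group}; "
                f"suggest '{first_group} local'"
            )
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", SAMPLE_CONFIG), ("corrected", CORRECTED_CONFIG)):
        print(f"[{label}]")
        for finding in audit_http_aaa(cfg) or ["no findings"]:
            print("  " + finding)
```

Run against the posted config it reports both GUI lists (`GUILogin` and `AuthzExecGUI`); against the corrected ordering it reports nothing. The check only covers method order and dangling references; it says nothing about whether the 9800 GUI honours the exec-authorization result, which is the separate point raised in the replies above.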