Configuration AAA on Cisco ASR 9001

Hello,

I need your help setting up TACACS+ on a Cisco ASR 9001.
After several configurations, authentication still does not work.

Below is my config. Thank you for your support.

 

tacacs source-interface MgmtEth0/RSP0/CPU0/0 vrf management
tacacs-server host X.X.X.1 port 49
key 7 yyyyyyyyyy
!
tacacs-server host X.X.X.2 port 49
key 7 yyyyyyyyy
!
aaa accounting exec default start-stop group TACACSGRP none
aaa accounting system default start-stop group TACACSGRP none
aaa accounting commands default start-stop group TACACSGRP none
aaa group server tacacs+ TACACSGRP
vrf management
server-private X.X.X.1 port 49
key 7 yyyyyyyy
!
server-private X.X.X.2 port 49
key 7 yyyyyyyy
!
!
aaa authorization exec console local
aaa authorization exec default group TACACSGRP local
aaa authorization commands console none
aaa authorization commands default group TACACSGRP none
aaa authentication login console local
aaa authentication login default group TACACSGRP local
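The configuration above is a good candidate for a mechanical review before chasing the problem on the box. The script below is an added example written for this thread, not code from the original post or from Cisco; it parses a flattened IOS XR-style TACACS+/AAA configuration (a constructed copy of the one posted, with the poster's X.X.X.n and yyyy placeholders) and reports the things that most often explain "authentication still does not work" or quietly weaken the design: a VRF mismatch between `tacacs source-interface` and the server group, a `server-private` key that differs from the global `tacacs-server host` key for the same address, a method list that references an undefined group, and, more generally than this one config, any authentication or authorization list that falls open to `none` when the TACACS+ group is unreachable. Function names (`parse_tacacs_config`, `lint_tacacs`) and the `TacacsConfig` structure are my own; the parser only understands the command forms that appear in the thread.

```python
"""Lint an IOS XR-style TACACS+/AAA configuration for common pitfalls.

Added example, not from the forum thread. It parses the flattened running
configuration text (sub-modes are closed by '!' lines) and reports VRF
mismatches, key mismatches, undefined groups and fail-open method lists.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed copy of the configuration posted in the question; addresses and
# keys are the placeholders the poster used.
SAMPLE_CONFIG = """\
tacacs source-interface MgmtEth0/RSP0/CPU0/0 vrf management
tacacs-server host X.X.X.1 port 49
key 7 yyyyyyyyyy
!
tacacs-server host X.X.X.2 port 49
key 7 yyyyyyyyy
!
aaa accounting exec default start-stop group TACACSGRP none
aaa accounting system default start-stop group TACACSGRP none
aaa accounting commands default start-stop group TACACSGRP none
aaa group server tacacs+ TACACSGRP
vrf management
server-private X.X.X.1 port 49
key 7 yyyyyyyy
!
server-private X.X.X.2 port 49
key 7 yyyyyyyy
!
!
aaa authorization exec console local
aaa authorization exec default group TACACSGRP local
aaa authorization commands console none
aaa authorization commands default group TACACSGRP none
aaa authentication login console local
aaa authentication login default group TACACSGRP local
"""


@dataclass
class TacacsConfig:
    source_vrf: Optional[str] = None
    # ip -> key taken from 'tacacs-server host' blocks (None if no key line)
    global_servers: Dict[str, Optional[str]] = field(default_factory=dict)
    # group name -> {"vrf": str, "servers": {ip: private key or None}}
    groups: Dict[str, dict] = field(default_factory=dict)
    # (service, kind, list name, methods); a group method is stored as "group:NAME"
    method_lists: List[Tuple[str, str, str, List[str]]] = field(default_factory=list)


def _methods(tokens: List[str]) -> List[str]:
    """Turn 'group TACACSGRP local' into ['group:TACACSGRP', 'local']."""
    out, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            out.append("group:" + tokens[i + 1])
            i += 2
        else:
            out.append(tokens[i])
            i += 1
    return out


def parse_tacacs_config(text: str) -> TacacsConfig:
    cfg = TacacsConfig()
    # open sub-modes: ("host", ip) / ("group", name) / ("server", group, ip)
    stack: List[tuple] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":                      # '!' closes the innermost sub-mode
            if stack:
                stack.pop()
            continue
        m = re.match(r"tacacs source-interface \S+(?: vrf (\S+))?$", line)
        if m:
            cfg.source_vrf = m.group(1) or "default"
            continue
        m = re.match(r"tacacs-server host (\S+)", line)
        if m:
            cfg.global_servers.setdefault(m.group(1), None)
            stack.append(("host", m.group(1)))
            continue
        m = re.match(r"aaa group server tacacs\+ (\S+)", line)
        if m:
            cfg.groups[m.group(1)] = {"vrf": "default", "servers": {}}
            stack.append(("group", m.group(1)))
            continue
        m = re.match(r"aaa (authentication|authorization|accounting) (\S+) (\S+) (.+)$", line)
        if m:
            tokens = m.group(4).split()
            if m.group(1) == "accounting" and tokens and tokens[0] in ("start-stop", "stop-only"):
                tokens = tokens[1:]          # the record type is not a method
            cfg.method_lists.append((m.group(1), m.group(2), m.group(3), _methods(tokens)))
            continue
        if not stack:
            continue
        ctx = stack[-1]
        m = re.match(r"key(?: \d)? (\S+)$", line)   # 'key 7 xxxx' or 'key xxxx'
        if m and ctx[0] == "host":
            cfg.global_servers[ctx[1]] = m.group(1)
        elif m and ctx[0] == "server":
            cfg.groups[ctx[1]]["servers"][ctx[2]] = m.group(1)
        elif ctx[0] == "group":
            m = re.match(r"vrf (\S+)$", line)
            if m:
                cfg.groups[ctx[1]]["vrf"] = m.group(1)
                continue
            m = re.match(r"server(-private)? (\S+)", line)
            if m and m.group(2) != "name":
                cfg.groups[ctx[1]]["servers"][m.group(2)] = None   # None: inherits the global key
                if m.group(1):               # server-private opens a sub-mode holding its key
                    stack.append(("server", ctx[1], m.group(2)))
    return cfg


def lint_tacacs(cfg: TacacsConfig) -> List[str]:
    findings = []
    for name, grp in cfg.groups.items():
        if cfg.source_vrf is not None and grp["vrf"] != cfg.source_vrf:
            findings.append(f"group {name}: vrf '{grp['vrf']}' differs from tacacs source-interface vrf '{cfg.source_vrf}'")
        for ip, key in grp["servers"].items():
            global_key = cfg.global_servers.get(ip)
            if key is None and global_key is None:
                findings.append(f"group {name}: server {ip} has no key (no server-private key and no tacacs-server host entry)")
            elif key is not None and global_key is not None and key != global_key:
                findings.append(f"group {name}: server-private key for {ip} differs from its tacacs-server host key")
    for service, kind, name, methods in cfg.method_lists:
        groups_used = [m[len("group:"):] for m in methods if m.startswith("group:")]
        for g in groups_used:
            if g not in cfg.groups:
                findings.append(f"aaa {service} {kind} {name}: references undefined group {g}")
        # 'none' as the last method is consulted when every earlier method errors out,
        # so an unreachable TACACS+ group silently turns authorization off.
        if service in ("authentication", "authorization") and groups_used and methods[-1] == "none":
            findings.append(f"aaa {service} {kind} {name}: falls open to 'none' when group {groups_used[0]} is unreachable")
    return findings


if __name__ == "__main__":
    for finding in lint_tacacs(parse_tacacs_config(SAMPLE_CONFIG)):
        print(finding)
```

Run against the posted configuration it reports the two key mismatches between the `tacacs-server host` entries and the `server-private` entries inside the group (which one the router actually uses is worth confirming with `show tacacs`), and flags `aaa authorization commands default group TACACSGRP none` as fail-open; `local` as the last method, as on the `aaa authentication login default` line, is a fallback rather than a bypass and is not reported.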


Hi,
I am not sure about the "server-private" command you are using there; I don't have access to my lab to test. The following works for me, try mirroring the command syntax below. I believe those "tacacs-server" commands will soon be deprecated anyway.

 

tacacs server ISE1
address ipv4 192.168.10.10
key Cisco1234
timeout 10
tacacs server ISE2
address ipv4 192.168.10.11
key Cisco1234
timeout 10

aaa group server tacacs+ TACACSGRP
server name ISE1
server name ISE2

Other than that the configuration appears to be ok

 

HTH

Hi RJI,

I have an error when I try to test your configuration.

See below:

 

RP/0/RSP0/CPU0:ASR-01(config)#tacacs-server ISE1
                                                                                        ^
% Invalid input detected at '^' marker.
RP/0/RSP0/CPU0:ASR-01(config)#tacacs ?
source-interface Specify interface for source address in TACACS+ packets
RP/0/RSP0/CPU0:ASR-01(config)#tacacs-server ?
host Specify a TACACS+ server
ipv4 Mark the dscp bit for ipv4 packets
ipv6 Mark the dscp bit for ipv6 packets
key Set TACACS+ encryption key
timeout Time to wait for a TACACS server to reply

It's "tacacs server ISE1", not "tacacs-server": no "-" between tacacs and server.

HTH

After tacacs (without "-") we have just one option, to specify the source-interface:

 

RP/0/RSP0/CPU0:ASR-01(config)#tacacs ?
source-interface Specify interface for source address in TACACS+ packets

Ok, sorry, looking closer I see that in your output now.
If you replace "server-private" with "server X.X.X.1 port 49", does that work?
What is the output of "show tacacs"? Does it show the tacacs servers as active?
Does the TACACS server even receive the packets?