Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
773
Views
0
Helpful
5
Replies

Configuration AAA on Cisco ASR 9001

Barthelemy Niokhor THIAW
Level 1
Level 1

‎02-26-2020 01:37 AM

Hello,

I need your help setting up tacacs + on a cisco ASR 9001.
After several configurations, authentication still does not work.

Below my config. Thank you for your support.

 

tacacs source-interface MgmtEth0/RSP0/CPU0/0 vrf management
tacacs-server host X.X.X.1 port 49
key 7 yyyyyyyyyy
!
tacacs-server host X.X.X.2 port 49
key 7 yyyyyyyyy
!
aaa accounting exec default start-stop group TACACSGRP none
aaa accounting system default start-stop group TACACSGRP none
aaa accounting commands default start-stop group TACACSGRP none
aaa group server tacacs+ TACACSGRP
vrf management
server-private X.X.X.1 port 49
key 7 yyyyyyyy
!
server-private X.X.X.2 port 49
key 7 yyyyyyyy
!
!
aaa authorization exec console local
aaa authorization exec default group TACACSGRP local
aaa authorization commands console none
aaa authorization commands default group TACACSGRP none
aaa authentication login console local
aaa authentication login default group TACACSGRP local

Labels:
0 Helpful
5 Replies 5

Rob Ingram
VIP
VIP

‎02-26-2020 03:18 AM

Hi,
I am not sure about the "server-privatec" command you are using there, I don't have access to my lab to test. The following works for me, try mirroring the command syntax below. I believe those "tacacs-server" commands will soon be depreciated anyway.

 

tacacs server ISE1
 address ipv4 192.168.10.10
 key Cisco1234
 timeout 10
tacacs server ISE2
 address ipv4 192.168.10.11
 key Cisco1234
 timeout 10

aaa group server tacacs+ TACACSGRP
server name ISE1
server name ISE2

Other than that the configuration appears to be ok

 

HTH

0 Helpful

Barthelemy Niokhor THIAW
Level 1
Level 1
In response to Rob Ingram

‎02-26-2020 06:35 AM

Hi RJI,

I have an error when i try to test your configuration.

see below :

 

RP/0/RSP0/CPU0:ASR-01(config)#tacacs-server ISE1
                                                                                        ^
% Invalid input detected at '^' marker.
RP/0/RSP0/CPU0:ASR-01(config)#tacacs ?
source-interface Specify interface for source address in TACACS+ packets
RP/0/RSP0/CPU0:ASR-01(config)#tacacs-server ?
host Specify a TACACS+ server
ipv4 Mark the dscp bit for ipv4 packets
ipv6 Mark the dscp bit for ipv6 packets
key Set TACACS+ encryption key
timeout Time to wait for a TACACS server to reply

0 Helpful

Rob Ingram
VIP
VIP
In response to Barthelemy Niokhor THIAW

‎02-26-2020 06:55 AM

It's "tacacs server ISE1" not "tacacs-server", no "-" between tacacs and server.

HTH
0 Helpful

Barthelemy Niokhor THIAW
Level 1
Level 1
In response to Rob Ingram

‎02-26-2020 07:38 AM

After tacacs (without "-") we have just one option to specify the source-interface

 

RP/0/RSP0/CPU0:ASR-01(config)#tacacs ?
source-interface Specify interface for source address in TACACS+ packets

0 Helpful

Rob Ingram
VIP
VIP
In response to Barthelemy Niokhor THIAW

‎02-26-2020 07:51 AM

Ok, sorry looking closer, I see that in your output now.
If you replace "server-private" with "server X.X.X.1 port 49" does that work?
What is the output of "show tacacs" does it show the tacacs servers as active?
Does the TACACS server even receive the packets?
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents