05-09-2008 06:29 AM - edited 03-10-2019 03:50 PM
I am having problems getting TACACS+ AAA working with my 3560 switches. I have set up users, groups, and NDG on ACS SE as per the CS ACS course material and have triple checked my keys to make sure they match. I have attached debug from switch for authentication, authorization and tacacs+. Can someone please tell me what I am doing wrong?
05-09-2008 06:36 AM
This seems to be a key mismatch. Please note that if you also have an NDG key configured, that can cause a key mismatch.
Important: the NDG key overwrites the AAA-client key.
Please use the same key for the NDG and the client, or simply remove the NDG key.
Regards,
~JG
Do rate helpful posts
05-09-2008 07:31 AM
I did match all the keys, but just tried deleting the NDG key and retest and got the same results. Switch comes back with % Backup authentication.
Also note that in the failed attempts report, I can change the keys, so they don't match, and get an Authentication Failed key mismatch entry in the report. When the keys match there is no entry in the failed attempts report and no entry in the passed authentications report. Tacacs+ accounting report shows an entry for the username I am using and shows start acct flag and service shell.
05-09-2008 07:48 AM
In layer 3 devices, other than the normal aaa commands, we also need to define a tacacs source interface so that it uses only that interface for sending tacacs requests to ACS.
AAA-Switch(config)#ip tacacs source-interface (vlan or loopback or gigabit interface)
In the above command we need to define the interface that is listed in acs--->network configuration--->Router.
Regards,
~JG
05-09-2008 08:19 AM
Here is the config I have on the switch. (sorry should have sent this already).
aaa new-model
aaa authentication login default group tacacs+ none
aaa authentication login no_aaa none
aaa authorization exec default group tacacs+ none
aaa authorization exec no_aaa none
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa authorization commands 15 no_aaa none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
!
interface VLAN1
 ip address 10.200.1.16 255.255.255.0
 no ip directed-broadcast
 no ip route-cache
!
ip tacacs source-interface VLAN1
!
tacacs-server host 10.200.35.250
tacacs-server key cisco
!
line con 0
 authorization commands 15 no_aaa
 authorization exec no_aaa
 login authentication no_aaa
 transport input none
 stopbits 1
line vty 5 15
!
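The two points raised in this thread, binding TACACS+ traffic to the interface that is registered in ACS and choosing the fallback method when the server is unreachable, are easier to see in one complete configuration. The following is an added example, not the original poster's configuration or anything from the thread: it keeps the same structure and the thread's 10.200.x.x addresses, but replaces the "none" fallback with a local fallback so that an unreachable ACS does not leave the switch open, and adds the exec-mode commands for checking reachability. The shared key, the local username and its password are placeholders to be replaced.

```cisco
! Added example (not from the thread). Assumptions: management SVI Vlan1
! is the address registered as the AAA client in ACS; placeholders in
! angle brackets must be replaced before use.
aaa new-model
!
! Local emergency account, consulted only when no TACACS+ server answers
username <fallback-admin> privilege 15 secret <strong-local-password>
enable secret <strong-enable-secret>
!
! Authentication: TACACS+ first, then the local database.
! The thread's config uses "none" here, which admits anyone with no
! password once the server is unreachable; "local" closes that gap.
aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE local
aaa authentication enable default group tacacs+ enable
!
! Authorization: when the server is reachable its answer is final;
! "if-authenticated" only applies when it cannot be reached.
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
! Console keeps a local path so the box stays manageable without ACS
aaa authorization exec CONSOLE local
aaa authorization commands 15 CONSOLE none
!
! Accounting: exec sessions and level-15 commands go to ACS
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! Source interface: the request must arrive from the address that ACS has
! under Network Configuration for this client, otherwise the request is
! rejected as an unknown client or a key mismatch
interface Vlan1
 ip address 10.200.1.16 255.255.255.0
!
ip tacacs source-interface Vlan1
tacacs-server host 10.200.35.250 timeout 5
tacacs-server key <shared-secret>
!
line con 0
 login authentication CONSOLE
 authorization exec CONSOLE
 authorization commands 15 CONSOLE
line vty 0 15
 transport input ssh
! vty lines carry no method-list statements, so the default lists apply
!
! Verification, typed in exec mode (not config mode):
!   test aaa group tacacs+ <username> <password> legacy
!   show tacacs
!   debug tacacs
! "test aaa" reports whether ACS accepted, rejected, or did not answer
! the request, which separates a key or client mismatch from a reachability
! problem before any real login is attempted.
```

The difference between "group tacacs+ none" and "group tacacs+ local" only shows up when ACS is down: with "none" the switch stops asking for credentials, with "local" it falls back to the configured emergency account. The "test aaa" command exercises the same source interface and key as a real login, so it is the quickest way to confirm that the ACS client entry matches the switch's source address.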
05-15-2008 05:49 AM
Any other ideas?
As a test, I set up a Windows server and installed ACS 4.1(2) Build 23 on it. I put the same config on it as on the SE and it works. I have checked the config on both the Windows and the SE and they are the same from what I can tell.
Please help!!
05-15-2008 07:28 AM
Do you have dual NIC on acs windows ?
Regards,
~JG
05-16-2008 03:33 AM
Yes, but I am only using one. We have fully tested RADIUS and TACACS+ on the Windows ACS and everything is working perfectly. Can't figure out why the SEs will not.
05-17-2008 04:54 AM
Ohh, so it's the SE that is not working.
Do this: ACS ---> Network Configuration ---> Proxy Distribution Table ---> click on Default ---> if you see delivenrance 1 under AAA server, drag it to "Forward to" ---> and whatever is there under "Forward to", drag it to AAA server ---> Submit + Apply.
It should work now.
If you don't see the Proxy Distribution option, then go to ACS ---> Interface Configuration ---> Advanced Options ---> enable Distributed Table.
Regards,
~JG
05-19-2008 04:05 AM
That did it!!
Thank you!
Darren