05-12-2008 01:02 AM
Hi,
Having a little trouble getting AAA working on our core switches.
I have rolled the following config lines out to the rest of our network, but this doesn't work (although it is accepted) on the 6513's and 4510R's. Am I missing something?
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 2 default start-stop group tacacs+
aaa accounting commands 3 default start-stop group tacacs+
aaa accounting commands 4 default start-stop group tacacs+
aaa accounting commands 5 default start-stop group tacacs+
aaa accounting commands 6 default start-stop group tacacs+
aaa accounting commands 7 default start-stop group tacacs+
aaa accounting commands 8 default start-stop group tacacs+
aaa accounting commands 9 default start-stop group tacacs+
aaa accounting commands 10 default start-stop group tacacs+
aaa accounting commands 11 default start-stop group tacacs+
aaa accounting commands 12 default start-stop group tacacs+
aaa accounting commands 13 default start-stop group tacacs+
aaa accounting commands 14 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
tacacs-server host x.x.x.x
tacacs-server directed-request
tacacs-server key **********
tacacs-server administration
line vty 0 4
login auth default
Any help greatly appreciated.
Andy
05-12-2008 02:58 AM
Andy
I do not see any obvious issues with the configuration. If you could provide us with some additional information to better define "not working" it would be quite helpful. Are requests getting to the TACACS server? If so, are there entries in the failed attempts report? If so they probably have an error code that will help to define what is the problem.
If requests are not getting to the TACACS server then there are some things to check:
- is the server address correctly configured?
- do you have IP connectivity from the switches to the server? (easy check is can you ping?)
- is it possible that the server is configured to expect one address as the source address of the authentication request and the switch is using a different address? (the solution for that is to use the command: ip tacacs source-interface)
- is it possible that some router or firewall along the path is not forwarding the authentication request?
HTH
Rick
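As an added example (not code from the thread or from Cisco): a small Python audit of an IOS-style AAA snippet like the one above, checking the points Rick lists (server host, shared key, VTY login method list, local fallback) and flagging the missing ip tacacs source-interface that turned out to be the problem. The sample config, its server address and key are constructed for the example.

```python
from typing import List

# Constructed sample config (not the poster's exact config): the AAA lines from
# the thread, with an 'ip tacacs source-interface' line deliberately absent.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
tacacs-server host 192.0.2.10
tacacs-server key EXAMPLEKEY
line vty 0 4
 login authentication default
"""


def audit_tacacs_config(config: str) -> List[str]:
    """Return a list of findings for an IOS-style AAA/TACACS+ config snippet."""
    lines = [l.rstrip() for l in config.splitlines() if l.strip()]
    top = [l for l in lines if not l.startswith(" ")]  # global config lines
    findings: List[str] = []

    def has(prefix: str) -> bool:
        return any(l.startswith(prefix) for l in top)

    if not has("aaa new-model"):
        findings.append("aaa new-model missing: method lists are not applied")
    if not has("tacacs-server host "):
        findings.append("no tacacs-server host configured")
    if not has("tacacs-server key "):
        findings.append("no tacacs-server key: server will reject the requests")
    if not has("ip tacacs source-interface "):
        findings.append("ip tacacs source-interface not set: a switch with many "
                        "SVIs may source requests from an address the server "
                        "has no client entry for")
    login = next((l for l in top
                  if l.startswith("aaa authentication login default ")), None)
    if login is None:
        findings.append("no default login method list")
    elif "local" not in login.split()[4:]:
        findings.append("login method list has no local fallback: lockout "
                        "if the TACACS+ server is unreachable")
    # Walk the 'line vty' section to confirm the VTYs invoke a method list
    # ('login auth' is accepted as the abbreviated form IOS allows).
    in_vty = vty_ok = False
    for l in lines:
        if not l.startswith(" "):
            in_vty = l.startswith("line vty")
        elif in_vty and l.lstrip().startswith("login auth"):
            vty_ok = True
    if not vty_ok:
        findings.append("line vty has no 'login authentication' statement")
    return findings
```

Running audit_tacacs_config(SAMPLE_CONFIG) reports only the missing source interface; adding an ip tacacs source-interface line to the sample clears it.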
05-12-2008 03:24 AM
Hmm, "not working" isn't very helpful, is it!
Apologies. However, you have solved my issue without any extra info. Source interface was not set! D'oh.
Many thanks
Andy
05-12-2008 03:50 AM
Andy
I am glad that my answer was able to point you to the solution. Not specifying the source interface is an easy thing to overlook and a fairly common problem.
Thank you for using the rating system to indicate that your problem was resolved (and thanks for the rating). It makes the forum more useful when people can read a problem and can know that there was a response which did resolve the problem.
The forum is an excellent place to learn about Cisco networking. I encourage you to continue your participation in the forum.
HTH
Rick