cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
799
Views
0
Helpful
3
Replies

AAA and 6513/4510R

Wantser1981_2
Level 1
Level 1

Hi,

Having a little trouble getting AAA working on our core switches.

I have rolled the following config lines out to the rest of our network, but this doesnt work (although it is accepted) on the 6513's and 4510R's. I am missing something?

aaa new-model

aaa authentication login default group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa authorization exec default group tacacs+ local

aaa authorization commands 15 default group tacacs+ local

aaa accounting update newinfo

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 0 default start-stop group tacacs+

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 2 default start-stop group tacacs+

aaa accounting commands 3 default start-stop group tacacs+

aaa accounting commands 4 default start-stop group tacacs+

aaa accounting commands 5 default start-stop group tacacs+

aaa accounting commands 6 default start-stop group tacacs+

aaa accounting commands 7 default start-stop group tacacs+

aaa accounting commands 8 default start-stop group tacacs+

aaa accounting commands 9 default start-stop group tacacs+

aaa accounting commands 10 default start-stop group tacacs+

aaa accounting commands 11 default start-stop group tacacs+

aaa accounting commands 12 default start-stop group tacacs+

aaa accounting commands 13 default start-stop group tacacs+

aaa accounting commands 14 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting network default start-stop group tacacs+

aaa accounting connection default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

tacacs-server host x.x.x.x

tacacs-server directed-request

tacacs-server key **********

tacacs-server administration

line vty 0 4

login auth default

Any help greatly appriciated.

Andy

1 Accepted Solution

Accepted Solutions

Richard Burts
Hall of Fame
Hall of Fame

Andy

I do not see any obvious issues with the configuration. If you could provide us with some additional information to better define "not working" it would be quite helpful. Are requests getting to the TACACS server? If so, are there entries in the failed attempts report? If so they probably have an error code that will help to define what is the problem.

If requests are not getting to the TACACS server then there are some things to check:

- is the server address correctly configured?

- do you have IP connectivity from the switches to the server? (easy check is can you ping?)

- is it possible that the server is configured to expect one address as the source address of the authentication request and the switch is using a different address? (the solution for that is to use the command: ip tacacs source-interface)

- is it possible that some router or firewall along the path is not forwarding the authentication request?

HTH

Rick

HTH

Rick

View solution in original post

3 Replies 3

Richard Burts
Hall of Fame
Hall of Fame

Andy

I do not see any obvious issues with the configuration. If you could provide us with some additional information to better define "not working" it would be quite helpful. Are requests getting to the TACACS server? If so, are there entries in the failed attempts report? If so they probably have an error code that will help to define what is the problem.

If requests are not getting to the TACACS server then there are some things to check:

- is the server address correctly configured?

- do you have IP connectivity from the switches to the server? (easy check is can you ping?)

- is it possible that the server is configured to expect one address as the source address of the authentication request and the switch is using a different address? (the solution for that is to use the command: ip tacacs source-interface)

- is it possible that some router or firewall along the path is not forwarding the authentication request?

HTH

Rick

HTH

Rick

Hmm, not working isnt very helpful is it!

Appologies. However you have solved my issue without any extra info. Source interface was not set! D'oh.

Many thanks

Andy

Andy

I am glad that my answer was able to point you to the solution. Not specifying the source interface is an easy thing to overlook and a fairly common problem.

Thank you for using the rating system to indicate that your problem was resolved (and thanks for the rating). It makes the forum more useful when people can read a problem and can know that there was a response which did resolve the problem.

The forum is an excellent place to learn about Cisco networking. I encourage you to continue your participation in the forum.

HTH

Rick

HTH

Rick
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco