Tacacs login fails to go local when the tacacs daemon stops

Unanswered Question
May 24th, 2008

Hi all,

I am experiencing a strange issue with tacacs authentication. Here are related commands for tacacs on the switch.

===========
aaa new-model
aaa authentication login default local-case enable
aaa authentication login aaa group tacacs+ local-case
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
!
tacacs-server host 10.0.0.1
tacacs-server host 1.0.0.1
tacacs-server host 1.0.0.0
tacacs-server directed-request
tacacs-server key aaakey
radius-server source-ports 1645-1646
!
line con 0
 login authentication aaa
line vty 0 4
 login authentication aaa
========

The problem is that every time the tacacs-server's daemon (10.0.0.1) stops responding or there is memory corruption on the server, my tacacs login no longer works. I tried with local-case but still got the "Permission denied, please try again." message. This also applies to the console. I wonder why tacacs does not fall through to the next tacacs-server nor use local-case?

Any suggestions or opinions are appreciated.

Thanks,

J

Richard Burts Sat, 05/24/2008 - 18:22

J

I wonder in your config about the configuration of the backup servers. 1.0.0.1 is an odd host address. Is this a valid host address in your network? And 1.0.0.0 would surely seem like an invalid host address in any network. Are you sure that these are valid host addresses for servers?

I wonder whether the problem is an authentication error or if it might be an authorization error. If you would run debug aaa authentication, debug aaa authorization, debug tacacs authentication, and debug tacacs authorization it might shed light on what the problem really is.

HTH

Rick

jayshihlin Sat, 05/24/2008 - 20:40

Hi Rick,

Thanks for the prompt reply. No, those IPs are not the valid IPs of the tacacs servers. I made them up for posting here. 1.0.0.0 was a typo... The server is working fine now and I do not have problems authenticating. I will run those debugs and post here as soon as I can.

Thanks!

J

Richard Burts Mon, 05/26/2008 - 20:05

J

If the server is working fine and you do not have problems authenticating then there is no real purpose in running the debugs. They would have been helpful in finding the problem. But if there is no problem then there is little reason to run debug.

HTH

Rick

cisco24x7 Tue, 05/27/2008 - 04:05

The issue has to do with authorization. Try this and it will work:

aaa authorization exec VTY group tacacs+ if-authenticated none
aaa authorization commands 0 VTY group tacacs+ if-authenticated none
aaa authorization commands 1 VTY group tacacs+ if-authenticated none
aaa authorization commands 15 VTY group tacacs+ if-authenticated none
aaa authorization network VTY group tacacs+ if-authenticated none
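An added illustration, not from the thread and not IOS code: a small Python model of the method-list rule under which IOS moves to the next method only when a method returns ERROR (no server answered), while a server that answers with a reject ends the list as FAIL. It runs the original post's login list (group tacacs+ then local-case) and exec authorization list (group tacacs+ then local, or the if-authenticated/none variant from the reply above) against constructed server states, so the case of a silent daemon can be compared with a daemon that is up but rejecting. The fall-through rule, the server states and the local user "admin" are assumptions of this model.

```python
# Added model of Cisco IOS AAA method-list evaluation (illustration, not IOS code).
# Rule modeled (assumption): a method returning ERROR (no server answered) lets the
# next method run; PASS or FAIL (a server did answer) ends the list immediately.
PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

def evaluate(method_list, user):
    """Apply methods in order; only ERROR moves on to the next one."""
    for name, method in method_list:
        result = method(user)
        if result != ERROR:
            return result, name
    return ERROR, "exhausted"          # every method errored: access is denied

def group_tacacs(servers):
    """'group tacacs+': hosts tried in order; a silent host is skipped."""
    def method(user):
        for state in servers:          # constructed states: "down", "accept", "reject"
            if state != "down":
                return PASS if state == "accept" else FAIL
        return ERROR                   # no host responded -> method ERROR
    return method

def local_db(users):
    """'local-case' (login) or 'local' (exec authorization): user must exist locally."""
    return lambda user: PASS if user in users else FAIL

def if_authenticated(user):            # succeeds for any user who passed login
    return PASS

def none(user):                        # no authorization performed
    return PASS

LOCAL_USERS = {"admin"}                # constructed local user database

def login_outcome(servers, authz_fallback="local", user="admin"):
    """Run the 'login authentication aaa' list, then the exec authorization list."""
    authn = [("group tacacs+", group_tacacs(servers)),
             ("local-case", local_db(LOCAL_USERS))]
    if authz_fallback == "local":      # the original 'aaa authorization exec default ...'
        authz = [("group tacacs+", group_tacacs(servers)), ("local", local_db(LOCAL_USERS))]
    else:                              # the 'if-authenticated none' variant from the reply
        authz = [("group tacacs+", group_tacacs(servers)),
                 ("if-authenticated", if_authenticated), ("none", none)]
    result, via = evaluate(authn, user)
    if result != PASS:
        return "denied", "authentication", via
    result, via = evaluate(authz, user)
    return ("granted" if result == PASS else "denied"), "authorization", via

if __name__ == "__main__":
    for servers in (["down", "down", "down"], ["reject", "down", "down"], ["accept"]):
        print(servers, login_outcome(servers))
```

A daemon that is silent on every host lets the local methods take over, whereas a daemon that is still answering but rejecting stops the login list at the first method, which is worth checking with the debugs suggested earlier before changing the authorization lists.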
