05-24-2008 03:19 PM - edited 03-10-2019 03:52 PM
Hi all,
I am experiencing a strange issue with tacacs authentication. Here are related commands for tacacs on the switch.
===========
aaa new-model
aaa authentication login default local-case enable
aaa authentication login aaa group tacacs+ local-case
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
!
tacacs-server host 10.0.0.1
tacacs-server host 1.0.0.1
tacacs-server host 1.0.0.0
tacacs-server directed-request
tacacs-server key aaakey
radius-server source-ports 1645-1646
!
line con 0
login authentication aaa
line vty 0 4
login authentication aaa
========
The problem is that every time the tacacs-server's daemon (10.0.0.1) stops responding or has memory corruption on the server, my tacacs login no longer works. I tried with local-case but still got the "Permission denied, please try again." message. And this also applies to the console. I wonder why tacacs does not fall through to the next tacacs-server nor use local-case?
Any suggestions or opinions are appreciated.
Thanks,
J
05-24-2008 06:22 PM
J
I wonder in your config about the configuration of the backup servers. 1.0.0.1 is an odd host address. Is this a valid host address in your network? And 1.0.0.0 would surely seem like an invalid host address in any network. Are you sure that these are valid host addresses for servers?
I wonder whether the problem is an authentication error or if it might be an authorization error. If you would run debug aaa authentication, debug aaa authorization, debug tacacs authentication, and debug tacacs authorization it might shed light on what the problem really is.
HTH
Rick
05-24-2008 08:40 PM
Hi Rick,
Thanks for the prompt reply. No, those IPs are not the valid IPs for the tacacs server. I made those up for posting here. 1.0.0.0 was a typo... The server is working fine now and I do not have a problem authenticating. I will run those debugs and post here as soon as I can.
Thanks!
J
05-26-2008 08:05 PM
J
If the server is working fine and you do not have problems authenticating then there is no real purpose in running the debugs. They would have been helpful in finding the problem. But if there is no problem then there is little reason to run debug.
HTH
Rick
05-27-2008 04:05 AM
The issue has to do with authorization. Try this and it will work:
aaa authorization exec VTY group tacacs+ if-authenticated none
aaa authorization commands 0 VTY group tacacs+ if-authenticated none
aaa authorization commands 1 VTY group tacacs+ if-authenticated none
aaa authorization commands 15 VTY group tacacs+ if-authenticated none
aaa authorization network VTY group tacacs+ if-authenticated none
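As an added illustration (not code from this thread or from Cisco), the Python model below mimics how IOS walks an AAA method list: the next method is consulted only when the previous one returns an error (no usable answer from the server), never when it returns an explicit failure. That is why the local and local-case fallbacks in the original config only help when the server is silent and the user also exists in the local database, whereas if-authenticated passes any user the TACACS+ server already authenticated. Server states, usernames and passwords are constructed.

```python
"""Added model of IOS AAA method-list fallback (not from the thread). A method
returns PASS, FAIL or ERROR; IOS tries the next method only after ERROR (no
usable answer), never after FAIL (an explicit reject). Data is constructed."""

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"
LOCAL_USERS = {"admin": "Secret1"}                     # 'local-case' database
TACACS_USERS = {"admin": "Secret1", "ops": "OpsPass"}  # constructed server users

def make_tacacs(authn_state, authz_state):
    """Build a 'group tacacs+' method; each state is 'ok', 'down' or 'reject'."""
    def tacacs(ctx, phase):
        state = authn_state if phase == "authn" else authz_state
        if state == "down":
            return ERROR  # no response: IOS moves on to the next method
        if state == "reject":
            return FAIL   # daemon answered but refused: the list stops here
        if phase == "authn":
            return PASS if TACACS_USERS.get(ctx["user"]) == ctx["password"] else FAIL
        return PASS       # a healthy server authorizes the exec shell
    return tacacs

def local_case(ctx, phase):
    return PASS if LOCAL_USERS.get(ctx["user"]) == ctx["password"] else FAIL

def local(ctx, phase):  # 'local' exec authorization needs a local user entry
    return PASS if ctx["user"] in LOCAL_USERS else FAIL

def if_authenticated(ctx, phase):
    return PASS if ctx.get("authenticated") else FAIL

none = lambda ctx, phase: PASS  # 'none': no authorization check at all

def run_method_list(methods, ctx, phase):
    """Evaluate methods in order with IOS semantics; all-ERROR counts as FAIL."""
    for method in methods:
        result = method(ctx, phase)
        if result != ERROR:
            return result
    return FAIL

def login(authn_state, authz_state, user, password, authz_list):
    """Authenticate with 'group tacacs+ local-case', then authorize exec with
    'group tacacs+ local' (thread's config) or '... if-authenticated none' (fix)."""
    ctx = {"user": user, "password": password}
    tacacs = make_tacacs(authn_state, authz_state)
    if run_method_list([tacacs, local_case], ctx, "authn") != PASS:
        return "login rejected"
    ctx["authenticated"] = True
    authz = [tacacs, local] if authz_list == "local" else [tacacs, if_authenticated, none]
    return "exec granted" if run_method_list(authz, ctx, "authz") == PASS else "Permission denied"
```

Two points the model makes visible: a named list such as VTY only takes effect once it is applied under the line (authorization exec VTY, and likewise for the commands lists), and a trailing none means that whenever TACACS+ gives no answer, authorization is granted with no check at all, which is a deliberate availability-over-control trade-off.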