Secure ACS

itssnsu07
Level 1

We have deployed Secure ACS v4.1 and made the required configuration changes on the switches. All access layer switches work perfectly, but the distribution and core switches (4506 and 4507) are not being authenticated using the ACS.

The configuration I made on the switches is:

-=-=-=-=-=

1. Configure AAA Authentication

   1. Create local administrative accounts.
   2. Specify one or more TACACS+ servers.
   3. Specify the TACACS+ key.
   4. Specify the TACACS+ timeout interval (default = 5 sec).
   5. Configure the authentication option:

   # aaa new-model
   # aaa authentication login default group tacacs+ local
   # aaa authentication enable default group tacacs+ line

2. Configure AAA Accounting

   # aaa accounting system default start-stop group tacacs+
   # aaa accounting exec default start-stop group tacacs+
   # aaa accounting commands 0 default start-stop group tacacs+
   # aaa accounting commands 15 default start-stop group tacacs+
   # aaa accounting network default start-stop group tacacs+

-=-=-=-=

Do I need additional configuration on the 4506/4507 switches?

Thanks!

ET.

18 Replies

Collin Clark
VIP Alumni

Did you check your ACS logs? On devices with multiple interfaces, it's useful to source TACACS+ from a loopback for consistency and ease of management.

Router(config)# ip tacacs source-interface Loopback0

I also assume you have the correct login method under your VTYs.

Hope that helps.

Thank you very much. Yes, I tried to look into the logs but couldn't see any.

I have now tried putting

Router(config)# ip tacacs source-interface Loopback0

but it is the same thing.

What else shall I check?

Thank you so much!

I believe the TACACS+ server is not able to communicate with the switch IP.

Are you able to ping the TACACS+ server from the switch?

The TACACS+ source interface should be the interface via which the server is reachable.

Also, use this interface's IP when configuring the AAA client on the TACACS+ server.

Thanks for the quick reply!

Yes, the TACACS+ server can be reached from the switch, and show tacacs displays:

Socket opens: 96
Socket closes: 96
Socket aborts: 0
Socket errors: 0
Socket Timeouts: 0
Failed Connect Attempts: 3
Total Packets Sent: 96
Total Packets Recv: 0

I am using the same TACACS+ server for all the switches and don't have any problem with the access layer switches. The distribution and core switches that I am having the problem with now can be reached using different IP addresses, configured to be accessed from different VLAN segments. Will that cause a problem?

Thanks again!

Check your ACS logs under Failed Attempts, there should be some failures in there with a reason.

There is no entry regarding these switches in the Failed Attempts; I see failed attempts for the other access layer switches.

BTW, these are distribution and core switches having more than one interface IP.

Thank You again!

ET.

What interface(s) are you permitting in ACS? All the distribution and core interfaces? Just the loopback?

We didn't configure an IP on the loopback interface; on the ACS, the interface VLAN1 IP as well as the standby IP used with HSRP is specified.

Thanks!

ET

OK, on the switch try this:

Router(config)# ip tacacs source-interface Vlan1

You can remove the loopback command I asked you to enter earlier. Let us know what happens!

Router(config)# no ip tacacs source-interface Loopback0

Thank you again,

I made the change on two sets of switches which are HSRP configured; on both pairs, it works only on one switch. That is, from each HSRP-configured pair only one switch is being authenticated by the ACS. What additional change do I need to make?

By the way,

what I tested on another switch is that I entered all the interface IPs on the ACS and it is working, but on these two distribution switches I have more than 30 interfaces, which is difficult to enter manually on the ACS.

Thank you again and regards,

ET

You need to source TACACS+ from an interface. Best practice is to source from a loopback, because it's always up and reachable. You then enter the loopback address in ACS. If you do that, you can access your distro and core switches.
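As an added example (not Collin's or the original poster's configuration), here is what that loopback-sourced setup looks like on one member of an HSRP pair, together with the commands used to verify it. The addresses (10.255.0.11 for this switch's Loopback0, 10.255.0.12 for the peer's, 10.10.10.5 for ACS), the EIGRP process number, the key and the test credentials are placeholders. The reasoning behind it: ACS identifies an AAA client by the source IP of the TACACS+ packet. Without a source-interface, IOS sources the request from the address of whichever SVI the route toward ACS leaves through, so on a switch with 30 SVIs the address ACS sees depends on the path, and on an HSRP pair the two peers present different addresses. The HSRP virtual address is never used, because a switch originates its own traffic from the interface's real address. Counters like "Total Packets Sent: 96 / Total Packets Recv: 0" with no Failed Attempts entry are consistent with ACS discarding requests from a source it does not have registered as an AAA client.

```cisco
! Added example, not from the thread. Placeholders: 10.255.0.11 (this switch's
! Loopback0), 10.255.0.12 (the HSRP peer's Loopback0, configured on the peer),
! 10.10.10.5 (ACS), S3cretKey (shared secret), testuser/testpass (an account
! defined in ACS for testing), EIGRP AS 100 (whatever IGP the core already runs).
!
! 1. A loopback that is always up; /32 so it is unambiguous in the IGP.
interface Loopback0
 description TACACS+ and management source
 ip address 10.255.0.11 255.255.255.255
!
! 2. ACS must be able to route replies back to the loopback, so advertise it
!    (or add a static route for it on the ACS side).
router eigrp 100
 network 10.255.0.11 0.0.0.0
!
! 3. AAA as in the original post, plus the server definition and source interface.
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ line
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
tacacs-server host 10.10.10.5
tacacs-server key S3cretKey
tacacs-server timeout 5
ip tacacs source-interface Loopback0
!
! 4. Make sure the VTYs actually use the default login list.
line vty 0 4
 login authentication default
!
! In ACS: add AAA clients 10.255.0.11 and 10.255.0.12 (one per physical switch),
! protocol TACACS+ (Cisco IOS), same key. Do not add the HSRP virtual IP; the
! switch never sends from it.
!
! 5. Verify from enable mode (exec commands, not config):
!    show ip route 10.10.10.5          ! egress interface toward ACS (the SVI whose
!                                      ! address ACS saw before the change)
!    show tacacs                       ! Total Packets Recv should now increase
!    test aaa group tacacs+ testuser testpass legacy
!    debug tacacs                      ! only if it still fails; undebug all afterwards
```

On the HSRP peer, repeat the same configuration with its own Loopback0 address; the VLAN1 addresses and the standby address then no longer need to be in ACS at all. Keep the `local` fallback in the login list and a local account until `test aaa group` succeeds from both switches, so a mistake here cannot lock you out of the core.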

Thank you for your time, Collin.

The problem in our case is that we have not assigned an IP to the loopback. IPs are assigned to the interface VLANs, of which there are a lot on the distribution switches.

The odd thing that I noticed is that I applied the configuration you recommended, "ip tacacs source-interface Vlan1", on two redundant switch pairs using HSRP (i.e. four switches), of which one switch from each pair is being successfully authenticated by ACS. The other two, with the same configuration, still have problems authenticating through the ACS.

What do you say, is my only option to enter the list of interface VLAN IPs, which is more than 30, on the ACS?

Thank you again and regards,

ET

If you source from VLAN 1 and you have three addresses (one on each switch and the virtual), put all three in ACS. In the long run it will be easier to design and deploy a management network utilizing loopbacks.

Yes, I have put all three addresses on the ACS, but one switch authenticates through the ACS and the other doesn't. Even the virtual address doesn't authenticate through ACS.

Thanks again!

ET.
