
Authentication problem with Catalyst 2960 fresh boot when configured for AAA authentication

xine xine
Level 1

Hi !

We recently deployed AAA authentication to authenticate administrative sessions on our telecom devices. I have noticed that when a Catalyst 2960 switch has just reloaded, it is not possible to log in if the switch is not able to communicate with the TACACS server. We have to wait 5 to 6 minutes before being able to authenticate.

The tacacs-server timeout is at its default value of 5 sec.... Once the switch has a system uptime greater than 6 minutes, I only have to wait for the timeout value to log in. If the system uptime is less than 5 minutes, all authentication requests fail....

We are using IOS version c2960-lanbasek9-tar.122-52.SE

Does this issue have any solution? Is it documented?

Thanks !


Calvin Ryver
Level 1

What does your config for AAA look like? One of my coworkers saw an issue with the same switch. I know he suggested a change in the config for AAA. It seemed like one of the commands was causing accounting to loop. I will check and see if he filed a bug on it.

Hi !

Here is the AAA configuration of our 2960 switches. All locally defined users have been assigned privilege level 15 so that authorization happens locally for them all the time; authorization for those users should never be done by the TACACS/ACS server. This works perfectly!

/**********************************************
!
enable secret 5 *********************************
!
username user_1 privilege 15 secret 5 *********************************
username user_2 privilege 15 secret 5 *********************************
username user_3 privilege 15 secret 5 *********************************
username user_4 privilege 15 secret 5 *********************************
username user_5 privilege 15 secret 5 *********************************
username user_6 privilege 15 secret 5 *********************************
username user_7 privilege 15 secret 5 *********************************
!
aaa new-model
aaa group server tacacs+ TACACS_SERVER
server TACACS_SERVER_IP
exit
!
aaa authentication login default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa authorization console
aaa authorization config-commands
aaa authorization exec default local group tacacs+
aaa authorization commands 0 default local group tacacs+
aaa authorization commands 1 default local group tacacs+
aaa authorization commands 15 default local group tacacs+
aaa authorization configuration default group tacacs+
aaa accounting system default start-stop group tacacs+
aaa accounting session-duration ntp-adjusted
!
tacacs-server host TACACS_SERVER_IP key 7 *********************************************

As a troubleshooting step, please remove the following line from your configuration and retest:

aaa accounting system default start-stop group tacacs+

Hi Javier,

Without the command "aaa accounting system default start-stop group tacacs+" we don't have the issue.... Is it planned to solve this in the next IOS version? Or is there another command I have to add to my configuration to solve it?

Calvin Ryver
Level 1

This issue was reported in CSCsw79561, which showed as fixed in 12.2(52)SE, which is what you are running. If you are seeing the same issue then we may have a side effect.
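
Added example (not part of the thread and not Cisco code): a Python check for saved running-configs that flags an "aaa accounting system" method list sending to a server group, the line removed in the troubleshooting step above. Going slightly beyond the thread, it also reports authentication/authorization lists whose only methods are server groups and repeated AAA lines; the function names and finding labels are assumptions of this example.

```python
import re

# Constructed input: a subset of the AAA lines from the configuration posted above.
SAMPLE_CONFIG = """\
aaa authentication login default group tacacs+ local
aaa accounting system default start-stop group tacacs+
aaa authorization console
aaa authorization configuration default group tacacs+
aaa accounting system default start-stop group tacacs+
"""

AAA_LINE = re.compile(r"^aaa (authentication|authorization|accounting) (.+)$")
RECORD_TYPES = {"start-stop", "stop-only", "none"}

def parse_method_lists(config):
    """Yield (service, kind, list_name, methods) for each AAA method-list line."""
    for raw in config.splitlines():
        m = AAA_LINE.match(raw.strip())
        if not m:
            continue
        service, tokens = m.group(1), m.group(2).split()
        split = 2 if tokens[0] == "commands" else 1   # "commands 15" carries a level
        kind, rest = " ".join(tokens[:split]), tokens[split:]
        if len(rest) < 2:      # e.g. "aaa authorization console": no method list
            continue
        name, rest = rest[0], rest[1:]
        if service == "accounting" and rest[0] in RECORD_TYPES:
            rest = rest[1:]
        methods, i = [], 0
        while i < len(rest):   # "group tacacs+" is one method, "local" another
            step = 2 if rest[i] == "group" else 1
            methods.append(" ".join(rest[i:i + step]))
            i += step
        yield service, kind, name, methods

def audit(config):
    """Return (finding, method_list) tuples in config order."""
    findings, seen = [], set()
    for service, kind, name, methods in parse_method_lists(config):
        label = f"aaa {service} {kind} {name}"
        groups = [m for m in methods if m.startswith("group ")]
        if (label, tuple(methods)) in seen:
            findings.append(("duplicate", label))
            continue
        seen.add((label, tuple(methods)))
        if service == "accounting" and kind == "system" and groups:
            findings.append(("system-accounting-to-server", label))
        if service != "accounting" and len(groups) == len(methods):
            findings.append(("server-only-no-fallback", label))
    return findings
```

Calling audit() on the text of a saved configuration returns the findings as a list, which can be compared across switches before a reload window.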
