
AAA on 2960G switch

pannick
Level 1

I am trying to get a new 2960g to work with tacacs. After adding to the tacacs server and restarting the services I still do not get prompted for user name. What gives?

aaa new-model

aaa authentication login default group tacacs+ enable

aaa authentication login localport line

aaa authorization exec default group tacacs+ if-authenticated

aaa authorization exec localport none

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default stop-only group tacacs+

tacacs-server host 192.xxx.xxx.xxx

tacacs-server directed-request

tacacs-server key 7 xxxxxxxxxxxxxxxxx

radius-server source-ports 1645-1646


Richard Burts
Hall of Fame

Joel

I see the aaa configuration includes the default method list and a localport method list. Can you clarify what uses the localport method list? Make sure that your access attempts are not using this, since that would mean that they are using local authentication and not TACACS.

There are a couple of things to check which may help figure out the problem.

Can you verify connectivity from the 2960G to the TACACS server? It does not appear that you have specified the source address in the config, so you should determine which address the 2960G is using to get to the TACACS server and do an extended ping specifying the server as destination and specifying the source interface for the ping as whatever is the source for the TACACS packets.

Are the TACACS requests getting to the server? Can you check in the logs on the server and see if it recognizes the request? If you look in the failed attempts report do you see these requests? If so there should be an indication of why it failed. Common problems are requests coming from a source address different from what is configured for the device on the TACACS server or mismatched values for the shared key between the server and the device.

Please check on these and let us know what you find.

HTH

Rick
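Added example (not part of the original thread, and not Cisco tooling): a small Python check for the first point in the reply above, reporting which login method list each line block uses and whether its first method asks for a username. The aaa lines are the ones posted in the question; the line con/vty blocks are constructed for illustration, and the script assumes the indentation that show running-config produces.

```python
import re

# aaa lines are from the post; the "line" blocks are constructed for illustration.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication login localport line
!
line con 0
 login authentication localport
line vty 0 4
 login authentication localport
line vty 5 15
"""

# First methods that ask for a username; "line" and "enable" ask only for a password.
USERNAME_METHODS = ("group", "local", "local-case")

def audit_login_methods(config):
    """Return {line block: {"list", "methods", "prompts_username"}}."""
    method_lists, applied, current = {}, {}, None
    for raw in config.splitlines():
        text, indented = raw.strip(), raw.startswith(" ")
        if not text or text.startswith("!"):
            continue
        m = re.match(r"aaa authentication login (\S+) (.+)", text)
        if m:
            method_lists[m.group(1)] = m.group(2).split()
        if not indented:
            # A top-level command ends any previous line block.
            m = re.match(r"line (.+)", text)
            current = m.group(1) if m else None
            if current:
                applied[current] = "default"  # used unless the block names a list
            continue
        m = re.match(r"login authentication (\S+)", text)
        if m and current:
            applied[current] = m.group(1)
    report = {}
    for block, name in applied.items():
        methods = method_lists.get(name, [])
        report[block] = {"list": name, "methods": methods,
                         "prompts_username": bool(methods) and methods[0] in USERNAME_METHODS}
    return report

if __name__ == "__main__":
    for block, info in audit_login_methods(SAMPLE_CONFIG).items():
        print(f"line {block}: list={info['list']} methods={info['methods']} "
              f"username prompt={info['prompts_username']}")
```

In the constructed sample, vty 0 4 is bound to localport and so gets only a password prompt, while vty 5 15 falls back to the default list and tries TACACS+ first.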
