
New Member

AAA on 2960G switch

I am trying to get a new 2960g to work with tacacs. After adding to the tacacs server and restarting the services I still do not get prompted for user name. What gives?

aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication login localport line
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization exec localport none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
tacacs-server host 192.xxx.xxx.xxx
tacacs-server directed-request
tacacs-server key 7 xxxxxxxxxxxxxxxxx
radius-server source-ports 1645-1646

  • AAA Identity and NAC
1 REPLY
Hall of Fame Super Silver

Re: AAA on 2960G switch

Joel

I see the aaa configuration includes the default method list and a localport method list. Can you clarify what uses the localport method list? Make sure that your access attempts are not using this, since that would mean that they are using local authentication and not TACACS.

There are a couple of things to check which may help figure out the problem.

Can you verify connectivity from the 2960G to the TACACS server? It does not appear that you have specified the source address in the config, so you should determine which address the 2960G is using to get to the TACACS server and do an extended ping specifying the server as destination and specifying the source interface for the ping as whatever is the source for the TACACS packets.

Are the TACACS requests getting to the server? Can you check in the logs on the server and see if it recognizes the request? If you look in the failed attempts report do you see these requests? If so there should be an indication of why it failed. Common problems are requests coming from a source address different from what is configured for the device on the TACACS server or mismatched values for the shared key between the server and the device.

Please check on these and let us know what you find.

HTH

Rick
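One way to check Rick's first two points against a saved running-config, as an added example that is not part of the original thread or of any Cisco tool: a small Python audit that reports which login method list each line block uses (and so whether it ever reaches the TACACS server) and whether an `ip tacacs source-interface` is pinned. The sample config is constructed from the poster's AAA lines plus hypothetical line blocks and a documentation-range server address.

```python
import re

# Constructed sample: the poster's AAA lines plus hypothetical "line" blocks and a
# documentation-range server address; the original post showed no line blocks.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication login localport line
tacacs-server host 192.0.2.10
line con 0
 login authentication localport
line vty 0 4
 login authentication localport
line vty 5 15
"""

def parse_login_lists(config):
    """Map each 'aaa authentication login <name>' list to its ordered method words,
    e.g. {'default': ['group', 'tacacs+', 'enable'], 'localport': ['line']}."""
    return {m.group(1): m.group(2).split()
            for m in re.finditer(r"^aaa authentication login (\S+) (.+)$", config, re.M)}

def line_method_lists(config):
    """Map each 'line ...' block to the login list it names; IOS applies the
    'default' list to any line block that names none."""
    assigned, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            assigned[current] = "default"
        elif current and raw.startswith(" login authentication "):
            assigned[current] = raw.split()[-1]
    return assigned

def first_method(words):
    """First method IOS tries for a list; 'group <name>' is a two-word method."""
    return " ".join(words[:2]) if words[0] == "group" else words[0]

def audit(config):
    """Per line block, report whether the first login method consults TACACS (lines
    using a list such as 'localport' never reach the server), and whether a
    source interface is pinned, since a server may reject an unexpected source."""
    lists, report = parse_login_lists(config), {}
    for line, name in line_method_lists(config).items():
        first = first_method(lists.get(name, ["<undefined>"]))
        report[line] = "tacacs" if first == "group tacacs+" else f"bypasses tacacs ({name}: {first})"
    has_src = re.search(r"^ip tacacs source-interface \S+", config, re.M)
    report["source-interface"] = "set" if has_src else "not set"
    return report
```

Run `audit(SAMPLE_CONFIG)` on the sample: the console and `vty 0 4` lines are reported as bypassing TACACS via `localport`, while `vty 5 15` (no explicit list, so `default`) is reported as TACACS.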
