I am unable to login to the switch using TACACS+ login after adding aaa authorization network command

Nisha Prabath
Level 1

Hi,

I am testing a switch for AAA authentication when it is not communicating with ISE, and I found a strange behavior. After I added the AAA authentication, accounting and authorization commands and reloaded the switch, I was not able to log in to the switch with the TACACS+ login.

The switch kept going in cycles: it showed the banner and then gave the authentication failed message 3 times, and then the cycle started again with the banner and the authentication failed message.

I removed the "aaa authorization network" command, reloaded the switch, and was able to log in successfully.

Could someone help me with this problem?



nspasov
Cisco Employee

Please attach your switch config. If you cannot attach the whole config then please post your:

1. AAA configurations

2. Line (AUX, Console) configurations


Thank you for rating helpful posts!

I have pasted the AAA configuration and the line configuration for your reference.


aaa group server radius ISE-PSN-DOT1X
 server name TCI-ISE01
 server name TCI-ISE02
!
aaa authentication login default group tacacs+ local
aaa authentication dot1x default group ISE-PSN-DOT1X
aaa authorization network default group ISE-PSN-DOT1X
aaa authorization network auth-list group ISE-PSN-DOT1X
aaa authorization auth-proxy default group ISE-PSN-DOT1X
aaa accounting update periodic 5
aaa accounting auth-proxy default start-stop group ISE-PSN-DOT1X
aaa accounting dot1x default start-stop group ISE-PSN-DOT1X
aaa accounting system default start-stop group ISE-PSN-DOT1X


line con 0
line vty 0 4
 password 7
 length 0
 transport input telnet
line vty 5 15
 transport input telnet

Thanks! Also, can you post the "aaa authorization" command that breaks the process? The "aaa authentication" commands look ok. 


AAA authorization commands:

aaa authorization network default group ISE-PSN-DOT1X
aaa authorization network auth-list group ISE-PSN-DOT1X

After I removed the command 'aaa authorization network auth-list group ISE-PSN-DOT1X' from the switch and reloaded it, I was able to log in successfully.


Hmm, those commands are related to network access and not associated with the authorization of your local device. I just tested the syntax in my lab and had no issues with it. So:

1. What version of code are you running on the network device?

2. What are you returning in the authorization profile in ISE?

This switch is not talking to the ISE. This is more of a fail-over test environment where ISE is not available.

SW Version: 15.0(2)SE4

I am guessing that it is a bug with that version of code... In my lab I am running 15.1.x code and have no issues.


Oh, OK.

Thank you for the help and support.

No problem! Please come back and let us know if a code upgrade resolves your issue!


Sure, will let you know once my issue gets resolved.

Thank you so much for the support!

Hi,

The command "aaa authorization network default group ISE-PSN-DOT1X" points to RADIUS; it should have been pointed to TACACS+, or removed if authorization is not required.

It is not a bug issue.

Thanks

Hi Nitesh-

That command (aaa authorization network...) has nothing to do with admin-based authorization on the NAD (in this situation the switch). That command applies to network connections such as PPP, SLIP, etc.

In addition, aaa authorization can be performed by Radius and not only TACACS+. Radius is not as powerful and you cannot provide authorization command sets but you can still return different privilege levels and roles. 

Did you test the above configuration syntax? I did and it is working as expected!


Hi Neno,

Yes, you are correct. I was able to log in to the switch, but it took a while to show the username and password prompt.

Thank you for the support.

Thank you for confirming this, Nisha, and also thank you for the rating! I think the delay with the username/password prompt showing up is due to the switch trying to connect to your TACACS+ server. After that fails or times out, the username/password prompt shows up.
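As an added example that is not part of this thread (the TACACS+ server addresses, the shared key, the source VLAN and the vty transport are assumed placeholders, and the RADIUS server definitions referenced by the ISE group are assumed to exist elsewhere in the config), this is one way to lay out the AAA lists so that the admin plane the accepted answer talks about (console and vty login, exec and command authorization via TACACS+ with local fallback) is kept apart from the network plane (802.1X/MAB via RADIUS), and so that the TACACS+ timeout bounds the delay the last reply describes before the local fallback lets you in:

```text
! Added example, not the thread's own configuration.
! Admin plane: TACACS+ first, "local" fallback only when every server is
! unreachable (a server that answers with a reject does NOT fall through).
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization console
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! Network plane: RADIUS (ISE) for 802.1X/MAB. "aaa authorization network"
! is consulted for these sessions only, never for a login/exec session.
aaa group server radius ISE-PSN-DOT1X
 server name TCI-ISE01
 server name TCI-ISE02
aaa authentication dot1x default group ISE-PSN-DOT1X
aaa authorization network default group ISE-PSN-DOT1X
aaa accounting dot1x default start-stop group ISE-PSN-DOT1X
!
! TACACS+ servers (addresses and key are assumed). The per-server timeout is
! what bounds the wait before the local fallback: two servers x 3 s = about
! 6 s worst case before the username prompt appears with ISE down.
tacacs-server host 10.0.0.11 key EXAMPLE-KEY
tacacs-server host 10.0.0.12 key EXAMPLE-KEY
tacacs-server timeout 3
ip tacacs source-interface Vlan10
!
! Lines: with "aaa new-model" the per-line "password" is not consulted for
! login; the default login list applies unless "login authentication <list>"
! names another one. SSH instead of telnet is an assumed hardening choice.
line con 0
 login authentication default
line vty 0 15
 transport input ssh
 login authentication default
```

To check the fallback before reloading the switch, run "test aaa group tacacs+ <user> <password> legacy" from exec: with the servers down it should report a failure after the configured timeout, and a "show users"/"show privilege" on a fresh session should then show the locally defined account logging in with its local privilege level. Keep a local user with privilege 15 configured before enabling command authorization, since "if-authenticated" only helps once the login itself has succeeded.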