10-01-2014 02:48 PM - edited 03-10-2019 10:04 PM
Hi
I am testing a switch for AAA authentication when it is not communicating with ISE, and I found a strange behavior. After I added the aaa authentication, accounting and authorization commands and reloaded the switch, I was not able to log in to the switch with the TACACS login.
The switch kept going in cycles: showing the banner and then giving the "authentication failed" message 3 times, after which the cycle starts again with the banner and the authentication failed message.
I removed the aaa authorization network command, reloaded the switch, and was able to log in successfully.
Could someone help me with this problem?
10-01-2014 05:05 PM
Please attach your switch config. If you cannot attach the whole config then please post your:
1. AAA configurations
2. Line (AUX, Console) configurations
Thank you for rating helpful posts!
10-02-2014 06:30 AM
I have pasted the AAA configuration and the line configuration for your reference.
aaa group server radius ISE-PSN-DOT1X
 server name TCI-ISE01
 server name TCI-ISE02
!
aaa authentication login default group tacacs+ local
aaa authentication dot1x default group ISE-PSN-DOT1X
aaa authorization network default group ISE-PSN-DOT1X
aaa authorization network auth-list group ISE-PSN-DOT1X
aaa authorization auth-proxy default group ISE-PSN-DOT1X
aaa accounting update periodic 5
aaa accounting auth-proxy default start-stop group ISE-PSN-DOT1X
aaa accounting dot1x default start-stop group ISE-PSN-DOT1X
aaa accounting system default start-stop group ISE-PSN-DOT1X
line con 0
line vty 0 4
 password 7
 length 0
 transport input telnet
line vty 5 15
 transport input telnet
10-02-2014 09:20 AM
Thanks! Also, can you post the "aaa authorization" command that breaks the process? The "aaa authentication" commands look ok.
10-02-2014 10:15 AM
AAA authorization commands:
aaa authorization network default group ISE-PSN-DOT1X
aaa authorization network auth-list group ISE-PSN-DOT1X
After I removed the command 'aaa authorization network auth-list group ISE-PSN-DOT1X' from the switch and reloaded it, I was able to log in successfully.
10-02-2014 10:46 AM
Hmm, those commands are related to network access and not associated with the authorization of your local device. I just tested the syntax in my lab and had no issues with it. So:
1. What version of code are you running on the network device?
2. What are you returning in the authorization profile in ISE?
10-02-2014 11:14 AM
This switch is not talking to the ISE. This is more of a fail-over test environment where ISE is not available.
SW Version
------ ----- -----
15.0(2)SE4
10-02-2014 12:00 PM
I am guessing that it is a bug with that version of code...In my lab I am running 15.1.x code and have no issues.
Thank you for rating helpful posts!
10-02-2014 12:53 PM
Oh ok.
Thank you for the help and support.
10-02-2014 01:43 PM
No problem! Please come back and let us know if a code upgrade resolves your issue!
Thank you for rating helpful posts!
10-02-2014 02:22 PM
Sure, will let you know once my issue gets resolved.
Thank you so much for the support!
10-05-2014 11:44 PM
Hi
The command aaa authorization network default group ISE-PSN-DOT1X
points to RADIUS; it should have been pointed to TACACS or removed if authorization is not required.
It is not a bug issue.
Thanks
10-05-2014 11:53 PM
Hi Nitesh-
That command (aaa authorization network...) has nothing to do with admin-based authorization on the NAD (in this situation the switch). That command applies to network connections such as PPP, SLIP, etc.
In addition, aaa authorization can be performed by RADIUS and not only TACACS+. RADIUS is not as powerful and you cannot provide authorization command sets, but you can still return different privilege levels and roles.
Did you test the above configuration syntax? I did and it is working as expected!
Thank you for rating helpful posts!
10-06-2014 06:55 AM
Hi Neno,
Yes, you are correct. I was able to log in to the switch, but it took a while to show the username and password prompt.
Thank you for the support.
10-06-2014 09:11 AM
Thank you for confirming this Nisha and also thank you for the rating! I think the delay with the username/password showing is due to the switch trying to connect to your TACACS+ server. After that fails or times out, the username/password prompt shows up.
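The two things a reviewer would check in the configuration posted earlier in this thread (whether the login method list really falls back to a local account when TACACS+ is unreachable, and how long that fallback takes, which is the delay described in the last reply) can be checked statically. The script below is an added example, not code from the thread or from Cisco: it parses the posted AAA and line snippet and a constructed hardened counterpart, and reports the device-access pitfalls. The Type 7 password string, the username, the `tacacs server` names, addresses, key and timeouts are placeholders or assumptions, not values from the page; the 5-second default TACACS+ timeout and "one attempt per server" are stated assumptions in the code.

```python
"""Static check of Cisco IOS AAA/line configuration for device-access pitfalls.

Added example (not from the thread or from Cisco): parses IOS-style config text
and reports lockout risk, cleartext management access, reversible Type 7 line
passwords, and the worst-case delay before the 'local' method is reached.
"""
import re

# Constructed sample 1: the AAA/line lines quoted in the thread. The Type 7
# password string was not shown there, so a placeholder stands in for it.
POSTED_CONFIG = """\
aaa group server radius ISE-PSN-DOT1X
 server name TCI-ISE01
 server name TCI-ISE02
!
aaa authentication login default group tacacs+ local
aaa authentication dot1x default group ISE-PSN-DOT1X
aaa authorization network default group ISE-PSN-DOT1X
aaa authorization network auth-list group ISE-PSN-DOT1X
aaa authorization auth-proxy default group ISE-PSN-DOT1X
aaa accounting update periodic 5
aaa accounting auth-proxy default start-stop group ISE-PSN-DOT1X
aaa accounting dot1x default start-stop group ISE-PSN-DOT1X
aaa accounting system default start-stop group ISE-PSN-DOT1X
line con 0
line vty 0 4
 password 7 PLACEHOLDER_TYPE7_STRING
 length 0
 transport input telnet
line vty 5 15
 transport input telnet
"""

# Constructed sample 2: the device-access portion as a reviewer would want it.
# Server names, addresses, key, username and timeouts are assumptions.
HARDENED_CONFIG = """\
username admin privilege 15 secret PLACEHOLDER_STRONG_SECRET
tacacs server ISE-TACACS-1
 address ipv4 192.0.2.10
 key PLACEHOLDER_SHARED_KEY
 timeout 3
tacacs server ISE-TACACS-2
 address ipv4 192.0.2.11
 key PLACEHOLDER_SHARED_KEY
 timeout 3
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local if-authenticated
line con 0
 login authentication default
line vty 0 15
 login authentication default
 transport input ssh
"""

DEFAULT_TACACS_TIMEOUT = 5  # assumption: IOS default per-server timeout, seconds


def parse_blocks(cfg):
    """Return [(header, [sub-commands])]; IOS indents sub-commands by one space."""
    blocks = []
    for raw in cfg.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        elif not raw.startswith(" "):
            blocks.append((raw.strip(), []))
    return blocks


def login_methods(blocks):
    """Map login list name -> ordered methods, e.g. ['group tacacs+', 'local']."""
    lists = {}
    for header, _ in blocks:
        m = re.match(r"aaa authentication login (\S+) (.+)", header)
        if m:
            lists[m.group(1)] = re.findall(r"group \S+|\S+", m.group(2))
    return lists


def fallback_delay(blocks):
    """(seconds, server count): one timeout per TACACS+ server before 'local'
    is tried; assumes a single attempt per server and the default when unset."""
    global_timeout = DEFAULT_TACACS_TIMEOUT
    for header, _ in blocks:
        m = re.match(r"tacacs-server timeout (\d+)", header)
        if m:
            global_timeout = int(m.group(1))
    total, count = 0, 0
    for header, subs in blocks:
        if header.startswith(("tacacs server ", "tacacs-server host ")):
            per = [int(s.split()[1]) for s in subs if s.startswith("timeout ")]
            total += per[0] if per else global_timeout
            count += 1
    return total, count


def audit(cfg):
    """Return a list of (code, message) findings for the device-access config."""
    blocks, findings = parse_blocks(cfg), []
    lists = login_methods(blocks)
    for name, methods in lists.items():
        if not any(m in ("local", "local-case", "enable") for m in methods):
            findings.append(("LOCKOUT-RISK", f"login list '{name}' has no local/enable fallback: {methods}"))
    if lists and not any(h.startswith("username ") for h, _ in blocks):
        findings.append(("NO-LOCAL-USER", "'local' fallback configured but no username in this snippet"))
    for header, subs in blocks:
        if header.startswith("line "):
            for s in subs:
                if s.startswith("password 7 "):
                    findings.append(("TYPE7-PASSWORD", f"{header}: Type 7 line password is reversible; use secret-based users"))
                if re.match(r"transport input .*\btelnet\b", s):
                    findings.append(("CLEARTEXT-MGMT", f"{header}: telnet accepted; use 'transport input ssh'"))
        if header.startswith("aaa authorization network "):
            findings.append(("INFO", f"'{header}' governs network sessions (dot1x/PPP), not device login"))
    delay, n = fallback_delay(blocks)
    if n == 0:
        findings.append(("NO-TACACS-SERVER", "no TACACS+ server in this snippet; check the full config"))
    else:
        findings.append(("FALLBACK-DELAY", f"~{delay}s before local login once all {n} TACACS+ servers time out"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for code, msg in audit(cfg):
            print(f"{code:18} {msg}")
```

Run it as-is to see both reports. The posted snippet passes the lockout check because `group tacacs+ local` already falls back to local authentication; the remaining findings are about the cleartext telnet transport, the reversible Type 7 line password, the absence of a local `username` in the pasted portion, and the fact that the `aaa authorization network` lines concern dot1x/PPP sessions rather than console or vty login, which is the point made in the accepted answer. On the hardened sample the only finding is the estimated wait (two servers at 3 seconds each) before the local prompt appears, which is the delay the last reply attributes to the TACACS+ timeout.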