
On 3750 AAA server address is dropped after restart sometimes.

Ryan Snyder
Level 1

We have Cisco 3750G switches and have them set up to use Cisco ACS 5.2.0.26.5. On some switches, after they are restarted (and we know that the config is saved), the server address for the AAA authentication is dropped. We are running IOS c3750-ipbasek9-mz.122-40.SE. I have started to upgrade switches to c3750-ipbasek9-mz.122-50.SE5 to fix an issue with reporting high drops in SolarWinds. I have not thus far seen any problems with the new version but have only been running it for a few days. Any help on this would be great.


6 Replies

minkumar
Level 1

Hi Ryan,

  Can you give me some more information as to what exactly happens when you reboot/restart the device? Do you mean that you get the prompt for authentication through TACACS, but the authentication fails, or that you do not get prompted for username and password at all?

Regards

Minakshi (Do rate the helpful posts)

In our config we use the following.

aaa new-model
aaa group server tacacs+ NAME
server 10.x.x.x   <---- This is dropped on restart sometimes
ip tacacs source-interface Vlan1
aaa authentication login NAME group NAME local
aaa authentication login CONSOLE local
aaa authorization console
aaa authorization config-commands
aaa authorization exec NAME group NAME local if-authenticated
aaa authorization exec NAME local if-authenticated
aaa authorization commands 2 NAME group NAME if-authenticated
aaa authorization commands 15 NAME group NAME if-authenticated
aaa accounting commands 2 default start-stop group NAME
aaa accounting commands 15 default start-stop group NAME

When this is dropped the switches then just use local authentication. I have no idea why this happens. It is annoying, and my boss has no patience for this. He hates that I have the authentication run through Active Directory. I think he likes to have 10 different passwords.
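A config check for the failure Ryan describes (the server line vanishing from the TACACS+ group, so that "group NAME local" falls through to local authentication), added here as an example and not taken from the thread or from Cisco: it parses "show running-config" text, flags any server group with no server entry, and flags method lists that reference a group that was never defined. The sample configs and the 10.0.0.5 address are constructed; the group name NAME follows the thread.

```python
import re

BUILTIN_GROUPS = {"tacacs+", "radius"}  # implicit groups IOS always knows

def parse_server_groups(config: str) -> dict[str, list[str]]:
    """Map each 'aaa group server' name to the 'server' lines in its block.
    IOS indents a block's sub-commands by one space; the block ends at the
    first non-indented, non-blank line."""
    groups: dict[str, list[str]] = {}
    current = None
    for line in config.splitlines():
        if not line.strip():
            continue
        m = re.match(r"^aaa group server (?:tacacs\+|radius) (\S+)$", line)
        if m:
            current = m.group(1)
            groups[current] = []
        elif line.startswith(" ") and current is not None:
            if line.strip().startswith("server"):
                groups[current].append(line.strip())
        else:
            current = None  # back at the global config level
    return groups

def audit_aaa(config: str) -> list[str]:
    """Flag server groups that make 'group NAME local' degrade to local-only:
    a referenced group with no 'server' entry (the symptom in this thread)
    never contacts ACS, so every method list quietly falls through."""
    groups = parse_server_groups(config)
    findings = [f"group {n} has no server line; method lists fall through to local"
                for n, servers in groups.items() if not servers]
    referenced = set()
    for line in config.splitlines():
        if re.match(r"^aaa (?:authentication|authorization|accounting) ", line):
            referenced.update(re.findall(r"\bgroup (\S+)", line))
    for name in sorted(referenced - set(groups) - BUILTIN_GROUPS):
        findings.append(f"group {name} is referenced but never defined")
    return findings

# Constructed sample (not from the thread): a healthy config and the same
# config after the bug drops the indented 'server' line, as Ryan described.
HEALTHY = """\
aaa new-model
aaa group server tacacs+ NAME
 server 10.0.0.5
 ip tacacs source-interface Vlan1
aaa authentication login NAME group NAME local
aaa accounting commands 15 default start-stop group NAME
"""
AFTER_RELOAD = HEALTHY.replace(" server 10.0.0.5\n", "")
```

Running audit_aaa over "show running-config" output pulled after every reload turns the silent fallback to local accounts into an alert instead of a surprise at the next SSH login.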

Hi Ryan,

  Do you get the prompt for username and password when you reboot the switch? If yes, after typing the user credentials, if the authentication fails, what error message do you get on the TACACS server?

We are running SSH, so when we type in our AD account that should authenticate, it reprompts for a password. Because the server line is missing, it is looking for the local account on the switch, not in ACS. I don't believe at that time it is even hitting the server, since it doesn't have the address in the config. We have to use local switch credentials to add the server address; then it starts to work again.

Ryan

Hi Ryan,

  Looks like you are hitting the following bug:

https://cdetsng.cisco.com/webui/#view=CSCsm21320

which is fixed in 12.2 50.

Let me know if you have further questions.

Regards

Minakshi (Rate the helpful posts)

That is what I assumed. We are in the process of upgrading everything to 122-50.SE5. Thanks for the help.