Cisco Support Community
New Member

Tacacs login failed to go local when tacacs daemon stops

Hi all,

I am experiencing a strange issue with tacacs authentication. Here are related commands for tacacs on the switch.

===========
aaa new-model
aaa authentication login default local-case enable
aaa authentication login aaa group tacacs+ local-case
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
!
tacacs-server host 10.0.0.1
tacacs-server host 1.0.0.1
tacacs-server host 1.0.0.0
tacacs-server directed-request
tacacs-server key aaakey
radius-server source-ports 1645-1646
!
line con 0
 login authentication aaa
line vty 0 4
 login authentication aaa
========

The problem is that every time the tacacs-server's daemon (10.0.0.1) stops responding, or there is memory corruption in the server, my tacacs login no longer works. I tried with local-case but still got the “Permission denied, please try again.” message. This also applies to the console. I wonder why tacacs does not move on to the next tacacs-server or use local-case?

Any suggestions or opinions are appreciated.

Thanks,

J

4 REPLIES
Hall of Fame Super Silver

Re: Tacacs login failed to go local when tacacs daemon stops

J

I wonder in your config about the configuration of the backup servers. 1.0.0.1 is an odd host address. Is this a valid host address in your network? And 1.0.0.0 would surely seem like an invalid host address in any network. Are you sure that these are valid host addresses for servers?

I wonder whether the problem is an authentication error or if it might be an authorization error. If you would run debug aaa authentication, debug aaa authorization, debug tacacs authentication, and debug tacacs authorization it might shed light on what the problem really is.

HTH

Rick

New Member

Re: Tacacs login failed to go local when tacacs daemon stops

Hi Rick,

Thanks for the prompt reply. No, those IPs are not valid IPs for the tacacs server. I made those up for posting here. 1.0.0.0 was a typo... The server is working fine now and I do not have problems authenticating. I will run those debugs and post here as soon as I can.

Thanks!

J

Hall of Fame Super Silver

Re: Tacacs login failed to go local when tacacs daemon stops

J

If the server is working fine and you do not have problems authenticating then there is no real purpose in running the debugs. They would have been helpful in finding the problem. But if there is no problem then there is little reason to run debug.

HTH

Rick

Silver

Re: Tacacs login failed to go local when tacacs daemon stops

The issue has to do with authorization. Try this and it will work:

aaa authorization exec VTY group tacacs+ if-authenticated none
aaa authorization commands 0 VTY group tacacs+ if-authenticated none
aaa authorization commands 1 VTY group tacacs+ if-authenticated none
aaa authorization commands 15 VTY group tacacs+ if-authenticated none
aaa authorization network VTY group tacacs+ if-authenticated none
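
Added example, not part of any post in this thread: a Python model of how IOS walks AAA method lists, run against the AAA lines from the question, showing which methods each line reaches for login and for exec authorization when the TACACS+ server gives no answer versus when it answers with a FAIL. The function names and the `no-response` / `fail` labels are assumptions of this example, and it treats local methods as final.

```python
import re

# Constructed input: the AAA and line commands from the question above.
CONFIG = """\
aaa authentication login default local-case enable
aaa authentication login aaa group tacacs+ local-case
aaa authorization console
aaa authorization exec default group tacacs+ local
line con 0
 login authentication aaa
line vty 0 4
 login authentication aaa
"""

LIST_RE = re.compile(r"^aaa (authentication login|authorization exec) (\S+) (.+)$")

def parse(config):
    """Return (method_lists, lines): lists keyed by (kind, name); per-line list names."""
    lists, lines, current = {}, {}, None
    for raw in config.splitlines():
        text = raw.strip()
        m = LIST_RE.match(text)
        if m:
            lists[(m.group(1), m.group(2))] = re.findall(r"group \S+|\S+", m.group(3))
        elif text.startswith("line "):
            current = text  # lines with no named list use the list called "default"
            lines[current] = {"authentication login": "default", "authorization exec": "default"}
        elif current and raw.startswith(" "):
            m = re.match(r"(login authentication|authorization exec) (\S+)$", text)
            if m:
                kind = "authentication login" if m.group(1).startswith("login") else m.group(1)
                lines[current][kind] = m.group(2)
    return lists, lines

def methods_tried(methods, server_reply):
    """IOS moves to the next method only on ERROR (no answer); a FAIL reply ends the walk."""
    tried = []
    for method in methods:
        tried.append(method)
        if not (method.startswith("group ") and server_reply == "no-response"):
            break  # assumption of this model: local methods and server replies are final
    return tried

def audit(config, server_reply):
    """Map each line to the methods reached for login and for exec authorization.
    Console exec authorization assumes 'aaa authorization console' is set, as in the post."""
    lists, lines = parse(config)
    return {line: {kind: methods_tried(lists.get((kind, name), []), server_reply)
                   for kind, name in chosen.items()}
            for line, chosen in lines.items()}
```

Calling `audit(CONFIG, "no-response")` and `audit(CONFIG, "fail")` side by side shows that both the login list and the default exec authorization list reach their local method only when the server does not answer at all.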
