New Member

TACACS not working - Need help

Hi,

I have implemented TACACS in a VPN VRF environment but it is not working; I am not able to route the ACS servers' IPs through the VRF-VPN.

Configuration pasted below:

aaa authentication login default group tacacs+ line
aaa authentication login no_tacacs line
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
ip tacacs source-interface VLAN1
tacacs-server host X.X.X.X
tacacs-server host 10.10.10.4
tacacs-server key 7 ####################333
tacacs-server administration
aaa group server tacacs+ tacacs1
 server-private 10.10.10.4 key ############
 ip vrf forwarding LAN
 ip tacacs source-interface VLAN1

5 REPLIES

Re: TACACS not working - Need help

I believe there is a known issue with this setup, and you might need to enter server mode and then define the VRF forwarding interface, something like this:

aaa group server tacacs+ TEST
 server X.X.X.X
 ip vrf forwarding LAN
!

New Member

Re: TACACS not working - Need help

Hi,

Thank you so much for your mail.

I have tried this but still I am not able to make it succeed:

aaa group server tacacs+ tacacs1
 server 10.10.10.14
 server 10.10.10.45
 ip vrf forwarding LAN
 ip tacacs source-interface Vlan1

It shows "authorisation failed" when I try a new VTY session.

Re: TACACS not working - Need help

You might need to get some debugs on this box as well as the failed logs from your TACACS server.

New Member

Re: TACACS not working - Need help

Hi, sorry for the late reply.

Please find below the logs from the router:

Feb 12 14:10:28.748: AAA/ACCT/CMD(000000B9): free_rec, count 2
Feb 12 14:10:28.748: AAA/ACCT/CMD(000000B9): Setting session id 283 : db=846968EC
Feb 12 14:10:28.748: AAA/ACCT(000000B9): Accouting method=tacacs+ (TACACS+)
Feb 12 14:10:35.450: AAA/BIND(000000BA): Bind i/f
Feb 12 14:10:35.450: AAA/ACCT/EVENT/(000000BA): CALL START
Feb 12 14:10:35.450: Getting session id for NET(000000BA) : db=83E3E3B0
Feb 12 14:10:35.450: AAA/ACCT(00000000): add node, session 284
Feb 12 14:10:35.450: AAA/ACCT/NET(000000BA): add, count 1
Feb 12 14:10:35.450: Getting session id for NONE(000000BA) : db=83E3E3B0
Feb 12 14:10:36.014: AAA/AUTHEN/LOGIN (000000BA): Pick method list 'default'
Feb 12 14:10:38.749: AAA/ACCT/CMD(000000B9): STOP protocol reply FAIL
Feb 12 14:10:38.749: AAA/ACCT(000000B9): Accouting method=NOT_SET
Feb 12 14:10:38.749: AAA/ACCT(000000B9): Send STOP accounting notification to EM successfully
Feb 12 14:10:38.749: AAA/ACCT/CMD(000000B9): Tried all the methods, osr 0
Feb 12 14:10:38.749: AAA/ACCT/CMD(000000B9) Record not present
Feb 12 14:10:38.749: AAA/ACCT/CMD(000000B9) reccnt 2, csr FALSE, osr 0
Feb 12 14:10:46.011: AAA/AUTHEN/LINE(000000BA): GET_PASSWORD
Feb 12 14:11:14.326: AAA/AUTHOR: config command authorization not enabled
Feb 12 14:11:14.326: AAA/ACCT/CMD(000000B9): Pick method list 'default'
Feb 12 14:11:14.326: AAA/ACCT/SETMLIST(000000B9): Handle 0, mlist 83E2FF8C, Name default
Feb 12 14:11:14.330: Getting session id for CMD(000000B9) : db=846968EC
Feb 12 14:11:14.330: AAA/ACCT/CMD(000000B9): add, count 3
Feb 12 14:11:14.330: AAA/ACCT/EVENT/(000000B9): COMMAND
Feb 12 14:11:14.330: AAA/ACCT/CMD(000000B9): Queueing record is COMMAND osr 1
Feb 12 14:11:14.330: AAA/ACCT/CMD(000000B9): free_rec, count 2
Feb 12 14:11:14.330: AAA/ACCT/CMD(000000B9): Setting session id 285 : db=846968EC
Feb 12 14:11:14.330: AAA/ACCT(000000B9): Accouting method=tacacs+ (TACACS+)
Feb 12 14:11:16.642: AAA/ACCT/EXEC(000000BA): Pick method list 'default'
Feb 12 14:11:16.642: AAA/ACCT/SETMLIST(000000BA): Handle 0, mlist 83E2FEEC, Name default
Feb 12 14:11:16.642: Getting session id for EXEC(000000BA) : db=83E3E3B0
Feb 12 14:11:16.642: AAA/ACCT(000000BA): add common node to avl failed
Feb 12 14:11:16.642: AAA/ACCT/EXEC(000000BA): add, count 2
Feb 12 14:11:16.642: AAA/ACCT/EVENT/(000000BA): EXEC DOWN
Feb 12 14:11:16.642: AAA/ACCT/EXEC(000000BA): Accounting record not sent
Feb 12 14:11:16.642: AAA/ACCT/EXEC(000000BA): free_rec, count 1
Feb 12 14:11:16.642: AAA/ACCT/EXEC(000000BA) reccnt 1, csr FALSE, osr 0
Feb 12 14:11:18.425: AAA/AUTHOR: config command authorization not enabled
Feb 12 14:11:18.425: AAA/ACCT/243(000000B9): Pick method list 'default'
Feb 12 14:11:18.425: AAA/ACCT/SETMLIST(000000B9): Handle 0, mlist 83144FF8, Name default
Feb 12 14:11:18.425: Getting session id for CMD(000000B9) : db=846968EC
Feb 12 14:11:18.425: AAA/ACCT/CMD(000000B9): add, count 3
Feb 12 14:11:18.425: AAA/ACCT/EVENT/(000000B9): COMMAND
Feb 12 14:11:18.425: AAA/ACCT/CMD(000000B9): Queueing record is COMMAND osr 2
Feb 12 14:11:18.425: AAA/ACCT/CMD(000000B9): free_rec, count 2
Feb 12 14:11:18.425: AAA/ACCT/CMD(000000B9): Setting session id 286 : db=846968EC
Feb 12 14:11:18.429: AAA/ACCT(000000B9): Accouting method=tacacs+ (TACACS+)
Feb 12 14:11:18.649: AAA/ACCT/EVENT/(000000BA): CALL STOP
Feb 12 14:11:18.649: AAA/ACCT/CALL STOP(000000BA): Sending stop requests
Feb 12 14:11:18.649: AAA/ACCT(000000BA): Send all stops
Feb 12 14:11:18.649: AAA/ACCT/NET(000000BA): STOP
Feb 12 14:11:18.649: AAA/ACCT/NET(000000BA): Method list not found
Feb 12 14:11:18.649: AAA/ACCT(000000BA): del node, session 284
Feb 12 14:11:18.649: AAA/ACCT/NET(000000BA): free_rec, count 0
Feb 12 14:11:18.649: AAA/ACCT/NET(000000BA) reccnt 0, csr TRUE, osr 0
Feb 12 14:11:18.649: AAA/ACCT/NET(000000BA): Last rec in db, intf not enqueued
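A debug dump like the one above is easier to read once the lines are grouped by the session handle printed in parentheses. The script below is an added example and is not part of the thread: it summarises `debug aaa` output per handle, records which accounting method each session picked, collects the lines that mark a record the AAA subsystem could not complete (`reply FAIL`, `Tried all the methods`, `Method list not found`, `Accounting record not sent`), and notes when authentication went through the line-password method (`AAA/AUTHEN/LINE`) rather than the TACACS+ group. The failure markers are a heuristic chosen for this log, and the sample input is a subset of the lines posted above.

```python
"""Per-session triage of IOS `debug aaa` output. Added example, not from the
thread. Events are grouped by the 8-hex-digit handle in parentheses; for each
handle it records the accounting method picked, lines that mark a record the
AAA subsystem could not complete, and whether authentication went through the
line-password method (AAA/AUTHEN/LINE) instead of the TACACS+ group."""
import re
from collections import OrderedDict

TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): (?P<body>.*)$")
SID_RE = re.compile(r"\((?P<sid>[0-9A-F]{8})\)")
METHOD_RE = re.compile(r"method=(\S+)")
# Substrings that mark a record the AAA subsystem failed to complete or deliver
# (heuristic, picked from the markers seen in this thread's log).
FAILURE_MARKERS = ("reply FAIL", "Tried all the methods", "Method list not found",
                   "Accounting record not sent", "failed")
UNASSIGNED_SID = "00000000"  # printed before a session handle is bound


def triage_aaa_debug(text):
    """Return {"sessions": {handle: summary}, "unattributed": [body, ...]}."""
    sessions, unattributed = OrderedDict(), []
    for raw in text.splitlines():
        m = TS_RE.match(raw.strip())
        if not m:
            continue  # not a timestamped debug line
        ts, body = m.group("ts"), m.group("body")
        s = SID_RE.search(body)
        if not s or s.group("sid") == UNASSIGNED_SID:
            unattributed.append(body)  # e.g. "AAA/AUTHOR: ..." has no handle
            continue
        sid = s.group("sid")
        msg = body[s.end():].lstrip(": ")  # text after "SOURCE(handle)"
        rec = sessions.setdefault(sid, {"first": ts, "last": ts, "events": 0,
                                        "methods": set(), "failures": [],
                                        "line_fallback": False})
        rec["last"] = ts
        rec["events"] += 1
        mm = METHOD_RE.search(msg)
        if mm:
            rec["methods"].add(mm.group(1))
        if any(marker in msg for marker in FAILURE_MARKERS):
            rec["failures"].append(msg)
        if body.startswith("AAA/AUTHEN/LINE"):
            rec["line_fallback"] = True
    return {"sessions": dict(sessions), "unattributed": unattributed}


# Sample input: a subset of the debug lines posted in the thread.
SAMPLE_DEBUG = """\
Feb 12 14:10:28.748: AAA/ACCT(000000B9): Accouting method=tacacs+ (TACACS+)
Feb 12 14:10:35.450: AAA/ACCT(00000000): add node, session 284
Feb 12 14:10:36.014: AAA/AUTHEN/LOGIN (000000BA): Pick method list 'default'
Feb 12 14:10:38.749: AAA/ACCT/CMD(000000B9): STOP protocol reply FAIL
Feb 12 14:10:38.749: AAA/ACCT(000000B9): Accouting method=NOT_SET
Feb 12 14:10:38.749: AAA/ACCT/CMD(000000B9): Tried all the methods, osr 0
Feb 12 14:10:38.749: AAA/ACCT/CMD(000000B9) Record not present
Feb 12 14:10:46.011: AAA/AUTHEN/LINE(000000BA): GET_PASSWORD
Feb 12 14:11:14.326: AAA/AUTHOR: config command authorization not enabled
Feb 12 14:11:16.642: AAA/ACCT(000000BA): add common node to avl failed
Feb 12 14:11:16.642: AAA/ACCT/EXEC(000000BA): Accounting record not sent
Feb 12 14:11:18.649: AAA/ACCT/NET(000000BA): Method list not found
Feb 12 14:11:18.649: AAA/ACCT/NET(000000BA): Last rec in db, intf not enqueued
"""

if __name__ == "__main__":
    result = triage_aaa_debug(SAMPLE_DEBUG)
    for sid, rec in result["sessions"].items():
        print(sid, rec["first"], "->", rec["last"], "methods", sorted(rec["methods"]),
              "line fallback" if rec["line_fallback"] else "", rec["failures"])
    print(len(result["unattributed"]), "lines without a session handle")
```

On the sample, handle 000000B9 (the command-accounting session) shows the TACACS+ method being tried and then `STOP protocol reply FAIL` followed by `Tried all the methods`, while handle 000000BA (the new VTY login) reaches `AAA/AUTHEN/LINE`, i.e. the `line` fallback in the `default` login list, and its accounting records are never sent. Run `debug tacacs` alongside `debug aaa` to see whether the router even attempts to open a TCP/49 connection inside the VRF.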

New Member

Re: TACACS not working - Need help

aaa authentication login default group tacacs1 line
aaa authentication login no_tacacs line
aaa authorization exec default group tacacs1 if-authenticated
aaa authorization commands 0 default group tacacs1 if-authenticated
aaa authorization commands 1 default group tacacs1 if-authenticated
aaa authorization commands 15 default group tacacs1 if-authenticated
aaa accounting exec default start-stop group tacacs1
aaa accounting commands 0 default start-stop group tacacs1
aaa accounting commands 1 default start-stop group tacacs1
aaa accounting commands 15 default start-stop group tacacs1
aaa accounting network default start-stop group tacacs1
ip tacacs source-interface VLAN1
aaa group server tacacs+ tacacs1
 server-private 10.10.10.4 key ############
 ip vrf forwarding LAN
 ip tacacs source-interface VLAN1

Remove the config below:

tacacs-server host X.X.X.X
tacacs-server host 10.10.10.4
tacacs-server key 7 ####################333
tacacs-server administration
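The change in the final reply is easy to state but easy to get half right: the method lists must point at the named group (`group tacacs1`, not the built-in `group tacacs+`), the VRF-bound group must carry its servers and keys with `server-private`, and the global `tacacs-server host` lines go away. The script below is an added example, not code from the thread or from Cisco; it encodes those three rules as a lint over a pasted IOS config so the original and corrected configurations from this thread can be compared mechanically. The sample configs are abbreviated from the posts above with the keys masked as posted; the statement that built-in groups reach their servers through the global routing table is background on IOS per-VRF AAA, not something the thread itself spells out.

```python
"""Lint an IOS AAA config for the per-VRF TACACS+ pitfalls in this thread.
Added example, not code from the thread or from Cisco. The rules follow the
final reply: method lists must name a server group that exists, a VRF-bound
group defines its servers with `server-private ... key ...` rather than
`server` (which resolves to the global tacacs-server hosts, reached through
the global routing table), and the global `tacacs-server host` lines go."""
import re

# Sub-commands that belong to an "aaa group server tacacs+ <name>" block.
GROUP_SUBCOMMANDS = ("server-private ", "server ", "ip vrf forwarding ",
                     "ip tacacs source-interface ")
BUILTIN_GROUPS = {"tacacs+", "radius"}  # implicit groups of all global hosts


def parse_aaa_config(text):
    """Return (groups, method lists, global hosts). Leading spaces are not
    required: pasted configs usually lose them, so a group block ends at the
    first line that is not one of its sub-commands."""
    groups, method_lists, global_hosts, current = {}, [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"aaa group server tacacs\+ (\S+)$", line)
        if m:
            current = groups[m.group(1)] = {"vrf": None, "private": [], "shared": []}
            continue
        if current is not None and line.startswith(GROUP_SUBCOMMANDS):
            words = line.split()
            if line.startswith("server-private "):
                current["private"].append(words[1])
            elif line.startswith("server "):
                current["shared"].append(words[1])
            elif line.startswith("ip vrf forwarding "):
                current["vrf"] = words[3]
            continue  # a per-group source-interface needs no tracking here
        current = None  # any other command closes the group block
        if line.startswith("tacacs-server host "):
            global_hosts.append(line.split()[2])
        elif line.startswith(("aaa authentication ", "aaa authorization ",
                              "aaa accounting ")):
            method_lists.append((line, re.findall(r"\bgroup (\S+)", line)))
    return groups, method_lists, global_hosts


def lint_vrf_tacacs(text):
    """Return findings as strings; an empty list means the config is consistent."""
    groups, method_lists, global_hosts = parse_aaa_config(text)
    findings = []
    vrf_groups = sorted(n for n, g in groups.items() if g["vrf"])
    for line, refs in method_lists:
        for ref in refs:
            if ref in BUILTIN_GROUPS and vrf_groups:
                findings.append(f"'{line}': built-in group '{ref}' reaches servers "
                                f"via the global routing table; use a VRF-bound "
                                f"group ({', '.join(vrf_groups)})")
            elif ref not in BUILTIN_GROUPS and ref not in groups:
                findings.append(f"'{line}': server group '{ref}' is not defined")
    for name, g in groups.items():
        if not g["vrf"]:
            continue
        if g["shared"]:
            findings.append(f"group '{name}' (VRF {g['vrf']}) lists {g['shared']} "
                            f"with 'server', which resolves to global tacacs-server "
                            f"hosts; use 'server-private <ip> key <key>' instead")
        if not g["private"] and not g["shared"]:
            findings.append(f"group '{name}' (VRF {g['vrf']}) defines no servers")
    if vrf_groups and global_hosts:
        findings.append(f"global 'tacacs-server host' entries {global_hosts} coexist "
                        f"with VRF-bound groups; remove them so only the "
                        f"server-private definitions are used")
    return findings


# Sample inputs: abbreviated from the thread's posts (keys masked as posted).
ORIGINAL_CONFIG = """
aaa authentication login default group tacacs+ line
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
ip tacacs source-interface VLAN1
tacacs-server host X.X.X.X
tacacs-server host 10.10.10.4
tacacs-server key 7 ####################333
tacacs-server administration
aaa group server tacacs+ tacacs1
 server-private 10.10.10.4 key ############
 ip vrf forwarding LAN
 ip tacacs source-interface VLAN1
"""
CORRECTED_CONFIG = """
aaa authentication login default group tacacs1 line
aaa authorization exec default group tacacs1 if-authenticated
aaa accounting exec default start-stop group tacacs1
ip tacacs source-interface VLAN1
aaa group server tacacs+ tacacs1
 server-private 10.10.10.4 key ############
 ip vrf forwarding LAN
 ip tacacs source-interface VLAN1
"""

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("corrected", CORRECTED_CONFIG)):
        print(label, lint_vrf_tacacs(cfg) or ["no findings"])
```

Run against the original post the lint reports every `group tacacs+` method list plus the leftover global hosts; against the corrected config it reports nothing. The second attempt from the thread (plain `server` entries under the VRF-bound group) is flagged on the `server` lines, which matches the final reply's switch to `server-private`.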
