
Tacacs Issue

kannan.kannan
Level 1


Hello,

We are running the below TACACS config on one of our CISCO 2911 switches.

We got an issue when ACS-to-AD connectivity failed on the ACS: we were unable to login with our local account.

When the TACACS user is down, we are unable to login with our local account.

FYI, Please find the below config.

aaa new-model
!
!

aaa authentication login default group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting commands 1 default
action-type start-stop
group tacacs+
!
aaa accounting commands 15 default
action-type start-stop
group tacacs+
!
!
!
!
!
!
aaa session-id common

tacacs-server host xx.xx.xx.xx

tacacs-server host xx.xx.xx.xx

tacacs-server timeout 2

tacacs-server directed-request no-truncate

tacacs-server key 7 xxxxxxxxxxxxxxxx


=====================

!
line con 0
password 7 097C6E1A0A1247000F16
line aux 0
line 0/0/0 0/3/15
session-timeout 15
access-class 98 in
no exec
transport preferred telnet
transport input telnet
telnet transparent
line vty 0 4
access-class 23 in
privilege level 15
password 7 01232617481C561D2556
transport input ssh
line vty 5 15
access-class 23 in
privilege level 15
password 7 0236244818115F334854
transport input ssh
!

==========================================

Thanks

Kannan

8 Replies

Karthick Murugan
Cisco Employee

Hi Kannan,

The configuration looks ok for me. However, can you clarify the following.

1) ACS down --> does it mean the service was down or the physical device itself was down?

TACACS won't fall back to local until the reachability to the server goes down. I can see transport input is configured as SSH. In case of TACACS fallback, the local credential should have a username and password, because unlike TELNET, which works with only a password, SSH doesn't.

Thanks & Regards,

Karthick Murugan

CCIE#39285

Thanks & Regards, Karthick Murugan CCIE#39285
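A small model of the method-list behaviour described above, added here as an example (this is not code from the thread or from Cisco): it shows why "group tacacs+ local" falls through to the local database only when every server gives no usable reply, not when a reachable ACS rejects the login because its AD back end is down. Server names, users and passwords are constructed.

```python
# Added example: simulate IOS evaluation of
#   aaa authentication login default group tacacs+ local
# The rule modelled is: move to the next method only on ERROR (no usable
# reply from the server), never on FAIL (an explicit reject).
from dataclasses import dataclass
from typing import Callable, Dict, List

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"   # ERROR = timeout / unreachable


@dataclass
class TacacsServer:
    name: str
    reachable: bool
    backend_up: bool                 # e.g. the ACS -> Active Directory link
    known_users: Dict[str, str]      # constructed user -> password table

    def authenticate(self, user: str, password: str) -> str:
        if not self.reachable:
            return ERROR             # router never gets an answer
        if not self.backend_up:
            return FAIL              # ACS answers, but cannot verify: explicit reject
        return PASS if self.known_users.get(user) == password else FAIL


def tacacs_group(servers: List[TacacsServer]) -> Callable[[str, str], str]:
    """Method 'group tacacs+': try servers in order; first definitive answer wins."""
    def method(user: str, password: str) -> str:
        for srv in servers:
            result = srv.authenticate(user, password)
            if result != ERROR:
                return result
        return ERROR                 # all servers silent -> next method may run
    return method


def local_method(local_users: Dict[str, str]) -> Callable[[str, str], str]:
    """Method 'local': consult the device's own username database."""
    def method(user: str, password: str) -> str:
        return PASS if local_users.get(user) == password else FAIL
    return method


def evaluate_method_list(methods, user: str, password: str) -> str:
    """Return PASS or FAIL for the login; fall through only on ERROR."""
    for m in methods:
        result = m(user, password)
        if result != ERROR:
            return result
    return FAIL                      # every method errored: login denied
```

Run with a reachable ACS whose AD link is down and the local admin is rejected; mark the same server unreachable and the local login succeeds.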

Thanks Karthick,

The ACS is not physically down; we can see the ACS-to-AD connectivity is disconnected.

At this time we are unable to login with our 'a' account (I mean the TACACS account).

In the same LAN we are running Nexus devices (5K and 7K switches).

We are able to login with the local account to all of our Nexus devices; we only have the issue with some devices (Cisco 2911 and CISCO ASR 1002).

Kannan    

Hi Kannan,

Do you have the old backup configuration? Can you provide the entire configuration?

Regards,

Karthick Murugan

CCIE#39285


Hi Karthick,

The below config is part of another device, a CISCO 1002; we have the issue on this device as well.

Note: For security reasons, some parts of the interface config have been removed.

version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no platform punt-keepalive disable-kernel-core
!
hostname xxxxxx
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family

!
aaa new-model
!
!
aaa group server tacacs+ ACS
server xxxxxxxx
server xxxxxxxx
ip vrf forwarding Mgmt-intf
ip tacacs source-interface GigabitEthernet0
!
aaa authentication login default group ACS local
aaa authentication login console group ACS local
aaa authorization console
aaa authorization exec default group ACS local
aaa authorization exec console if-authenticated
aaa authorization commands 1 default group ACS local
aaa authorization commands 15 default group ACS local
!
!
!
!
!
aaa session-id common
ip source-route
!
!
!
no ip domain lookup
ip domain name li.apac
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
username xxxxxxx privilege 15 password 7 03005E19160B245E5E
username xxxxxxx privilege 15 password 7 1159415D4214095E572F7E
username xxxxxxx privilege 15 password 7 023E077B07041D791C

!

!
ip forward-protocol nd
!
no ip http server
no ip http secure-server

!
logging host xxxxxxx vrf Mgmt-intf
access-list 12 permit xxxxxx
access-list 12 permit xxxxxx
access-list 12 permit xxxxxx
access-list 12 permit xxxxxx
cdp run
!
!
tacacs-server host xxxxxx key 7 xxxxxx
tacacs-server host xxxxxx key 7 xxxxxx
tacacs-server directed-request
!
!
control-plane
!
!
!
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password 7 03347B181518715E4A13
transport input ssh
line vty 5 15
transport input ssh
!
end

Kannan

Hi karthick,

When we remove the device list from the ACS server, it works fine with the local account.

Kannan    

mahmoodmkl
Level 7

Hi,

Can you add "login" under the vty lines and check?

Thanks

Hi Kannan,

I tried to recreate the scenario in my lab device with exact same configuration and it worked fine without any issues.

So, I still believe the switch finds the TACACS server reachable.

Do you have the option to console into the switch, check the output of "show tcp brief" and ping the TACACS server?

Thanks

Karthick Murugan


kannan.kannan
Level 1

Hi Karthick,

We have only remote login access. Still, the ACS - AD link is disconnected.

We are able to login only to the Nexus switches with our local account; the other devices I mentioned (ASR, 2911, 3750 switches) are not able to login with the local account.

If it were a general problem it would happen with all the switches, but only some devices are having the issue.
