We have deployed Secure ACS v4.1 and made the required configuration changes on the switches. All access-layer switches work perfectly, but the distribution and core switches (4506 and 4507) are not being authenticated using the ACS.
The configuration I made on the switches is:
1. Configure AAA Authentication
   1. Create local administrative accounts.
   2. Specify one or more TACACS+ servers.
   3. Specify the TACACS+ key.
   4. Specify the TACACS+ timeout interval (default = 5 sec).
   5. Configure the authentication options:
      # aaa new-model
      # aaa authentication login default group tacacs+ local
      # aaa authentication enable default group tacacs+ line
2. Configure AAA Accounting
   # aaa accounting system default start-stop group tacacs+
   # aaa accounting exec default start-stop group tacacs+
   # aaa accounting commands 0 default start-stop group tacacs+
   # aaa accounting commands 15 default start-stop group tacacs+
   # aaa accounting network default start-stop group tacacs+
Do I need additional configuration on the 4506/4507 switches?
Did you check your ACS logs? On devices with multiple interfaces, it's useful to source TACACS+ from a loopback for consistency and ease of management.
Router(config)# ip tacacs source-interface Loopback0
I also assume you have the correct login method under your VTYs.
Hope that helps.
Thank you very much. Yes, I tried to look into the logs but couldn't see any.
I have now tried putting
conf t # ip tacacs source-interface Loopback0
but it is the same thing.
What else shall I check?
Thank you so much!
I believe the TACACS server is not able to communicate with the switch IP.
Are you able to ping the TACACS+ server from the switch?
The tacacs source interface should be the interface via which the server is reachable.
And also put this interface IP while configuring the AAA client on the TACACS server.
Thanks for the quick reply!
Yes, the TACACS+ server can be reached from the switch, and show tacacs displays:
Socket opens: 96
Socket closes: 96
Socket aborts: 0
Socket errors: 0
Socket Timeouts: 0
Failed Connect Attempts: 3
Total Packets Sent: 96
Total Packets Recv: 0
I am using the same TACACS+ server for all the switches and don't have any problem with the access-layer switches. The distribution and core switches that I am having the problem with now can be reached using different IP addresses, configured to be accessed from different VLAN segments. Will that cause a problem?
There is no entry regarding these switches in the Failed Attempts log; I see failed attempts for the other access-layer switches.
By the way, these are distribution and core switches with more than one interface IP.
Thank You again!
OK, on the switch try this:
Router(config)# ip tacacs source-interface Vlan1
You can remove the loopback command I asked you to enter earlier. Let us know what happens!
Router(config)# no ip tacacs source-interface Loopback0
Thank You Again,
I made the change on two sets of switches which are configured with HSRP; in both pairs, it works on only one switch. That is, from each HSRP pair only one switch is being authenticated by the ACS. What additional change do I need to make?
By the way,
what I tested on another switch is that I entered all of its interface IPs on the ACS and it is working, but on these two distribution switches I have more than 30 interfaces, which is difficult to enter manually on the ACS.
Thank You again and regards,
You need to source TACACS+ from an interface. Best practice is to use a loopback, because it's always up and reachable. You then enter the loopback address in ACS. If you do that, you can access your distro and core switches.
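To make the point of the last few replies concrete, here is an added example (editor's code, not from the original thread or from Cisco) that models the two things a multi-homed switch has to get right before ACS will answer it: which address IOS puts in the TACACS+ packets, and whether that address is registered as an AAA client on the server. Without `ip tacacs source-interface`, IOS sources the request from the address of whichever interface the routing table picks toward the server, so a distribution switch with 30 SVIs can present any of them. The interface names, addresses, routes and the registered-client list below are constructed for the example; the `show tacacs` text is the poster's own output. The model only considers real interface addresses as possible sources, since locally generated traffic is never sourced from an HSRP virtual address. The reading of "packets sent, none received" as "server accepted the TCP connection but did not reply, so check AAA-client registration first" matches the counters in the thread, but a shared-key mismatch or a filter on the server would need ruling out as well.

```python
"""Model TACACS+ source-address selection and read `show tacacs` counters.

Editor's example, not code from the thread. All addresses, interface names,
routes and the ACS client list are constructed for illustration.
"""
import ipaddress
import re

# Constructed: a distribution switch with several SVIs and an unnumbered Loopback0.
INTERFACES = {
    "Vlan1": "10.1.1.2",
    "Vlan10": "10.1.10.2",
    "Vlan20": "10.1.20.2",
}
# Constructed RIB: connected routes for each SVI, default toward an upstream on Vlan20.
ROUTES = [
    ("10.1.1.0/24", "Vlan1"),
    ("10.1.10.0/24", "Vlan10"),
    ("10.1.20.0/24", "Vlan20"),
    ("0.0.0.0/0", "Vlan20"),
]
# Constructed: what the admin registered as AAA clients on ACS (Vlan1 addresses only).
ACS_CLIENTS = {"10.1.1.1", "10.1.1.2", "10.1.1.3"}
TACACS_SERVER = "10.5.5.10"   # constructed server address

# Counters as posted in the thread.
SHOW_TACACS = """Socket opens: 96
Socket closes: 96
Socket aborts: 0
Socket errors: 0
Socket Timeouts: 0
Failed Connect Attempts: 3
Total Packets Sent: 96
Total Packets Recv: 0"""


def egress_interface(server_ip, routes=ROUTES):
    """Return the egress interface by longest-prefix match, as the RIB would."""
    dst = ipaddress.ip_address(server_ip)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        raise ValueError(f"no route to {server_ip}")
    return best[1]


def tacacs_source_ip(server_ip, source_interface=None,
                     interfaces=INTERFACES, routes=ROUTES):
    """Address IOS places in the TACACS+ packets.

    With `ip tacacs source-interface <iface>` configured it is that interface's
    address; otherwise it is the address of the egress interface, which is
    what bites a multi-homed switch whose SVIs are not all registered on ACS.
    """
    iface = source_interface or egress_interface(server_ip, routes)
    return interfaces[iface]


def parse_show_tacacs(text):
    """Parse `Name: <int>` counter lines of `show tacacs` into a dict."""
    counters = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?):\s*(\d+)\s*$", line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters


def diagnose(counters, source_ip, acs_clients):
    """Return a list of finding codes from the counters and the chosen source."""
    findings = []
    if source_ip not in acs_clients:
        findings.append("source-not-registered")   # ACS does not know this client
    if counters.get("Socket Timeouts", 0) > 0:
        findings.append("tcp-unreachable")          # server never completed TCP
    if counters.get("Total Packets Sent", 0) > 0 and counters.get("Total Packets Recv", 0) == 0:
        findings.append("no-reply")                 # TCP worked, server stayed silent
    return findings


if __name__ == "__main__":
    counters = parse_show_tacacs(SHOW_TACACS)
    for cfg in (None, "Vlan1"):
        src = tacacs_source_ip(TACACS_SERVER, cfg)
        print(f"source-interface={cfg!s:6} -> source {src}: {diagnose(counters, src, ACS_CLIENTS)}")
```

Run as-is and the unpinned case sources from Vlan20's address, which ACS has never heard of, while pinning the source to Vlan1 puts a registered address in the packets. The same model explains why registering a loopback is the cleaner fix: one address per switch, independent of which SVI happens to face the server.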
Thank you for your time, Collin.
The problem in our case is that we have not assigned an IP to the loopback. IPs are assigned to the VLAN interfaces, of which there are a lot on the distribution switches.
The odd thing I noticed is that I applied the configuration you recommended, "ip tacacs source-interface Vlan1", on two redundant HSRP pairs (i.e. four switches), and one switch from each pair is being successfully authenticated by ACS. The other two, with the same configuration, still have a problem authenticating through the ACS.
What do you say, is my only option to enter the list of more than 30 VLAN interface IPs on the ACS?
Thank You again and Regards,
If you source from VLAN 1 and you have three addresses (one on each switch and the virtual), put all three in ACS. In the long run it will be easier to design and deploy a management network utilizing loopbacks.
Yes, I have put all three addresses on the ACS, but one switch authenticates through the ACS and the other doesn't. Even the virtual address doesn't authenticate through ACS.
Thanks for your time Collin,
Yes, I set it to source-interface Vlan1.
On two switches configured with HSRP, I entered the IP addresses of both switches as well as the virtual IP; one of the switches is being authenticated by ACS and the other is not. Both have the same configuration.
Thank you and Regards,
Thank you guys for all your time and support, it all works now!
I configured it with source-interface Vlan1 on the distribution switches, as no IP is assigned to the loopback interface; for the others, I entered all the interface IPs on the ACS!
Thank You again and Regards,