04-05-2007 01:15 PM - edited 03-03-2019 04:26 PM
Every time I enter the following AAA commands my switch locks up.
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default stop-only group tacacs+
aaa session-id common
04-05-2007 01:27 PM
Your current session may indeed lock up if you were logged in via a local account that doesn't have an entry in TACACS, or just via the line password. Enable first only authentication via TACACS, then re-login using a TACACS account, then add authorization.
04-05-2007 01:19 PM
Do you have the TACACS server set up and responding? I don't see anything in the config displaying the TACACS server information.
As soon as you paste the config in, you can no longer enter commands without the tacacs server permitting you to do so.
04-05-2007 01:21 PM
Yes the TACACS server is up and running. I just did the same commands to my router and had no issues.
04-05-2007 01:26 PM
Is the tacacs-server host x.x.x.x
anywhere on the switch?
04-05-2007 01:31 PM
04-05-2007 01:46 PM
Please see my switch config I posted.
04-05-2007 01:50 PM
Do you have any other switches you can try the config on?
04-06-2007 07:31 AM
'tacacs-server directed-request' is generally considered to be a security risk and you shouldn't include it unless really necessary. Otherwise your config looks fine. Just apply the AAA config in the sequence I mentioned and enable authentication also on the console.
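The staged rollout recommended in this thread, as an added example that is not part of any post above: a Python pre-flight helper that splits a pasted AAA block into an authentication stage and a stage applied after re-login, and flags the two issues the replies raise (no 'tacacs-server host' line, 'tacacs-server directed-request'). The function name plan, the sample config and the placement of accounting lines in stage 2 are assumptions of this example.

```python
import re

# Constructed sample: AAA lines from the thread plus 'tacacs-server directed-request';
# it deliberately has no 'tacacs-server host' line.
SAMPLE = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
tacacs-server directed-request
"""

STAGE1 = re.compile(r"^(aaa new-model|aaa authentication |tacacs-server )")


def plan(config):
    """Split a pasted AAA block into two stages and list pre-flight findings."""
    lines = [l.strip() for l in config.splitlines()]
    lines = [l for l in lines if l and not l.startswith("!")]
    # Stage 1: server definition and authentication only. Stage 2: applied after
    # re-login with a TACACS+ account. Putting accounting in stage 2 is this
    # example's assumption; the thread only orders authentication and authorization.
    stage1 = [l for l in lines if STAGE1.match(l)]
    stage2 = [l for l in lines if not STAGE1.match(l)]
    findings = []
    if any("group tacacs+" in l for l in lines) and not any(
        l.startswith("tacacs-server host ") for l in lines
    ):
        findings.append("no 'tacacs-server host' line: TACACS+ methods have no server to query")
    if any(l.startswith("aaa authorization ") for l in lines):
        findings.append("authorization present: apply stage 2 only after re-login via TACACS+")
    if "tacacs-server directed-request" in lines:
        findings.append("'tacacs-server directed-request' set: remove unless really necessary")
    return stage1, stage2, findings


if __name__ == "__main__":
    s1, s2, notes = plan(SAMPLE)
    print("! stage 1 (paste, then log in again with a TACACS+ account)")
    print("\n".join(s1))
    print("! stage 2 (paste from the TACACS+ session)")
    print("\n".join(s2))
    for n in notes:
        print("! finding:", n)
```

Keep an existing session open while testing the stage 1 login from a second session, so a failed TACACS+ login can still be backed out.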