05-27-2018 02:22 AM - edited 03-05-2019 10:30 AM
Hi
We are trying to make the management access authentication method TACACS only, with the local username as a standby option if the switch fails to reach the TACACS server, but we can see that the local username method is working even when the TACACS server is available and working fine. Kindly find the configuration commands below.
switch PID: WS-C3850-24P
Version: 03.03.03SE
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+
aaa authentication dot1x default group radius
aaa authorization console
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
tacacs-server host 10.1.80.61 key aruba123
radius-server host 10.1.80.61 key aruba123
!
!
!
!
line con 0
authorization commands 15 quadmin
stopbits 1
line aux 0
stopbits 1
line vty 0 4
transport input all
line vty 5 15
COMP-GF-C02-AS2#show tacacs
Tacacs+ Server - public :
Server address: 10.1.80.61
Server port: 49
Socket opens: 105
Socket closes: 105
Socket aborts: 0
Socket errors: 0
Socket Timeouts: 0
Failed Connect Attempts: 0
Total Packets Sent: 133
Total Packets Recv: 133
05-27-2018 02:50 AM
Under the vty lines you can add
login authentication default
05-27-2018 02:57 AM
Applied, but it is still not solving the issue, and I can't see the command in the running-config!
COMP-GF-C02-AS2(config)#li
COMP-GF-C02-AS2(config)#line vty 0 4
COMP-GF-C02-AS2(config-line)#login auth
COMP-GF-C02-AS2(config-line)#login authentication def
COMP-GF-C02-AS2(config-line)#login authentication default
COMP-GF-C02-AS2(config-line)#do sh run | b line vty 0 4
line vty 0 4
transport input all
line vty 5 15
!
05-27-2018 03:05 AM
I see that you are actually using the default method list, so that will be used without the command having to be added. This is why it most likely doesn't show.
I would remove the following from the vty line
authorization commands 15 quadmin
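An added illustration of the method-list rule in the reply above, written in Python; this is not code from the thread or from Cisco, and the user names and passwords in it are constructed. It models the walk of the OP's "aaa authentication login default group tacacs+ local" list together with the "none" and "if-authenticated" keywords from the authorization lists, using the same simplified rule for both: a later method runs only when the earlier one errors, not when it rejects.

```python
"""Model of how Cisco IOS walks an AAA method list such as
'aaa authentication login default group tacacs+ local'.
Simplified model (not Cisco code): the next method is consulted only when
the current one returns ERROR (server unreachable / no usable reply); a
FAIL (explicit reject) ends the walk and never falls through to 'local'."""

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

# Constructed sample accounts (assumptions, not from the thread).
LOCAL_USERS = {"admin": "localpass"}            # the 'local' database
TACACS_USERS = {"netops": "tacacspass"}         # accounts the server knows


def tacacs_group(user, password, reachable):
    """Stand-in for 'group tacacs+': ERROR when unreachable, else PASS/FAIL."""
    if not reachable:
        return ERROR
    return PASS if TACACS_USERS.get(user) == password else FAIL


def evaluate_method_list(methods, user, password, *, tacacs_reachable=True,
                         already_authenticated=False):
    """Walk the list in order and return (result, method_that_decided)."""
    for method in methods:
        if method == "group tacacs+":
            result = tacacs_group(user, password, tacacs_reachable)
        elif method == "local":
            result = PASS if LOCAL_USERS.get(user) == password else FAIL
        elif method == "none":
            result = PASS           # no check at all: every request passes
        elif method == "if-authenticated":
            result = PASS if already_authenticated else FAIL
        else:
            raise ValueError(f"unknown method {method!r}")
        if result != ERROR:         # PASS and FAIL are both final answers
            return result, method
    return ERROR, None              # every method errored: request is denied


if __name__ == "__main__":
    login = ["group tacacs+", "local"]
    # Server up: the local-only account is rejected by TACACS+ and stops there.
    print(evaluate_method_list(login, "admin", "localpass"))
    # Server down: only now does the walk reach 'local'.
    print(evaluate_method_list(login, "admin", "localpass", tacacs_reachable=False))
    # 'aaa authorization commands 0 default group tacacs+ none' while down:
    print(evaluate_method_list(["group tacacs+", "none"], "anyone", "x", tacacs_reachable=False))
```

Under this rule a local-only account can succeed while the server is up only if the tacacs+ method is returning an error rather than a reject, which is consistent with the thread's closing finding that the TACACS server itself was at fault.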
05-27-2018 03:22 AM
Hello,
Your vty lines are missing some things:
line vty 0 4
exec-timeout 15 0
password cisco
authorization exec default
accounting exec default
login authentication default
transport input all
05-27-2018 03:58 AM
Thanks everyone for your support. The configuration was correct and there was an issue with the TACACS server, and now it's working fine.