1048 Views | 15 Helpful | 6 Replies

Enabling TACACS access only

saleh.alsalamah
Level 1

Hi

We are trying to make management access authentication via TACACS only, with the local username as a standby option if the switch fails to reach the TACACS server, but we can see the local username method working even when the TACACS server is available and working fine. Kindly find the configuration commands below.

 

switch PID: WS-C3850-24P
Version: 03.03.03SE

 

aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+
aaa authentication dot1x default group radius
aaa authorization console
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius

 

tacacs-server host 10.1.80.61 key aruba123
radius-server host 10.1.80.61 key aruba123
!
!
!
!
line con 0
authorization commands 15 quadmin
stopbits 1
line aux 0
stopbits 1
line vty 0 4
transport input all
line vty 5 15

 

COMP-GF-C02-AS2#show tacacs

Tacacs+ Server - public :
Server address: 10.1.80.61
Server port: 49
Socket opens: 105
Socket closes: 105
Socket aborts: 0
Socket errors: 0
Socket Timeouts: 0
Failed Connect Attempts: 0
Total Packets Sent: 133
Total Packets Recv: 133

 

3 Accepted Solutions

6 Replies

GRANT3779
Spotlight

Under the vty lines you can add

login authentication default

Applied, but it is still not solving the issue, and I can't see the command in the running-config!

 

COMP-GF-C02-AS2(config)#li
COMP-GF-C02-AS2(config)#line vty 0 4
COMP-GF-C02-AS2(config-line)#login auth
COMP-GF-C02-AS2(config-line)#login authentication def
COMP-GF-C02-AS2(config-line)#login authentication default
COMP-GF-C02-AS2(config-line)#do sh run | b line vty 0 4
line vty 0 4
transport input all
line vty 5 15
!

I see you are actually using the default method list, so that will be used without the command having to be added. This is most likely why it doesn't show.

I would remove the following from the vty line:

authorization commands 15 quadmin

 

Have you run the test aaa group tacacs+ command to see what you get back?
May also be worth running aaa and tacacs debugs during a login attempt.
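As an added example (not from the thread, Cisco, or any of the posters), a small Python linter that applies the two points raised above to a constructed excerpt of the original poster's config: it flags a line section that references a method list never defined with an `aaa` command (`quadmin` under `line con 0`), and it spells out that `local` listed after `group tacacs+` is only reached when every TACACS+ server returns an error (unreachable or timeout), not when the server rejects the credentials.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt of the running-config posted in the thread (not a live device).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
line con 0
 authorization commands 15 quadmin
line vty 0 4
 transport input all
line vty 5 15
"""

# Global "aaa <type> <list-name> <methods...>" definitions.
AAA_LIST_RE = re.compile(
    r"^aaa (authentication login|authentication enable|authorization exec"
    r"|authorization commands \d+|accounting exec) (\S+) (.+)$"
)
# Per-line references such as "login authentication <list-name>".
LINE_REF_RE = re.compile(
    r"^(login authentication|authorization exec|authorization commands \d+"
    r"|accounting exec) (\S+)$"
)

def parse_aaa(config: str) -> Tuple[Dict[str, List[str]], List[Tuple[str, str, str]]]:
    """Return {"<type> <name>": [methods]} and [(line section, type, name)] references."""
    lists: Dict[str, List[str]] = {}
    refs: List[Tuple[str, str, str]] = []
    section = None
    for raw in config.splitlines():
        text = raw.strip()
        m = AAA_LIST_RE.match(text)
        if m:
            kind, name, methods = m.groups()
            # "group tacacs+" is one method; fold it into a single token.
            lists[f"{kind} {name}"] = methods.replace("group ", "group:").split()
        elif text.startswith("line "):
            section = text
        elif section and (m := LINE_REF_RE.match(text)):
            refs.append((section, m.group(1), m.group(2)))
    return lists, refs

def audit(config: str) -> List[str]:
    """Findings a reviewer would raise: dangling list names and fallback semantics."""
    lists, refs = parse_aaa(config)
    findings = [f"{sec}: '{kind} {name}' references an undefined method list"
                for sec, kind, name in refs if f"{kind} {name}" not in lists]
    login = lists.get("authentication login default", [])
    if "local" in login and login[0] != "local":
        findings.append("authentication login default: 'local' is a fallback used only "
                        "when all tacacs+ servers error; a TACACS reject does not fall through")
    return findings
```

A login that succeeds against the local database while the server is reachable therefore points at the server erroring on the request (which is what the thread eventually found), not at the method list order.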

Hello,

 

your vty lines are missing some things:

 

line vty 0 4
exec-timeout 15 0
password cisco
authorization exec default
accounting exec default
login authentication default
transport input all

saleh.alsalamah
Level 1

Thanks everyone for your support. The configuration was correct and there was an issue with the TACACS server; it is now working fine.
