Solved: TACACS - 9300 switch GUI

craiglebutt · ‎04-21-2023

Hi

I've added a 9300 switch on to ISE and and using the Gui which is working.

My question is I can see a lot of entries being logged on tacacs for authtication, seem to keep login while on the switch, is this normal?

aaa new-model
!
!
aaa group server tacacs+ ISE_Group
server name
server name
server name
!
aaa authentication fail-message ^CCCCCCC_______Failed login in via ISE. Try again.^C
aaa authentication login default group ISE_Group local
aaa authentication enable default group ISE_Group enable
aaa authentication login GUILogin group ISE_Group local
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group ISE_Group local
aaa authorization commands 0 default group ISE_Group local
aaa authorization commands 1 default group ISE_Group local
aaa authorization commands 15 default group ISE_Group local
aaa accounting exec default start-stop group ISE_Group
aaa accounting commands 0 default start-stop group ISE_Group
aaa accounting commands 1 default start-stop group ISE_Group
aaa accounting commands 15 default start-stop group ISE_Group
aaa accounting connection default start-stop group ISE_Group
!
aaa session-id common

Rob Ingram · ‎04-21-2023

@craiglebutt authentication or authorisation? You should see an authorisation entry in the TACACS live logs for each command being run on the switch, which is authorised on ISE.

View solution in original post

Rob Ingram · ‎04-21-2023

@craiglebutt authentication or authorisation? You should see an authorisation entry in the TACACS live logs for each command being run on the switch, which is authorised on ISE.

MHM Cisco World · ‎04-21-2023

you run HTTP in SW, this is why ? you must disable the HTTP