The management VLAN interface

jacobxu80 · ‎07-22-2017

Hi Friends

I am lockout of TACACS authentication and encountered below error messages.

I simulated and recreated the issue and find the 1 statements below are causing this issue.

Switch(config)#aaa authorization console
Switch(config)#end

Please find attached logs.

My customer has no allowance for Switch Reboot now , is there any way i can remedy this issue with no reboot ?

This hardware is a C4507

Error message

------------------------------------------------
Switch con0 is now available

Press RETURN to get started.

% Authorization failed.

Switch con0 is now available

Press RETURN to get started.

% Authorization failed.

Switch con0 is now available

Press RETURN to get started.

% Authorization failed.

------------------------------------------------

Marvin Rhoads · ‎07-22-2017

If you can block the switch IP address from the ability to reach the TACACS servers at some point upstream (like via an ACL or otherwise blocking the path), the switch will know it cannot reach them and, after 3 tries on each server, fall back to local authentication and authorization.

jacobxu80 · ‎07-23-2017

Hi Marvin

Thank you , but there is no layer 3 interfaces on the Switch.

I further isolated that this TACACS lockout is caused by the combination of this 2 statements .

aaa authorization console

aaa authorization exec default group tacacs+ none

Marvin Rhoads · ‎07-23-2017

Is it correct that you have not created a VLAN interface (SVI) on the switch?

If that's true, then even disconnecting the TACACS server won't remedy the failure to authorize as the AAA configuration is invalid and there no default method configured for fallback

A reload will be required.

jacobxu80 · ‎07-23-2017

The management VLAN interface (SVI) on the switch is set to admin down .

Reload will be very costly to the customer and it is not an option for them.

Thank you Marvin , i will check with Cisco TAC for alternatives

TACACS Lockout ! Require remedy with no reboot