07-22-2017 07:09 PM - edited 03-11-2019 12:52 AM
Hi Friends
I am locked out of TACACS authentication and encountered the error messages below.
I simulated and recreated the issue and found that the 1 statement below is causing this issue.
Switch(config)#aaa authorization console
Switch(config)#end
Please find attached logs.
My customer has no allowance for a switch reboot now. Is there any way I can remedy this issue with no reboot?
This hardware is a C4507
Error message
------------------------------------------------
Switch con0 is now available
Press RETURN to get started.
% Authorization failed.
Switch con0 is now available
Press RETURN to get started.
% Authorization failed.
Switch con0 is now available
Press RETURN to get started.
% Authorization failed.
------------------------------------------------
07-22-2017 09:10 PM
If you can block the switch IP address from the ability to reach the TACACS servers at some point upstream (like via an ACL or otherwise blocking the path), the switch will know it cannot reach them and, after 3 tries on each server, fall back to local authentication and authorization.
07-23-2017 01:43 AM
07-23-2017 03:21 AM
Is it correct that you have not created a VLAN interface (SVI) on the switch?
If that's true, then even disconnecting the TACACS server won't remedy the failure to authorize, as the AAA configuration is invalid and there is no default method configured for fallback.
A reload will be required.
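The reply above ties the lockout to an exec authorization method list with no fallback. A pre-change check for that condition follows, as an added example that is not part of the original thread: it flags a saved configuration where `aaa authorization console` is enabled and the exec list that applies to `line con 0` names no `local`, `none` or `if-authenticated` method. The function names and both sample configurations are constructed for illustration, and the check assumes the console uses the `default` list unless `line con 0` names another.

```python
import re

# Methods that let exec authorization complete when no TACACS+ server answers.
FALLBACKS = {"local", "none", "if-authenticated"}

def console_exec_list(config):
    """Name of the exec authorization list applied to 'line con 0'."""
    in_console = False
    for raw in config.splitlines():
        if not raw.startswith(" "):        # a top-level command opens a new block
            in_console = raw.strip() == "line con 0"
        elif in_console:
            m = re.match(r"authorization exec (\S+)", raw.strip())
            if m:
                return m.group(1)
    return "default"                       # assumption: no override means 'default'

def console_lockout_risk(config):
    """Return a finding string, or None if the console keeps a fallback."""
    lines = [l.strip() for l in config.splitlines()]
    if "aaa authorization console" not in lines:
        return None                        # console sessions are not authorized via AAA
    name = console_exec_list(config)
    for line in lines:
        m = re.match(r"aaa authorization exec (\S+) (.+)", line)
        if m and m.group(1) == name:
            methods = m.group(2).split()
            if FALLBACKS.isdisjoint(methods):
                return f"exec list '{name}' has no fallback: {' '.join(methods)}"
            return None
    return None                            # the applicable list is not defined

# Constructed sample: console authorization on, exec list is TACACS+ only.
RISKY = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+
aaa authorization console
!
line con 0
 stopbits 1
"""
# Same configuration with a local fallback appended to the exec list.
SAFE = RISKY.replace("exec default group tacacs+", "exec default group tacacs+ local")

if __name__ == "__main__":
    for label, cfg in (("risky", RISKY), ("safe", SAFE)):
        print(label, "->", console_lockout_risk(cfg))
```

Running it against the candidate configuration before `aaa authorization console` is committed shows whether the console would depend on TACACS+ alone.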
07-23-2017 03:32 AM
The management VLAN interface (SVI) on the switch is set to admin down.
Reload will be very costly to the customer and it is not an option for them.
Thank you Marvin, I will check with Cisco TAC for alternatives.