Tacacs server configuration problem

ArsenLiliyev
Level 1

Greetings everyone! There is a little problem with configuring a TACACS server on a ws-2950-24 model switch. The rest of the switches we have are 2960 series, also 3xxx series and others, more modern versions. We always configured the TACACS server this way:

tacacs-server host 10.x.x.x
tacacs-server key 7 xxxxx    (may be combined into one command, depending on the switch)

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local none
aaa authorization commands 15 default group tacacs+ local none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+

TACACS begins to work after the authorization commands, and the remaining 4 commands you should write after reconnecting to the switch, already via TACACS. In the case of the 2950, the switch accepts all the commands, but TACACS doesn't work. Does anybody know whether this switch needs some additional commands, or whether its TACACS is configured a different way?

9 Replies

Can you elaborate more?

MHM

For example, on a ws-2960 switch I configure TACACS by writing these commands:

tacacs-server host 10.x.x.x
tacacs-server key 7 xxxxxx    (may be combined into one command, depending on the switch)

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local none
aaa authorization commands 15 default group tacacs+ local none

then the CLI throws me out, and I reconnect, now via TACACS (before, I was connected with a local username by telnet/ssh),

and then I write the remaining commands:

aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+

(I just explain how I configure TACACS every time on all switches)

In the case of the 2950 it doesn't work the same way; it doesn't work at all. The switch accepts all the commands and doesn't deny any of them, but TACACS doesn't work.
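In the AAA lines posted above (in the original post and again here), the methods after `group tacacs+` are tried in order only when the previous method gives no answer, so the last method decides what happens when the TACACS server is unreachable. Below is an added example, not code from this thread, that parses such an AAA block into its method lists and flags the lists ending in `none` and the type 7 key; the sample config, its address and its key are constructed placeholders.

```python
import re

# Constructed sample modelled on the AAA block posted above; the address and
# key are placeholders, not values from any real device.
SAMPLE_CONFIG = """\
tacacs-server host 10.0.0.1
tacacs-server key 7 PLACEHOLDER
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local none
aaa authorization commands 15 default group tacacs+ local none
aaa accounting exec default start-stop group tacacs+
"""

# aaa <service> <type [level]> <list-name> <methods...>; lines such as
# "aaa new-model" or "aaa authorization config-commands" carry no list and are skipped
AAA_RE = re.compile(r"^aaa (authentication|authorization|accounting) "
                    r"(\w+(?: \d+)?) (\S+) (.+)$")
RECORD_TYPES = {"start-stop", "stop-only", "wait-start", "none"}

def parse_method_lists(config):
    """Return one dict per AAA method-list line, with methods kept in IOS order."""
    lists = []
    for line in config.splitlines():
        m = AAA_RE.match(line.strip())
        if not m:
            continue
        service, kind, name, rest = m.groups()
        methods = re.findall(r"group \S+|\S+", rest)  # "group tacacs+" is one method
        if service == "accounting" and methods and methods[0] in RECORD_TYPES:
            methods.pop(0)  # accounting lines put a record type before the methods
        lists.append({"service": service, "type": kind, "name": name, "methods": methods})
    return lists

def audit(config):
    """Flag lists whose last method is 'none' and shared keys stored as type 7."""
    findings = []
    for ml in parse_method_lists(config):
        if ml["service"] != "accounting" and ml["methods"][-1:] == ["none"]:
            findings.append(f"{ml['service']} {ml['type']} list {ml['name']}: ends in "
                            "'none', so if every earlier method errors (e.g. TACACS+ "
                            "unreachable) the request is permitted without any check")
    if re.search(r"^tacacs-server key 7 ", config, re.M):
        findings.append("tacacs-server key is type 7: reversible obfuscation, not a hash")
    return findings
```

Run `audit(SAMPLE_CONFIG)` against the output of `show running-config | include ^aaa|^tacacs-server` pasted in place of the sample to review a real device's fallbacks.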

Show aaa server <- share this 

MHM

ArsenLiliyev
Level 1

For some reason I couldn't upload a screenshot to show it, so I'll write it out. The switch doesn't recognize this command. There is no command beginning with the word aaa. Here:

QAPI1#show aaa ?
% Unrecognized command
QAPI1#show aaa


QAPI1#show ?
access-lists List access lists
accounting Accounting data for active sessions
aliases Display alias commands
arp ARP table
boot show boot attributes
buffers Buffer pool statistics
cdp CDP information
clock Display the system clock
cluster


These commands are not all of them.

Let's start with auth.

- did you access using a local user or a user on the server?

- if you use a local user, what privilege did you configure for this user?

- if you use the server, what privilege did you set on the server?

MHM

ArsenLiliyev
Level 1

I just wrote the command "username admin privilege 15 secret 5 CryptedPassword", that's it. And I wrote login local in the line vty configuration. So it is a local user and the privilege level is 15. I connected to the switch with this login and password via telnet.

Richard Pidcock
Level 1

Have you tried defining your tacacs servers as follows:

aaa group server tacacs+ NAME
 server-private x.x.x.x key *****************
 server-private y.y.y.y key ******************
 ip tacacs source-interface Gix/x
!
aaa authentication login default group NAME local

Richard W. Pidcock

Doesn't work also:

I1(config)#aaa gr
QAPI1(config)#aaa group se
QAPI1(config)#aaa group server ta
QAPI1(config)#aaa group server tacacs+ ABCD
QAPI1(config-sg-tacacs+)#ser
QAPI1(config-sg-tacacs+)#server-p
QAPI1(config-sg-tacacs+)#server-pr
QAPI1(config-sg-tacacs+)#server pr
QAPI1(config-sg-tacacs+)#server ?
Hostname or A.B.C.D IP address of TACACS server
<cr>

QAPI1(config-sg-tacacs+)#server 10.14.14.9 ke
QAPI1(config-sg-tacacs+)#server 10.14.14.9 ?
<cr>

QAPI1(config-sg-tacacs+)#server 10.14.14.9
QAPI1(config-sg-tacacs+)#k
QAPI1(config-sg-tacacs+)#?

Doesn't recognize the commands.

You have two users: admin on the server and admin in the local DB.

You access using admin on the server; this gives you a privilege (I don't know what it will be) and hence some commands are missing.

Try disconnecting the server from the SW, access again and do show run.

Check login under vty and console, and the commands will appear to you.

MHM
