Prime 1.4 - no aaa authentication tacacs+ server

Anybody know the equivalent command "no aaa authentication tacacs+ server" on PI 1.4. I saw this command on PI 2.2 but I can´t find something similar on 1.4.
Thanks in advanced.

Check the following Command line manual for PI 1.4
http://www.cisco.com/c/en/us/td/docs/wireless/prime_infrastructure/1-4/command/reference/cli14.html
Apart from that I found this ,let me know if it helps.
Select a command
    Add TACACS+ Server—See the “Add TACACS+ Server” section.
    Delete TACACS+ Server—Select a server or servers to be deleted, select this command, and click Go to delete the server(s) from the database.
Add TACACS+ Server
Choose Administration > AAA > TACACS+ from the left sidebar menu to access this page. From the Select a command drop-down list choose Add TACACS+ Server , and click Go to access this page.
This page allows you to add a new TACACS+ server to Prime Infrastructure.
    Server Address—IP address of the TACACS+ server being added.
    Port—Controller port.
    Shared Secret Format—ASCII or Hex.
    Shared Secret—The shared secret that acts as a password to log in to the TACACS+ server.
    Confirm Shared Secret—Reenter TACACS+ server shared secret.
    Retransmit Timeout—Specify retransmission timeout value for a TACACS+ authentication request.
    Retries—Number of retries allowed for authentication request. You can specify a value between 1 and 9.
    Authentication Type—Two authentication protocols are provided. Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP).
Command Buttons
    Submit
    Cancel
Note • Enable the TACACS+ server with the AAA Mode Settings. See the “Configuring AAA Mode” section.
    You can add only three servers at a time in Prime Infrastructure.

Similar Messages

Aaa authentication tacacs+

Does anyone know what this ACS 5.4 cli config command is for, "aaa authentication tacacs+......".
It cannot be found in the cli reference guid.
b.r.
Thomas

admin# show version
Cisco Application Deployment Engine OS Release: 2.0
ADE-OS Build Version: 2.0.3.061
ADE-OS System Architecture: i386
Copyright (c) 2005-2011 by Cisco Systems, Inc.
All rights reserved.
Hostname: name
Version information of installed applications
Cisco ACS VERSION INFORMATION
Version : 5.4.0.46.2
Internal Build ID : B.221
Patches :
5-4-0-46-1
5-4-0-46-2

PIX AAA To tacacs server not reliable

I've got a couple of different platforms of PIX, 535s and FWSMs mainly all running the latest code. I have them all configured similarly with regards to AAA via tacacs:
aaa-server TACACS protocol tacacs+
aaa-server TACACS host <Removed> key <removed>
username <removed> password <removed> encrypted privilege 15
aaa authentication enable console TACACS LOCAL
aaa authentication ssh console TACACS LOCAL
aaa authentication telnet console TACACS LOCAL
aaa accounting command TACACS
Now, sometimes I can get in with my tacacs account but other times I have to use the local backup account. There seems to be no reason behind it. My routers all pointing to the same TACACS server have no issues like this. The PIX's however are totally unreliable in this regard.
Anyone experiencing this?

Hello mlipsey,
This shouldn't be. Do the ACS logs reveal anything? What about
debug tacacs
debug aaa authentication
Can you send 1000 pings to the tacacs server from your FWs without issue? Any packet loss?
Hope this helps! If so, please rate.
Thanks!

Acs 4.2 :- router# test aaa group tacacs+ uid pwd .... works but not when authenticating

I have setup ACS 4.2 and when I run
router# test aaa group tacacs+ myuser mypasswd [ legacy | new-code]
Both options work fine
But when I try and login, over telnet, the request reaches the aaa server, but returns fail !
My commands are :-
tacacs-server host xx.xx.xx.xx single-connection port 49
tacacs-server key xxxxxxxxxxx
aaa authentication banner ^CUnauthorized access forbidden^C
aaa authentication username-prompt "Enter Username: "
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
I dont see the banner NOR the "Enter Username:" prompt.
Also a debug aaa authentication and debug aaa subsys show that the request reaches AAA, but it simply returns fail
I had the same issue in 5.1, but that was due to the tacacs+ single-connection not being set or something similar, and the error
there was "shared secret does not match", on the AAA server logs
I am still new to 4.2, so am still trying to determine where the log files are etc, but since it works with the test command, I cant
seem to understand why it fails with telnet
Any idea why this may be happning ?
Thanks

I tried both the sugestion.. no luck
Below are th eoutput of debug, with some lines in BOLD to help you
find interesting lines in the log output.
Thanks
fixeddemo#sh run | inc tacacs
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
ip tacacs source-interface FastEthernet0/1
tacacs-server host 10.1.7.15
tacacs-server key xxxxxxxxxx
fixeddemo#sh debugging
General OS:
TACACS+ events debugging is on
TACACS+ authentication debugging is on
TACACS+ packets debugging is on
AAA Authentication debugging is on
AAA Subsystem debugs debugging is on
fixeddemo#
Jun 17 14:15:54.666: AAA/BIND(00000072): Bind i/f
Jun 17 14:15:54.666: AAA/AUTHEN/LOGIN (00000072): Pick method list 'default'
Jun 17 14:15:54.666: AAA SRV(00000072): process authen req
Jun 17 14:15:54.670: AAA SRV(00000072): Authen method=SERVER_GROUP tacacs+
Jun 17 14:15:54.670: TPLUS: Queuing AAA Authentication request 114 for processin
g
Jun 17 14:15:54.670: TPLUS: processing authentication start request id 114
Jun 17 14:15:54.670: TPLUS: Authentication start packet created for 114()
Jun 17 14:15:54.670: TPLUS: Using server 10.1.7.15
Jun 17 14:15:54.670: TPLUS(00000072)/0/NB_WAIT/45585278: Started 5 sec timeout
Jun 17 14:15:54.674: TPLUS(00000072)/0/NB_WAIT: socket event 2
Jun 17 14:15:54.674: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
Jun 17 14:15:54.674: T+: session_id 3123693045 (0xBA2FC5F5), dlen 24 (0x18)
Jun 17 14:15:54.674: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
Jun 17 14:15:54.674: T+: svc:LOGIN user_len:0 port_len:6 (0x6) raddr_len:10 (0xA
) data_len:0
Jun 17 14:15:54.674: T+: user:
Jun 17 14:15:54.674: T+: port: tty515
Jun 17 14:15:54.674: T+: rem_addr: 10.1.1.216
Jun 17 14:15:54.674: T+: data:
Jun 17 14:15:54.674: T+: End Packet
Jun 17 14:15:54.674: TPLUS(00000072)/0/NB_WAIT: wrote entire 36 bytes request
Jun 17 14:15:54.674: TPLUS(00000072)/0/READ: socket event 1
Jun 17 14:15:54.674: TPLUS(00000072)/0/READ: Would block while reading
Jun 17 14:15:54.674: TPLUS(00000072)/0/READ: socket event 1
Jun 17 14:15:54.674: TPLUS(00000072)/0/READ: read entire 12 header bytes (expect
16 bytes data)
Jun 17 14:15:54.674: TPLUS(00000072)/0/READ: socket event 1
Jun 17 14:15:54.674: TPLUS(00000072)/0/READ: read entire 28 bytes response
Jun 17 14:15:54.674: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
Jun 17 14:15:54.674: T+: session_id 3123693045 (0xBA2FC5F5), dlen 16 (0x10)
Jun 17 14:15:54.674: T+: AUTHEN/REPLY status:4 flags:0x0 msg_len:10, data_len:0
fixeddemo#
Jun 17 14:15:54.674: T+: msg: Username:
Jun 17 14:15:54.674: T+: data:
Jun 17 14:15:54.678: T+: End Packet
Jun 17 14:15:54.678: TPLUS(00000072)/0/45585278: Processing the reply packet
Jun 17 14:15:54.678: TPLUS: Received authen response status GET_USER (7)
Jun 17 14:15:54.678: AAA SRV(00000072): protocol reply GET_USER for Authenticati
on
Jun 17 14:15:54.678: AAA SRV(00000072): Return Authentication status=GET_USER
fixeddemo#
Jun 17 14:15:58.794: AAA SRV(00000072): process authen req
Jun 17 14:15:58.794: AAA SRV(00000072): Authen method=SERVER_GROUP tacacs+
Jun 17 14:15:58.794: TPLUS: Queuing AAA Authentication request 114 for processin
g
Jun 17 14:15:58.794: TPLUS: processing authentication continue request id 114
Jun 17 14:15:58.794: TPLUS: Authentication continue packet generated for 114
Jun 17 14:15:58.794: TPLUS(00000072)/0/WRITE/47194394: Started 5 sec timeout
Jun 17 14:15:58.794: T+: Version 192 (0xC0), type 1, seq 3, encryption 1
Jun 17 14:15:58.794: T+: session_id 3123693045 (0xBA2FC5F5), dlen 10 (0xA)
Jun 17 14:15:58.794: T+: AUTHEN/CONT msg_len:5 (0x5), data_len:0 (0x0) flags:0x0
Jun 17 14:15:58.794: T+: User msg:
Jun 17 14:15:58.794: T+: User data:
Jun 17 14:15:58.794: T+: End Packet
Jun 17 14:15:58.794: TPLUS(00000072)/0/WRITE: wrote entire 22 bytes request
Jun 17 14:15:58.798: TPLUS(00000072)/0/READ: socket event 1
Jun 17 14:15:58.798: TPLUS(00000072)/0/READ: read entire 12 header bytes (expect
16 bytes data)
Jun 17 14:15:58.798: TPLUS(00000072)/0/READ: socket event 1
Jun 17 14:15:58.798: TPLUS(00000072)/0/READ: read entire 28 bytes response
Jun 17 14:15:58.798: T+: Version 192 (0xC0), type 1, seq 4, encryption 1
Jun 17 14:15:58.798: T+: session_id 3123693045 (0xBA2FC5F5), dlen 16 (0x10)
fixeddemo#
Jun 17 14:15:58.798: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:10, data_len:0
Jun 17 14:15:58.798: T+: msg: Password:
Jun 17 14:15:58.798: T+: data:
Jun 17 14:15:58.798: T+: End Packet
Jun 17 14:15:58.798: TPLUS(00000072)/0/47194394: Processing the reply packet
Jun 17 14:15:58.798: TPLUS: Received authen response status GET_PASSWORD (8)
Jun 17 14:15:58.798: AAA SRV(00000072): protocol reply GET_PASSWORD for Authenti
cation
Jun 17 14:15:58.798: AAA SRV(00000072): Return Authentication status=GET_PASSWOR
D
fixeddemo#
Jun 17 14:16:02.502: AAA SRV(00000072): process authen req
Jun 17 14:16:02.502: AAA SRV(00000072): Authen method=SERVER_GROUP tacacs+
Jun 17 14:16:02.502: TPLUS: Queuing AAA Authentication request 114 for processin
g
Jun 17 14:16:02.502: TPLUS: processing authentication continue request id 114
Jun 17 14:16:02.502: TPLUS: Authentication continue packet generated for 114
Jun 17 14:16:02.502: TPLUS(00000072)/0/WRITE/47194394: Started 5 sec timeout
Jun 17 14:16:02.502: T+: Version 192 (0xC0), type 1, seq 5, encryption 1
Jun 17 14:16:02.502: T+: session_id 3123693045 (0xBA2FC5F5), dlen 14 (0xE)
Jun 17 14:16:02.502: T+: AUTHEN/CONT msg_len:9 (0x9), data_len:0 (0x0) flags:0x0
Jun 17 14:16:02.502: T+: User msg:
Jun 17 14:16:02.502: T+: User data:
Jun 17 14:16:02.502: T+: End Packet
Jun 17 14:16:02.506: TPLUS(00000072)/0/WRITE: wrote entire 26 bytes request
Jun 17 14:16:02.550: TPLUS(00000072)/0/READ: socket event 1
Jun 17 14:16:02.550: TPLUS(00000072)/0/READ: read entire 12 header bytes (expect
6 bytes data)
Jun 17 14:16:02.550: TPLUS(00000072)/0/READ: socket event 1
Jun 17 14:16:02.550: TPLUS(00000072)/0/READ: read entire 18 bytes response
Jun 17 14:16:02.550: T+: Version 192 (0xC0), type 1, seq 6, encryption 1
Jun 17 14:16:02.554: T+: session_id 3123693045 (0xBA2FC5F5), dlen 6 (0x6)
fixeddemo#
Jun 17 14:16:02.554: T+: AUTHEN/REPLY status:2 flags:0x0 msg_len:0, data_len:0
Jun 17 14:16:02.554: T+: msg:
Jun 17 14:16:02.554: T+: data:
Jun 17 14:16:02.554: T+: End Packet
Jun 17 14:16:02.554: TPLUS(00000072)/0/47194394: Processing the reply packet
Jun 17 14:16:02.554: TPLUS: Received authen response status FAIL (3)
Jun 17 14:16:02.554: AAA SRV(00000072): protocol reply FAIL for Authentication
Jun 17 14:16:02.554: AAA SRV(00000072): Return Authentication status=FAIL
fixeddemo#
[ The output below is for the next Username: prompt I believe]Jun 17 14:16:04.554: AAA/AUTHEN/LOGIN (00000072): Pick method list 'default'
Jun 17 14:16:04.554: AAA SRV(00000072): process authen req
Jun 17 14:16:04.554: AAA SRV(00000072): Authen method=SERVER_GROUP tacacs+
Jun 17 14:16:04.554: TPLUS: Queuing AAA Authentication request 114 for processin
g
Jun 17 14:16:04.554: TPLUS: processing authentication start request id 114
Jun 17 14:16:04.554: TPLUS: Authentication start packet created for 114()
Jun 17 14:16:04.554: TPLUS: Using server 10.1.7.15
Jun 17 14:16:04.554: TPLUS(00000072)/0/NB_WAIT/47194394: Started 5 sec timeout
Jun 17 14:16:04.558: TPLUS(00000072)/0/NB_WAIT: socket event 2
Jun 17 14:16:04.558: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
Jun 17 14:16:04.558: T+: session_id 2365877689 (0x8D046DB9), dlen 24 (0x18)
Jun 17 14:16:04.558: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
Jun 17 14:16:04.558: T+: svc:LOGIN user_len:0 port_len:6 (0x6) raddr_len:10 (0xA
) data_len:0
Jun 17 14:16:04.558: T+: user:
Jun 17 14:16:04.558: T+: port: tty515
Jun 17 14:16:04.558: T+: rem_addr: 10.1.1.216
Jun 17 14:16:04.558: T+: data:
Jun 17 14:16:04.558: T+: End Packet
Jun 17 14:16:04.558: TPLUS(00000072)/0/NB_WAIT: wrote entire 36 bytes request
Jun 17 14:16:04.558: TPLUS(00000072)/0/READ: socket event 1
Jun 17 14:16:04.558: TPLUS(00000072)/0/READ: Would block while reading
Jun 17 14:16:04.562: TPLUS(00000072)/0/READ: socket event 1
Jun 17 14:16:04.562: TPLUS(00000072)/0/READ: read entire 12 header bytes (expect
43 bytes data)
Jun 17 14:16:04.562: TPLUS(00000072)/0/READ: socket event 1
Jun 17 14:16:04.562: TPLUS(00000072)/0/READ: read entire 55 bytes response
Jun 17 14:16:04.562: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
Jun 17 14:16:04.562: T+: session_id 2365877689 (0x8D046DB9), dlen 43 (0x2B)
Jun 17 14:16:04.562: T+: AUTHEN/REPLY status:4 flags:0x0 msg_len:37, data_len:0
Jun 17 14:16:04.562: T+: msg: 0x0A User Access Verification 0x0A 0x0A Usernam
e:
fixeddemo#
Jun 17 14:16:04.562: T+: data:
Jun 17 14:16:04.562: T+: End Packet
Jun 17 14:16:04.562: TPLUS(00000072)/0/47194394: Processing the reply packet
Jun 17 14:16:04.562: TPLUS: Received authen response status GET_USER (7)
Jun 17 14:16:04.562: AAA SRV(00000072): protocol reply GET_USER for Authenticati
on
Jun 17 14:16:04.562: AAA SRV(00000072): Return Authentication status=GET_USER
fixeddemo#

PIX 525 aaa authentication with both tacacs and local

Hi,
I have configured the aaa authentication for the PIX with tacacs protocol (ACS Server).
It works fine, now i would like to add the back up authentication, as follows:
- If the ACS goes down i can to be authenticated with the local database.
Is it possible with PIX, if yes how?

Hi,
I am trying to configure aaa using TACACS+ , i am not able to close.Problems are
1.It dosent ask for username /password in first level.
2.on second level it asks for user name it dosent authenticate the user .
Cud u pls let me know if the following config is correct.If not cud u help me .
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (outside) host ip.ip.ip.ip key timeout 15
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication include tcp/0 inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+
aaa authentication include tcp/0 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+
aaa authen enable console TACACS+

AAA Authentication & Accounting using Tacacs+ Commands order

In the cisco Remote Access Companion guide book page 394 we have got this configuration lines :
RTA(config)#tacacs-server host 192.168.0.11
RTA(config)#tacacs-server host 192.168.0.12
RTA(config)#tacacs-server key topsecret
RTA(config)#aaa new-model
RTA(config)#aaa authentication login default group tacacs+
If I want to add to the configuration above ,the command below :
RTA(config)#aaa accounting connection defult stop-start tacacs+
Is it necessary for the above lines to be in a specific order when I configure RTA ?

The first tacacs server listed will the first tacacs server queried. I would make may primary ACS the first listed. Everything else looks good.

Tacacs-server key working in some Cisco switches for AAA, but not in other switches???

Good day,
Has anyone experienced this before? I am using Cisco ACS 5.2. I have a very simple word (no, not cisco ) for my tacacs-server key. I've used the same key within the ACS and on two other Cisco switches, and AAA is working fine between the two switches; however, in setting up the key via the ACS and on a third Cisco switch and using PuTTY, I'm getting the error of "Access Denied. Using keyboard-interactive authentication."
I've re-entered the simple tacacs key multiple times within the ACS and on the switch making sure to not fat finger or misspell it.
I don't think there is a problem with the AAA setup I have within the switches as all of the AAA configs are the same on every switch we have.
Any other possible ideas anyone can suggest?
Cliffs:
-tacacs-server key is a simple key and is the same for every switch and within ACS
-AAA config is the same on every switch, so I do not believe it to be a AAA config issue
-Running config on switch that is not working is pretty much the same as the other two working switches
Any advice is greatly appreciated.
Thanks,
Y

Hi, and thank you for your reply back; however, when I got into the Authentication logs, I see nothing, like it's not even logging the failed attempts.

Aaa authentication enable default group tacacs+ enable

I am implementing CSACS 4.0. First on the client, I will apply aaa authenticatio/ authorization under vty. The issure if I use the followin command
aaa authentication enable default group tacacs+ enable
what will happen if I login via console? Will I be required to enter any username/password?
Below is my configuration
aaa new-model
aaa authentication login authvty group TACACS + local
aaa authentication enable default group tacacs+ enable
aaa authorization commands 15 authvty TACACS+ local
TACACS-server host IP
Tacacs-server key key
Ip tacacs source-interface VLAN 3
aaa accounting send stop-record authentication failure
aaa accounting delay-start
aaa accounting exec authvty start-stop group tacacs+
aaa accounting commands 15 authvty start-stop group tacacs+
aaa accounting connection authvty start-stop group tacacs+
line vty 0 15
login authentication authvty
authorization commands 15 authvty
accounting connection authvty
accounting commands 15 authvty
accunting exec authvty
Any suggestion will be appreciated!

It should work because this is a message.banner prompt everytime you try to login (console/vty). I have it configured on my router.
If you have banner motd, it will be displayed as well (see below). So I ahve to remove it to get only the aaa banner & prompt being displayed:
*** Username: cisco, Password: cisco (priv 15f - local) ****
Unauthorized use is prohibited.
Enter your name here: user1
Enter your password now:
Router#
The config more or less looks like:
aaa new-model
aaa authentication banner ^CUnauthorized use is prohibited.^C
aaa authentication password-prompt "Enter your password now:"
aaa authentication username-prompt "Enter your name here:"
aaa authentication login default group radius
aaa authentication login CONSOLE local
HTH
AK

How to configure management authentication on IAP using Tacacs Server?

Requirement:
Instant access points come with default username and password i.e admin/admin. This does not go long way, as the IAP start finding their place in campus and corporate networks.
With many administrators managing and monitoring the clustered IAP networks, TACACS or Active Directory based authentication is more useful.
Solution:
Keep this in view, IAP development teams have integrated TACACS and Radius based management authentication.
Configuration:
Follow the below steps to configure radius authentication in IAP:
Login to IAP web interface
Select "System" from the main menu and then click on "Admin" tab
Under local authentication, select as "Authentication Server"
Under the "Auth Server 1" Select "New Server"
Filling the name, IP address and shared key for Tacacs server and click OK.
Verification
Logout of the IAP web interface and try logging in using the username and password on TACACS server.

I was having troubles with this as well when a customer had an older Aruba Controller and 2 Access Points. We went with a couple IAP-205s and needed LDAP integration. Using the above configuration there were some additional items needed. I found that I needed the DISPLAY NAME of the admin for the Admin-DN. I had created a user with the first name Aruba and the last name LDAP. This made the DISPLAY NAME "Aruba LDAP". This is what needs to be in the CN= for the Admin-DN.I also found there is a difference in using the CN= and OU=Currently our admin account is in the Users group which is a “Container”. Our actual user accounts are stored in an Orginizational Unit with sub OUs as well. So the Admin-DN needed the CN=Users and the Base-DN needed the OU=MyUserOU.For the windows machines I had to download and install the Aruba GTC Shim because the customer was previously using GTC and they were not going to a RADIUS server at the moment. My Android phone and IPHONE did not need any additional addins for the authentication. The windows laptop I am using I needed to manually create a wireless profile with… Security Tab >“Choose a network authentication method:”Microsoft: Protected EAP (PEAP)Settings >Select “Trusted Root Certification Authorities”GeoTrust Global CASelect Authentication Method:EAP-Token (This is the Aruba GTC Shim) This allowed me to use my domain login credentialsUsernamePasswordDomain (This is blank because the Base-DN already has this, if anything is put in here the authentication fails)

Cisco AAA authentication with windows radius server

Cisco - Windows Radius problems
I need to created a limited access group through radius that I can have new network analysts log into
and not be able to commit changes or get into global config.
Here are my current radius settings
aaa new-model
aaa group server radius IAS
server name something.corp
aaa authentication login USERS local group IAS
aaa authorization exec USERS local group IAS
radius server something.corp
address ipv4 1.1.1.1 auth-port 1812 acct-port 1813
key mypassword
line vty 0 4
access-class 1 in
exec-timeout 0 0
authorization exec USERS
logging synchronous
login authentication USERS
transport input ssh
When I log in to the switch, the radius server is passing the corrrect attriubute
***Jan 21 13:59:51.897: RADIUS:   Cisco AVpair       [1]   18 "shell:priv-lvl=7"
The switch is accepting it and putting you in the correct priv level.
***Radius-Test#sh priv
   Current privilege level is 7
I am not sure why it logs you in with the prompt for privileged EXEC mode when
you are in priv level 7. This shows that even though it looks like your in priv exec
mode, you are not.
***Radius-Test#sh run
                ^
   % Invalid input detected at '^' marker.
   Radius-Test#
Now this is where I am very lost.
I am in priv level 7, but as soon as I use the enable command It moves me up to 15, and that gives me access to
global config mode.
***Radius-Test#enable
   Radius-Test#
Debug log -
Jan 21 14:06:28.689: AAA/MEMORY: free_user (0x2B46E268) user='reynni10'
ruser='NULL' port='tty390' rem_addr='10.100.158.83' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
Now it doesnt matter that I was given priv level 7 by radius because 'enable' put me into priv 15
***Radius-Test#sh priv
   Current privilege level is 15
   Radius-Test#
I have tried to set
***privilege exec level 15 enable
It works and I am no longer able to use 'enable' when I am at prv level 7, but I also cannot get the commands they will need to work.
Even if I try to do
***privilege exec level 7 show running-config (or other variations)
It will allow you to type sh run without errors, but it doest actually run the command.
What am I doing wrong?
I also want to get PKI working with radius.

I can run a test on my radius system, will report back accordingly, as it's a different server than where I am currently located.
Troubleshooting, have you deleted the certificate/network profile on the devices and started from scratch?

Not able to login to router using ssh when TACACS server is down

When TACACS server is not reachable router is not allowing the local password to login using ssh. Router's SSH debug says authentication is successful but ssh client gets % Authorization failed meassage and disconnects.
kindly see below debug output and config
SSH server end:
Sep 1 13:25:10.161: SSH1: starting SSH control process
Sep 1 13:25:10.165: SSH1: sent protocol version id SSH-1.5-Cisco-1.25
Sep 1 13:25:10.241: SSH1: protocol version id is - SSH-1.5-Cisco-1.25
Sep 1 13:25:10.241: SSH1: SSH_SMSG_PUBLIC_KEY msg
Sep 1 13:25:10.397: SSH1: SSH_CMSG_SESSION_KEY msg - length 112, type 0x03
Sep 1 13:25:10.397: SSH: RSA decrypt started
Sep 1 13:25:10.925: SSH: RSA decrypt finished
Sep 1 13:25:10.925: SSH: RSA decrypt started
Sep 1 13:25:11.165: SSH: RSA decrypt finished
Sep 1 13:25:11.197: SSH1: sending encryption confirmation
Sep 1 13:25:11.197: SSH1: keys exchanged and encryption on
Sep 1 13:25:11.269: SSH1: SSH_CMSG_USER message received
Sep 1 13:25:11.269: SSH1: authentication request for userid rao
Sep 1 13:25:16.297: SSH1: SSH_SMSG_FAILURE message sent
Sep 1 13:25:17.313: SSH1: SSH_CMSG_AUTH_PASSWORD message received
Sep 1 13:25:17.317: SSH1: authentication successful for rao
Sep 1 13:25:17.413: SSH1: requesting TTY
Sep 1 13:25:17.413: SSH1: setting TTY - requested: length 25, width 80; set: le
ngth 25, width 80
Sep 1 13:25:17.525: SSH1: SSH_CMSG_EXEC_SHELL message received
Sep 1 13:25:17.525: SSH1: starting shell for vty
Sep 1 13:25:25.033: SSH1: Session terminated normally
SSH Client end Log:
% Authorization failed.
[Connection to 10.255.15.2 closed by foreign host]
COnfig:
aaa authentication login default group tacacs+ line local
aaa authentication login NO_AUTH line
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization configuration default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
ip domain-name cbi.co.in
crypto key generate rsa
ip ssh time-out 60
ip ssh authentication-retries 3
line vty 0 4
password xxxx
transport input telnet ssh
Kindly reply your views

I believe that the key to understanding your problem is to recognize the subtle difference between authentication and authorization. The authentication process appears that it does succeed but the authorization process has failed according to your error message:
% Authorization failed.
I see that most of your authorization commands include the parameter if-authenticated. But this command does not:
aaa authorization config-commands
I would suggest that you add the if-authenticated parameter to this command and see if it does not fix your problem.
HTH
Rick

IP address sent to TACACS server

Setup a TACACS server on out network to control console and telnet access to routers and switches. Most of our remote routers have multiple wan paths to the TACACS servers and may present a different IP address depending on which path is available or least busy. This causes an authentication failure that denies access to the equipment. Is there a way to configure the router to always send a specific address, either a loopback or internal LAN IP?

Hi
FYI,
Device Filter—Filters a network device (AAA client) that acts as a Policy Enforcement Point (PEP) to the end station based on the network device's IP address or name, or the network device group that it belongs to.
The device identifier can be the IP address or name of the device, or it can be based on the network device group to which the device belongs.
The IP address is a protocol-agnostic attribute of type IPv4 that contains a copy of the device IP address obtained from the request:
–In a RADIUS request, if Attribute 4 (NAS-IP-Address) is present, ACS obtains the IP address from Attribute 4; otherwise, if Attribute 32 (NAS-Identifier) is present, ACS obtains the IP address from Attribute 32, or it obtains the IP address from the packet that it receives.
–In a TACACS request, the IP address is obtained from the packet that ACS receives.

IOS 15 not working with my TACACS server

Hi All,
I recently made some changes to the way my Tacacs server (ACS4.2) handled groups etc..
This all works fine and when I log onto my devices I get prompted for my credentials, which authenticate against AD. However, since I made these changes none of the devices on IOS 15 now authenticate. I am immediately prompted for a local password rather than a username and password..
I understand that the commands for Tacacs changeda bit in IOS15 but from what I have read and changed I'm still having trouble. Config below from once of the routers I'm having trouble with...
Am I missing something?
aaa new-model
aaa group server tacacs+ ACS1
server name AUTH
aaa authentication login ACS-List group ACS1 local
aaa authorization exec ACS-List group ACS1 local
aaa accounting commands 15 ACS-List
action-type start-stop
group ACS1
aaa session-id common
acacs-server directed-request
tacacs server AUTH
address ipv4 172.x.x.x
key 7 xxxxxxxx
and on my VTY Lines...
privilege level 15
password 7 151619050826222A2F
authorization exec ACS-List
accounting commands 15 ACS-List
accounting exec ACS-List
login authentication ACS-List
length 0
transport input telnet ssh

I ran those debugs, then tried to login on another telnet session -
Jul 2 15:01:57.278: TPLUS: Queuing AAA Accounting request 1781 for processing
Jul 2 15:01:57.278: TPLUS: processing accounting request id 1781
Jul 2 15:01:57.278: TPLUS: Sending AV task_id=1997
Jul 2 15:01:57.278: TPLUS: Sending AV timezone=SIN
Jul 2 15:01:57.278: TPLUS: Sending AV service=shell
Jul 2 15:01:57.278: TPLUS: Sending AV start_time=1372777317
Jul 2 15:01:57.278: TPLUS: Sending AV priv-lvl=15
Jul 2 15:01:57.278: TPLUS: Sending AV cmd=terminal monitor
Jul 2 15:01:57.278: TPLUS: Accounting request created for 1781(admin)
Jul 2 15:01:57.278: TPLUS: using previously set server 172.x.x.x from group ACS1
Jul 2 15:01:57.278: TPLUS(000006F5)/0/NB_WAIT/3120C74C: Started 5 sec timeout
Jul 2 15:01:57.630: TPLUS(000006F5)/0/NB_WAIT: socket event 2
Jul 2 15:01:57.630: TPLUS(000006F5)/0/NB_WAIT: wrote entire 144 bytes request
Jul 2 15:01:57.630: TPLUS(000006F5)/0/READ: socket event 1
Jul 2 15:01:57.630: TPLUS(000006F5)/0/READ: Would block while reading
Jul 2 15:01:57.990: TPLUS(000006F5)/0/READ: socket event 1
Jul 2 15:01:57.990: TPLUS(000006F5)/0/READ: read 0 bytes
Jul 2 15:01:57.990: TPLUS(000006F5)/0/READ: socket event 1
Jul 2 15:01:57.990: TPLUS(000006F5)/0/READ: errno 254
Jul 2 15:01:57.990: TPLUS(000006F5)/0/3120C74C: Processing the reply packet
Jul 2 15:02:11.658: AAA/BIND(000006F9): Bind i/f
Jul 2 15:02:11.658: AAA/AUTHEN/LOGIN (000006F9): Pick method list 'ACS-List'
Jul 2 15:02:11.658: TPLUS: Queuing AAA Authentication request 1785 for processing
Jul 2 15:02:11.658: TPLUS: processing authentication start request id 1785
Jul 2 15:02:11.662: TPLUS: Authentication start packet created for 1785()
Jul 2 15:02:11.662: TPLUS: Using server 172.x.x.x
Jul 2 15:02:11.662: TPLUS(000006F9)/0/NB_WAIT/3120C74C: Started 5 sec timeout
Jul 2 15:02:12.014: TPLUS(000006F9)/0/NB_WAIT: socket event 2
Jul 2 15:02:12.014: TPLUS(000006F9)/0/NB_WAIT: wrote entire 38 bytes request
Jul 2 15:02:12.014: TPLUS(000006F9)/0/READ: socket event 1
Jul 2 15:02:12.014: TPLUS(000006F9)/0/READ: Would block while reading
Jul 2 15:02:12.366: TPLUS(000006F9)/0/READ: socket event 1
Jul 2 15:02:12.366: TPLUS(000006F9)/0/READ: errno 254
Jul 2 15:02:12.366: TPLUS(000006F9)/0/3120C74C: Processing the reply packet
Jul 2 15:02:24.474: AAA/AUTHEN/LOGIN (000006F9): Pick method list 'ACS-List'
Jul 2 15:02:24.474: TPLUS: Queuing AAA Authentication request 1785 for processing
Jul 2 15:02:24.474: TPLUS: processing authentication start request id 1785
Jul 2 15:02:24.474: TPLUS: Authentication start packet created for 1785()
Jul 2 15:02:24.474: TPLUS: Using server 172.x.x.x
Jul 2 15:02:24.474: TPLUS(000006F9)/0/NB_WAIT/3120C74C: Started 5 sec timeout
Jul 2 15:02:24.826: TPLUS(000006F9)/0/NB_WAIT: socket event 2
Jul 2 15:02:24.826: TPLUS(000006F9)/0/NB_WAIT: wrote entire 38 bytes request
Jul 2 15:02:24.826: TPLUS(000006F9)/0/READ: socket event 1
Jul 2 15:02:24.826: TPLUS(000006F9)/0/READ: Would block while reading
Jul 2 15:02:25.178: TPLUS(000006F9)/0/READ: socket event 1
Jul 2 15:02:25.178: TPLUS(000006F9)/0/READ: errno 254
Jul 2 15:02:25.178: TPLUS(000006F9)/0/3120C74C: Processing the reply packet

Cisco Nexus to use Radius AAA authentication using Microsoft 2008 NPS

I have a Nexus 7010 running
Just wondering if you can help me with something. I'm having an issue with command authorization thru our aaa config. We don't have a problem authenticating its command authorization that is not working. From what I have seen and read Nexus NX-OS 6.x does not have any commands for aaa authorization unless you are configuring TACACS+. My basic config is below if you can help it would be much appreciated.
>>ip radius source-interface mgmt 0
>>radius-server key XXXXX
>>radius-server host X.X.X.X key XXXXX authentication accounting
>>radius-server host X.X.X.X key XXXXX authentication accounting aaa
>>authentication login default group Radius_Group aaa authentication
>>login console local aaa group server radius Radius_Group
>>    server X.X.X.X
>>    server X.X.X.X
>>    source-interface mgmt0
Also does anyone know how to configure Microsoft 2008 NPS as a Raduis server to work with Nexus? I have read a few post that suggest changing the
shell:roles="vdc-admin" in the Attribute Value field in the RADIUS server
Does anyone know if this works????
Thanks

I have never done this before with ACS but not with NPS. However, you are in the right path. Nexus uses NX-OS which is different in some regards to regular IOS. One of those differences is the AAA setup. In NX-OS you assign users to roles. So for full access you will need to return the following attributes from your Radius server:
Attribute: cisco-av-pair
Requirement: Mandatory
Value: shell:roles*"network-admin vdc-admin"
For more information take a look at this link:
http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/115925-nexus-integration-acs-00.html
Hope this helps
Thank you for rating helpful posts!

NAS configure with 2 ip address failed on AAA authentication

I have routers configured with 2 bvi interfaces for dlsw.
When I configure NAS setting with 2 ip address, sometime the AAA authentication failed to prompt for user authentication.
Should I used ip tacacs source-interface?
If I configure only one, if that interface is down, then I will not be authentication using AAA even the second bvi interface is up.

Chee
The AAA server identifies the client by a single IP address and the client always needs to use that address as the source address. If you have 2 BVI interfaces it may be that sometimes the source address is one and sometimes the source address may be the other. That would account for the fact that sometimes it promts for user authentication and sometimes it does not prompt.
If using 1 BVI as the source address creates the potential that sometimes it might not work because that interface was down but the other BVI was up, then perhaps you should consider configuring a loopback address and using the loopback address as the source address. If the loopback was the source address then it would not matter which BVI might be up and which might be down.
HTH
Rick

Prime 1.4 - no aaa authentication tacacs+ server

Similar Messages

Maybe you are looking for