TACACS for AAA on Cisco Switch

I have configured our switches for TACACS authentication; however, it does not seem to be working. I know it is trying, as if I remove the secondary login option (local) I am denied access completely, but I see no log on the ACS server. Any ideas? Oh, and this is going across an any-to-any VPN.

Can you log into your switch and turn on debug aaa authentication and debug tacacs?
Then go ahead and issue a test aaa group ... command to test the authentication. Do you see it timing out? Are you using a source interface for this traffic? Is that source interface inside the LAN-to-LAN interesting traffic?

Similar Messages

  • Using TACACS+ for AAA on Cisco ASA

    Hello -
    I have compiled the TACACS+ server software (downloaded from ftp.cisco.com a while ago) and am looking for any hints on how to configure roles for full access and read-only access for our ASA firewalls. Does anybody have configuration examples for the tacacs+ configuration and the ASA configuration? Any hints are welcome.
    Many thanks in advance!
    Regards,
    Stefan

    Have a look at the attached doc
    Narayan

  • Tacacs+ Enable password is not working on Cisco Switch

    Ladies/Gents,
    I am facing issues when enabling tacacs authentication on my Cisco switch: aaa login/password is working, aaa enable is not. Underneath are the details of my devices.
    Cisco ACS 1121: version 5.1
    Cisco Switch 3560: ios ver 15
    I also attached here some documents for your review and comment (switch aaa configuration, debug aaa authentication, ACS captured screen).
    Hoping to receive an update and comment from you soon.
    Thanks,
    Arnold

    Hi Edward,
    I created a new shell profile named "root", as the default one "Permit Access" can't be accessed or modified. Underneath are the steps I've made.
    1. Create a new shell profile named "root" with max privilege of 15, and then use it in the "Default Device Admin/Authorization/Rule-1" shell profile - see attached file for more details.
    2. Telnet to the switch and then issue "debug aaa authentication" using both "Root Shell" and "Permit Access" applied in the Rule-1 profile.
    Note:
    I also attached here the captured screen and debug result for the "shell profiles".

  • Converged 10gig server adapters and Cisco switches

    I have a little network with 4 vSphere servers connected to a clustered 3750x with 4*1Gig NICs per server.
    Servers are connected to central storage with two 8Gbps FC links per server. I don't have FO switches because the central storage is equipped with 4 FO ports per controller.
    I want to upgrade the servers and central storage. Servers will have two converged 10Gig (HP FlexFabric) and 4*1Gig interfaces.
    I need to upgrade the 3750x switches to new ones with 10Gig interfaces.
    I am looking for two new Cisco switches that can handle converged traffic from the server 10Gig interfaces (iSCSI, FCoE).
    A nice feature would be if it is possible to connect the existing FC storage to the new switches.
    Kind regards,
    Vice Lacmanovic

    Hello, vlacmanov.
    I recommend at least the Nexus 5000 to support iSCSI and FCoE over your 10GE interfaces. (http://cs.co/9001SoyL) Do you already have any existing Cisco Nexus on your network?
    Let me know if you have additional concerns or e-mail me directly ([email protected]). Kind regards.

  • Tacacs-server key working in some Cisco switches for AAA, but not in other switches???

    Good day,
    Has anyone experienced this before? I am using Cisco ACS 5.2. I have a very simple word (no, not cisco) for my tacacs-server key. I've used the same key within the ACS and on two other Cisco switches, and AAA is working fine between the two switches; however, in setting up the key via the ACS and on a third Cisco switch and using PuTTY, I'm getting the error "Access Denied. Using keyboard-interactive authentication."
    I've re-entered the simple tacacs key multiple times within the ACS and on the switch making sure to not fat finger or misspell it.
    I don't think there is a problem with the AAA setup I have within the switches as all of the AAA configs are the same on every switch we have.
    Any other possible ideas anyone can suggest?
    Cliffs:
    - tacacs-server key is a simple key and is the same for every switch and within ACS
    - AAA config is the same on every switch, so I do not believe it to be an AAA config issue
    - Running config on the switch that is not working is pretty much the same as on the other two working switches
    Any advice is greatly appreciated.
    Thanks,
    Y

    Hi, and thank you for your reply; however, when I go into the Authentication logs, I see nothing, like it's not even logging the failed attempts.

  • AAA and Cisco MDS switches.........

    I have configured Cisco ACS 4.0 (TACACS) with Windows AD for all Cisco MDS switches and it is working fine. But local "admin" access to the Cisco MDS switches via telnet is not working. At the same time, if I create a user with the "network-admin" role locally, that works, but not the default admin user.
    Could anyone help me in this regard?

    local. Below is the script I used to configure TACACS (Cisco ACS 4.0) on Cisco MDS switches.
    config t
    # Enable TACACS+
    tacacs+ enable
    tacacs-server host nnn.nnn.nnn.nnn key 0 xxxxxx
    tacacs-server host mmm.mmm.mmm.mmm key 0 xxxxx
    # Specify TACACS+ Server groups
    aaa group server tacacs+ tacgrp
    server nnn.nnn.nnn.nnn
    server mmm.mmm.mmm.mmm
    aaa authentication login default group tacgrp
    aaa authentication login console local
    # Enable TACACS+ Accounting
    aaa accounting default group tacgrp local
    end
    copy running-config startup-config
    Thanks
    MOhan

  • Aaa authentication using tacacs+ for LAP

    With an autonomous AP, you can configure aaa authentication using Tacacs+.
    In a lightweight AP, do you have a similar function where you authenticate using tacacs+ when you telnet/ssh into the LAP after it is registered to the WLC?
    Rgds
    Eng Wee

    There really isn't anything you can do on the LAP through telnet/ssh. You can enable TACACS for access to the controller.
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080851f7c.shtml

  • Privilege mode authentication using Tacacs for Cisco Routers

    I am trying to set up a test environment where I need to be asked for both a username and password while entering enable mode from exec mode on a Cisco IOS router. I was told the only way to do that is through Tacacs. But I've not seen any such configuration options on Tacacs in order to set it up right. Has anyone ever done a setup like this before? I would appreciate any help on this. Thanks.

    version 12.3
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    service compress-config
    hostname 2621-3
    boot-start-marker
    boot system flash c2600-i-mz.123-26.bin
    boot-end-marker
    logging buffered 5001 debugging
    no logging console
    no logging monitor
    enable password cisco
    memory-size iomem 10
    clock timezone CST -7
    clock summer-time CST recurring
    aaa new-model
    aaa authentication login default local
    aaa authentication enable default group tacacs+
    aaa authorization exec default group tacacs+ local
    aaa session-id common
    ip subnet-zero
    ip cef
    no ip domain lookup
    ip domain name int.voyence.com
    ip name-server 192.168.21.5
    !key chain jetef
    key 10
      key-string c1sco
    modemcap entry ZOOM
    modemcap entry ZOOM
    username jeff password 0 jeff
    tacacs-server host 192.168.21.230 key cisco
    tacacs-server host 10.6.230.32
    tacacs-server directed-request
    tacacs-server key dakey
    line con 0
    exec-timeout 15 0
    logging synchronous
    speed 115200
    line aux 0
    exec-timeout 15 0
    password 7 104D000A0618
    logging synchronous
    modem InOut
    modem autoconfigure discovery
    terminal-type monitor
    transport input all
    stopbits 1
    flowcontrol hardware
    line vty 0 4
    exec-timeout 15 0
    password cisco
    private
    logging synchronous
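Added as a worked example (not the poster's configuration and not a Cisco tool): a small Python audit that parses running-config text of the kind pasted above and the MDS script earlier on the page, and reports the AAA points these threads keep running into: method lists that consult a server group with no local fallback (the lockout the opening post describes), tacacs-server hosts with no key or with a per-host key that differs from the global one (the mismatch chased in the "Tacacs-server key" thread), and cleartext passwords. The sample config is constructed from the posted one, shortened and with documentation addresses in place of the original IPs.

```python
import re

# Constructed sample modelled on the router config posted in this thread; documentation
# addresses replace the original IPs. Sub-commands are indented as IOS prints them.
SAMPLE_CONFIG = """\
version 12.3
no service password-encryption
hostname 2621-3
enable password cisco
aaa new-model
aaa authentication login default local
aaa authentication enable default group tacacs+
aaa authorization exec default group tacacs+ local
username jeff password 0 jeff
tacacs-server host 192.0.2.230 key cisco
tacacs-server host 192.0.2.32
tacacs-server key dakey
line con 0
 exec-timeout 15 0
line vty 0 4
 exec-timeout 15 0
 password cisco
 transport input all
"""


def _methods(rest: str) -> list:
    """Split 'group tacacs+ local' into ['group tacacs+', 'local']."""
    toks, out, i = rest.split(), [], 0
    while i < len(toks):
        if toks[i] == "group" and i + 1 < len(toks):
            out.append("group " + toks[i + 1])
            i += 2
        else:
            out.append(toks[i])
            i += 1
    return out


def parse_method_lists(cfg: str) -> dict:
    """{(kind, list_name): [methods]} for every 'aaa authentication login|enable' line."""
    return {(k, n): _methods(r) for k, n, r in
            re.findall(r"^aaa authentication (login|enable) (\S+) (.+)$", cfg, re.M)}


def parse_tacacs_servers(cfg: str) -> dict:
    """Map each tacacs-server host to the key it will use: a per-host key wins over the global one."""
    global_key, hosts = None, {}
    for line in cfg.splitlines():
        m = re.match(r"^tacacs-server host (\S+)(?: key (?:[07] )?(\S+))?", line)
        if m:
            hosts[m.group(1)] = m.group(2)
        m = re.match(r"^tacacs-server key (?:[07] )?(\S+)", line)
        if m:
            global_key = m.group(1)
    return {h: (k if k is not None else global_key) for h, k in hosts.items()}


def audit(cfg: str) -> list:
    """Return human-readable findings for the AAA/TACACS+ parts of an IOS-style config."""
    findings = []
    if not re.search(r"^aaa new-model$", cfg, re.M):
        findings.append("aaa new-model missing: the aaa authentication lines are not in effect")
    lists = parse_method_lists(cfg)
    for (kind, name), methods in lists.items():
        uses_group = any(m.startswith("group ") for m in methods)
        if uses_group and not ({"local", "enable", "line", "none"} & set(methods)):
            findings.append(f"aaa authentication {kind} {name}: no fallback after {methods}; "
                            "an unreachable TACACS+ server locks you out")
    if lists.get(("login", "default")) == ["local"] and ("enable", "default") in lists:
        findings.append("login default is local-only while an enable default list exists: "
                        "the server is consulted only at enable")
    servers = parse_tacacs_servers(cfg)
    for host, key in servers.items():
        if key is None:
            findings.append(f"tacacs-server host {host}: no key configured")
    if len({k for k in servers.values() if k}) > 1:
        findings.append("tacacs-server hosts use different keys: check each one against the ACS entry")
    for pattern, msg in [(r"^no service password-encryption$",
                          "no service password-encryption: line/username passwords are not even type-7 obfuscated"),
                         (r"^enable password ", "enable password is cleartext (prefer enable secret)"),
                         (r"^username \S+ password (?:0 )?\S+$", "cleartext username password")]:
        if re.search(pattern, cfg, re.M):
            findings.append(msg)
    current = None  # the 'line ...' section the indented sub-commands belong to
    for raw in cfg.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            continue
        if not raw.startswith(" "):
            current = None
            continue
        sub = raw.strip()
        if current and sub.startswith("password ") and not sub.startswith("password 7 "):
            findings.append(f"{current}: cleartext line password")
        if current and sub == "transport input all":
            findings.append(f"{current}: transport input all admits telnet; prefer transport input ssh")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

The per-host key rule matters for the third-switch problem in the key thread: a host line that carries its own key ignores the global `tacacs-server key`, so two switches with identical-looking configs can still present different secrets to the ACS.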

  • Rack mounting brackets for Cisco switch SF300-48P?

    Does anyone know how to get rack mounting brackets for the Cisco switch SF300-48P?

    You might be able to get them through Cisco support. Check this thread: https://supportforums.cisco.com/discussion/11201291/sf-300-series-rack-mount-brackets

  • Has anyone developed an EM plug-in for Cisco switches or routers

    Folks,
    Has anyone developed an EM plug-in for Cisco switches or routers? Please reply to this thread if you have developed one and would like to share your experience in developing this plug-in.
    Thanks,

    It's probably not the conversion from CMYK to RGB that's causing the problem, but color profile (ICC) embedding in Photoshop. Fireworks doesn't read color profiles. You might be able to create an action to remove the color profile in Photoshop and then batch process the images with it.

  • What's "SAVE" configuration command for Cisco switch/ router?

    What's the "SAVE" configuration command for a Cisco switch/router? I know Switch#copy running-config startup-config works well,
    but it's so long; is there any other command that is easy to remember?

    Yes, here: Switch#write. If you want to know more about Cisco switches, please visit: http://www.3anetwork.com/cisco-switches-price_c1

  • Configure Domain Controller ( PDC emulator) as NTP source for Cisco switch 6509

    Hi All,
    My org consists of 2 DCs, one physical and one virtual. All roles are on the physical machine. I ran a W32tm /Query /Configuration command on the PDC emulator and the results are confusing. My PDC is using the time source VMICTimeProvider, as you can see below.
    VMICTimeProvider (Local)
    DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
    Enabled: 1 (Local)
    InputProvider: 1 (Local)
    My first question is: is it OK for the PDC emulator to use this time source, or should I change to some other source like pool.ntp.org or time.windows.com,0x1?
    My second question is: I have a core switch, a Cisco 6509, and I want this switch to use my NTP server (PDC emulator) as its NTP source, but at present I cannot, as I am getting this error on the switch: (no select intersectionTP )
    Can anyone help... It is urgent.
    Thanks in Advance
    EagleAsh

    You should not make your DCs sync their time with your hypervisor. This usually ends with time synchronization problems, so I would recommend disabling that on your DCs and domain-joined VMs and using an external NTP server to sync time on your PDC, while using
    your AD forest topology for time sync on the other DCs and domain-joined computers.
    I have already started a Wiki article that describes how to configure time sync in an AD domain, and you might consider using the GPO configuration option that is stated there: http://social.technet.microsoft.com/wiki/contents/articles/18573.time-synchronization-in-active-directory-forests.aspx
    For the Cisco switch, I would recommend asking in the Cisco forums.

  • Virtual IP for two redundant PCs in Cisco Switch

    Hi Team,
    We have redundant computers connected to a switch. There is a third system also connected to the switch.
    We want the two redundant PCs' Ethernet to look like one to the third system. We want a virtual IP for the third system to get connected to either one of the two PCs.
    We have a Cisco Small Business switch. Is it possible in this switch to create a virtual IP for redundancy?
    Which Cisco switch supports this functionality?
    Attached is the diagram of the setup.

    Hi,
    That is not possible with just a switch. You need some sort of load balancer in front of the switch with a virtual IP (VIP). So when a packet comes from SCATA to PC1 and PC1 is not available, it will send it to PC2. A10 makes pretty good load balancers.
    http://www.a10networks.com/
    Is that what you are trying to do?
    HTH

  • Firewall Ports Required for NAC manager to manage/add Cisco switch

    Hi,
    I am trying to add Cisco switches to the NAM; however, I am not able to add the switch, as I am getting the error "unable to control switch". I have tried opening ports 161-162 on the firewall; if I allow any traffic between the NAM and the switch, the Cisco NAM is able to add/manage the switch.
    Not sure what other ports may be required for the Cisco NAM to manage the switch?
    Thanks.

    Hi,
    AFAIK, only UDP ports 161-162 for the SNMP communication need to be open.
    Please make sure you have configured the correct port on the switch:
    (config)# snmp-server host 172.16.1.61 traps version 2c cam_v2 udp-port 162 mac-notification snmp
    If it is still not working, I would check the logs on the firewall for any blocked traffic between the CAM and the switch.
    HTH,
    Tiago

  • Refurbished Cisco Switches, worth it for home lab?

    Robert5205 wrote:
    Cablesandkits.com has some great prices on old Cisco gear. This week they have a 3560 PoE 48-port switch for $150.
    Yes, it is absolutely worth it to have real hardware in your hands. Packet tracing is fine, but it's not real life.
    Yeah, I believe they are being sold by Cablesandkits through Newegg. Any suggestions on which switch or features I should look for? Really I want something that's managed, but beyond that I'm not sure.

    So I've been thinking about getting a decent switch to play around with at home. During my search I found there's a good bit of "refurbished" Cisco switches online and was wondering if they are worth trying out. I figured they are beyond EOL, hence the cheapness; the one I'm looking at is a Cisco 2900 series for like $30. I'm pretty new in IT and working on my Network+ and starting to look into the Cisco certs at the moment, so having an actual Cisco switch would be useful.
    This topic first appeared in the Spiceworks Community
