Monday, March 4, 2019

Struggling with Cisco AAA config.

Hello.

I'm having a hell of a time trying to troubleshoot why one of our switches is misbehaving when trying to apply AAA TACACS+ configuration.

It works on other switches, and I've verified all the ACLs from the switch to the core. On the switch (2960S), I input the test aaa group %GROUP %USERNAME %PASSWORD new-code command and it authenticates successfully.

Immediately after that, I'll input:

aaa new-model
aaa authentication login default group %GROUP local
aaa authentication enable default group %GROUP enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group %GROUP if-authenticated
aaa authorization commands 1 default group %GROUP if-authenticated
aaa authorization commands 15 default group %GROUP if-authenticated
aaa accounting commands 1 default start-stop group %GROUP
aaa accounting commands 15 default start-stop group %GROUP
aaa session-id common

I will immediately try the same test command and I get a User Rejected message. After this I won't even be able to log in to the switch with the local account anymore, and I have to restart the switch.

I've traced the path and verified my ACLs. The switch can ping the TACACS server with the management VLAN set as the source. The only thing I can think of is maybe I need the ip tacacs source-interface %MGMTVLAN command on this switch (even though it's not present in the configs of other properly authenticating switches of the same model and IOS version (12.2)).

I'm waiting for the upcoming maintenance window so I can try again with debugging turned on, and restart the switch all I want - but the source-interface command is the only thing I have in mind to try as a solution so far. I'd appreciate some ideas.
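The two things an operator wants before pushing an AAA block like the one above are a pre-flight check for the usual lockout causes and a way to apply it that undoes itself if the session is lost. The script below is an added example, not the poster's configuration or Cisco tooling: it audits an IOS AAA snippet for a server group that is referenced but never defined, a method list that precedes aaa new-model, a login/enable list without a fallback method, and a missing ip tacacs source-interface, and then lays out a staged apply plan around the real IOS commands reload in, test aaa group and reload cancel. The posted block is embedded as constructed input; the "safer" variant, the address 192.0.2.10, the key placeholder and the interface name Vlan99 are assumptions for illustration.

```python
import re

# Constructed sample input, not copied from a live device: the AAA block from
# the post, one command per line. %GROUP is the poster's own placeholder for
# the TACACS+ server-group name.
POSTED_CONFIG = """\
aaa new-model
aaa authentication login default group %GROUP local
aaa authentication enable default group %GROUP enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group %GROUP if-authenticated
aaa authorization commands 1 default group %GROUP if-authenticated
aaa authorization commands 15 default group %GROUP if-authenticated
aaa accounting commands 1 default start-stop group %GROUP
aaa accounting commands 15 default start-stop group %GROUP
aaa session-id common
"""

# Constructed variant with the pieces the audit looks for: server and group
# defined before any method list names them, and the source interface pinned.
# 192.0.2.10 (documentation range), the key and Vlan99 are assumed values.
SAFER_CONFIG = """\
aaa new-model
tacacs-server host 192.0.2.10
tacacs-server key PLACEHOLDER-KEY
aaa group server tacacs+ %GROUP
 server 192.0.2.10
ip tacacs source-interface Vlan99
aaa authentication login default group %GROUP local
aaa authentication enable default group %GROUP enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group %GROUP if-authenticated
aaa authorization commands 1 default group %GROUP if-authenticated
aaa authorization commands 15 default group %GROUP if-authenticated
aaa accounting commands 1 default start-stop group %GROUP
aaa accounting commands 15 default start-stop group %GROUP
aaa session-id common
"""

METHOD_LIST = re.compile(r"^aaa (?:authentication|authorization|accounting) ")
AUTHN = re.compile(r"^aaa authentication (login|enable) \S+ (.+)$")
GROUP_DEF = re.compile(r"^aaa group server (?:tacacs\+|radius) (\S+)")
GROUP_REF = re.compile(r"\bgroup (\S+)")
BUILTIN_GROUPS = {"tacacs+", "radius"}
# Methods IOS falls through to only when every server in the group is
# unreachable or errors out. An explicit reject from the server is final:
# IOS does not try the next method, so "local" rescues a missing answer,
# not a bad one.
FALLBACK = {"login": {"local", "local-case", "line", "enable", "none"},
            "enable": {"enable", "line", "none"}}


def _lines(config_text):
    return [l.rstrip() for l in config_text.splitlines() if l.strip()]


def audit_aaa(config_text):
    """Return lockout-risk findings (strings) for an IOS AAA snippet."""
    lines = _lines(config_text)
    findings = []
    defined = {}  # group name -> index of its "aaa group server" line
    for i, line in enumerate(lines):
        m = GROUP_DEF.match(line)
        if m:
            defined[m.group(1)] = i
    new_model = lines.index("aaa new-model") if "aaa new-model" in lines else None
    if new_model is None:
        findings.append("aaa new-model is absent; method lists have no effect")
    for i, line in enumerate(lines):
        if not METHOD_LIST.match(line):
            continue
        if new_model is not None and i < new_model:
            findings.append(f"line {i + 1}: method list precedes aaa new-model")
        for name in GROUP_REF.findall(line):
            if name in BUILTIN_GROUPS:
                continue
            if name not in defined:
                findings.append(f"line {i + 1}: server group {name} is not defined in this snippet")
            elif defined[name] > i:
                findings.append(f"line {i + 1}: server group {name} is defined only on line {defined[name] + 1}")
        m = AUTHN.match(line)
        if m and m.group(2).split()[-1] not in FALLBACK[m.group(1)]:
            findings.append(f"line {i + 1}: {m.group(1)} list has no fallback method")
    if not any(l.startswith("ip tacacs source-interface") for l in lines):
        findings.append("ip tacacs source-interface not set; requests leave from the "
                        "egress interface address, which the server's client entry "
                        "and path ACLs must permit")
    return findings


def guarded_apply(config_text, group, minutes=10):
    """Staged command plan: the timed reload reverts an unsaved change if the
    operator is locked out. Run 'commit' only after 'verify' succeeds and a
    fresh session can still log in."""
    return {
        "arm": [f"reload in {minutes}"],
        "apply": ["configure terminal"] + _lines(config_text) + ["end"],
        "verify": [f"test aaa group {group} %USERNAME %PASSWORD new-code"],
        "commit": ["copy running-config startup-config", "reload cancel"],
    }


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("safer", SAFER_CONFIG)):
        print(label, audit_aaa(cfg) or "no findings")
    print(guarded_apply(SAFER_CONFIG, "%GROUP"))
```

Run against the posted block the audit reports that %GROUP is never defined in the snippet (it may well be defined elsewhere on the box, which is why the check says "in this snippet") and that no source interface is pinned; the safer variant comes back clean. The plan's "arm" stage is the part worth adopting even when the audit is clean: with reload in armed and the new config unsaved, a lockout costs a ten-minute wait instead of a trip to the console.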
