krock83

join:2010-03-02

[HELP] Can't get TACACS up and running on a switch

Hello all. I am stuck during my TACACS implementation. I have successfully upgraded some 460 routers and switches to use TACACS except for one switch out there that is refusing to use the service. It is a 2960 POE switch running

System image file is "flash:/c2960-lanlitek9-mz.122-50.SE4/c2960-lanlitek9-mz.122-50.SE4.bin"
 

I can execute all the commands just fine, no error messages, but when all is done and I log out I can't log in using the TACACS credentials; instead I can use the local database username and password to get in. I have also noticed that after I paste all my necessary commands for TACACS I don't see the vty lines at the bottom of the sh running-config printout.

TACACS commands:

aaa new-model
 
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa accounting exec default start-stop group tacacs+
 
ip tacacs source-interface Vlan172
 
tacacs-server host 10.251.0.223
tacacs-server host 10.251.0.224
tacacs-server timeout 1
tacacs-server directed-request
tacacs-server key PASSWORD
 
line vty 0 4
login authentication default
 

Switch config:

OAK-SW01#sh run
Building configuration...
 
Current configuration : 8721 bytes
!
! Last configuration change at 11:44:33 PDT Wed Aug 15 2012 by 
! NVRAM config last updated at 11:42:39 PDT Wed Aug 15 2012 by 
!
version 12.2
no service pad
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
!
hostname OAK-SW01
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$KXqr$5MNqDO4eqAPVM867890ccvdfvfdSi1.zWI.
!
username user1111111 privilege 15 secret 5 $1$RDGg$zjcmAiWl1odfghjukewfXZqq9v7MHSB0
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa accounting exec default start-stop group tacacs+
!
!
!
aaa session-id common
clock timezone PST -8
clock summer-time PDT recurring
system mtu routing 1500
ip subnet-zero
!
!
no ip domain-lookup
!
!
crypto pki trustpoint HTTPS_SS_CERT_KEYPAIR
 enrollment selfsigned
 serial-number
 revocation-check none
 rsakeypair HTTPS_SS_CERT_KEYPAIR
!
!
crypto pki certificate chain HTTPS_SS_CERT_KEYPAIR
 certificate self-signed 01
  quit
!
!         
!
!
!
errdisable recovery interval 120
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
interface Port-channel1
 switchport mode trunk
!
interface Port-channel2
 switchport mode trunk
!
interface FastEthernet0/1
 switchport access vlan 172
 switchport voice vlan 20
 spanning-tree portfast
!
interface FastEthernet0/2
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/3
 switchport access vlan 172
 switchport voice vlan 20
 spanning-tree portfast
!
interface FastEthernet0/4
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/5
 switchport access vlan 172
 switchport voice vlan 21
 spanning-tree portfast
!
interface FastEthernet0/6
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/7
 switchport access vlan 172
 switchport voice vlan 21
 spanning-tree portfast
!
interface FastEthernet0/8
 switchport access vlan 20
 spanning-tree portfast
!
interface FastEthernet0/9
 switchport access vlan 172
 switchport voice vlan 20
 spanning-tree portfast
!
interface FastEthernet0/10
 switchport access vlan 172
 switchport mode access
 switchport voice vlan 21
 spanning-tree portfast
!
interface FastEthernet0/11
 switchport access vlan 172
 switchport voice vlan 20
 spanning-tree portfast
!
interface FastEthernet0/12
 description TUUSOAKDMC0001
 switchport access vlan 172
 speed 100
 duplex full
 spanning-tree portfast
!
interface FastEthernet0/13
 switchport access vlan 172
 switchport voice vlan 21
 spanning-tree portfast
!
interface FastEthernet0/14
 description OAK-VG01-Gi0/2
 switchport access vlan 172
 spanning-tree portfast
!
interface FastEthernet0/15
 switchport access vlan 172
 switchport voice vlan 20
 spanning-tree portfast
!
interface FastEthernet0/16
 description OAK-VG02-Gi0/2
 switchport access vlan 172
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/17
!
interface FastEthernet0/18
 description VG01-Gi0/1
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/19
!
interface FastEthernet0/20
 description VG02-Gi0/1
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/21
!
interface FastEthernet0/22
 description VG01-Gi0/0
 switchport access vlan 21
 spanning-tree portfast
!
interface FastEthernet0/23
!
interface FastEthernet0/24
 description VG02-Gi0/0
 switchport access vlan 21
 spanning-tree portfast
!
interface FastEthernet0/25
 switchport access vlan 172
 switchport voice vlan 21
 spanning-tree portfast
!
interface FastEthernet0/26
 switchport access vlan 172
 switchport voice vlan 21
 spanning-tree portfast
!
interface FastEthernet0/27
 switchport access vlan 172
 switchport voice vlan 21
 spanning-tree portfast
!
interface FastEthernet0/28
 switchport access vlan 172
 switchport voice vlan 20
 spanning-tree portfast
!
interface FastEthernet0/29
 switchport access vlan 172
 switchport voice vlan 21
 spanning-tree portfast
!
interface FastEthernet0/30
 switchport access vlan 172
 switchport voice vlan 21
 spanning-tree portfast
!
interface FastEthernet0/31
 switchport access vlan 172
 switchport voice vlan 21
 spanning-tree portfast
!
interface FastEthernet0/32
 switchport access vlan 172
 switchport voice vlan 21
 spanning-tree portfast
!
interface FastEthernet0/33
 switchport access vlan 172
 switchport voice vlan 21
 spanning-tree portfast
!
interface FastEthernet0/34
 switchport access vlan 172
 switchport voice vlan 20
 spanning-tree portfast
!
interface FastEthernet0/35
 switchport access vlan 172
 switchport voice vlan 21
 spanning-tree portfast
!
interface FastEthernet0/36
 switchport access vlan 172
 switchport voice vlan 20
 spanning-tree portfast
!
interface FastEthernet0/37
 switchport access vlan 172
 switchport voice vlan 21
 spanning-tree portfast
!
interface FastEthernet0/38
 switchport access vlan 172
 switchport voice vlan 20
 spanning-tree portfast
!
interface FastEthernet0/39
 switchport access vlan 172
 switchport voice vlan 21
 spanning-tree portfast
!
interface FastEthernet0/40
 switchport access vlan 172
 switchport voice vlan 20
 spanning-tree portfast
!
interface FastEthernet0/41
 switchport access vlan 172
 switchport voice vlan 21
 spanning-tree portfast
!
interface FastEthernet0/42
 switchport access vlan 172
 switchport voice vlan 21
 spanning-tree portfast
!
interface FastEthernet0/43
 switchport access vlan 172
 switchport voice vlan 21
 spanning-tree portfast
!
interface FastEthernet0/44
 switchport access vlan 172
 switchport voice vlan 20
 spanning-tree portfast
!
interface FastEthernet0/45
 switchport access vlan 172
 switchport voice vlan 21
 spanning-tree portfast
!
interface FastEthernet0/46
 description Security-Box
 switchport access vlan 172
 no cdp enable
 spanning-tree portfast
!
interface FastEthernet0/47
 switchport access vlan 172
 switchport voice vlan 20
 spanning-tree portfast
!
interface FastEthernet0/48
 description CORP-ROUTER
 switchport access vlan 172
 switchport trunk native vlan 172
 switchport mode trunk
 duplex full
 spanning-tree portfast
!
interface GigabitEthernet0/1
 switchport mode trunk
 channel-group 1 mode on
!
interface GigabitEthernet0/2
 switchport mode trunk
 channel-group 1 mode on
!
interface GigabitEthernet0/3
 switchport mode trunk
 channel-group 2 mode on
!
interface GigabitEthernet0/4
 switchport mode trunk
 channel-group 2 mode on
!
interface Vlan1
 no ip address
 no ip route-cache
!
interface Vlan10
 no ip address
 no ip route-cache
!
interface Vlan11
 no ip address
 no ip route-cache
!
interface Vlan100
 no ip address
 no ip route-cache
!
interface Vlan172
 ip address 10.250.1.9 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.250.1.1
no ip http server
no ip http secure-server
ip tacacs source-interface Vlan172
tacacs-server host 10.251.0.223
tacacs-server host 10.251.0.224
tacacs-server timeout 1
tacacs-server directed-request
tacacs-server key 7 0980DF0DSFSDSD8S0DSD0SD0SDS0DSPJLDLSD
!
control-plane
!
!
line con 0
line vty 5 15
!
ntp clock-period 36028767
ntp server 69.50.219.51
ntp server 216.129.110.22 prefer
end
 
OAK-SW01#ping 10.251.0.223
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.251.0.223, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 50/53/67 ms
OAK-SW01#
 

The router that this switch is uplinked to works just fine... Also some 240 other switches of the same model are working fine as well.

Any suggestions?
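As an added example, not part of the original post or anything the poster ran: a small Python audit of the AAA/TACACS+ statements in an IOS running config, fed a constructed excerpt modelled on the config above. It extracts the login method lists, the servers, the IP of the configured source interface (the address the server must recognise) and the vty numbers that never appear in the config, and warns on a short server timeout. The vty count of 16 and the timeout threshold are assumptions.

```python
import re

# Constructed excerpt modelled on the running config posted above (not a live device).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
interface Vlan172
 ip address 10.250.1.9 255.255.255.0
!
ip tacacs source-interface Vlan172
tacacs-server host 10.251.0.223
tacacs-server host 10.251.0.224
tacacs-server timeout 1
line con 0
line vty 5 15
"""

def audit_tacacs(config, vty_count=16):
    """Summarise the AAA/TACACS+ state of an IOS config and flag gaps to check."""
    report = {"new_model": False, "login_lists": {}, "servers": [],
              "source_ip": None, "vty_missing": [], "warnings": []}
    iface_ip, src_if, section, covered = {}, None, "", set()
    for line in config.splitlines():
        if not line.startswith(" "):        # an unindented command opens a new section
            section = line
        if line == "aaa new-model":
            report["new_model"] = True
        elif m := re.match(r"aaa authentication login (\S+) (.+)", line):
            report["login_lists"][m[1]] = m[2].split()
        elif m := re.match(r"tacacs-server host (\S+)", line):
            report["servers"].append(m[1])
        elif m := re.match(r"tacacs-server timeout (\d+)", line):
            if int(m[1]) < 5:               # threshold is a heuristic, not an IOS rule
                report["warnings"].append(f"timeout {m[1]}s: a slow reply counts as a "
                                          "server failure and login falls through to local")
        elif m := re.match(r"ip tacacs source-interface (\S+)", line):
            src_if = m[1]
        elif m := re.match(r"line vty (\d+) (\d+)", line):
            covered.update(range(int(m[1]), int(m[2]) + 1))
        elif section.startswith("interface ") and (m := re.match(r" ip address (\S+) ", line)):
            iface_ip[section.split()[1]] = m[1]
    report["source_ip"] = iface_ip.get(src_if)   # the address the server must recognise
    if src_if and report["source_ip"] is None:
        report["warnings"].append(f"source interface {src_if} has no IP address")
    # Under aaa new-model every line uses the 'default' login list unless another is applied,
    # so vty lines absent from the config still deserve a look with 'show line'.
    report["vty_missing"] = [n for n in range(vty_count) if n not in covered]
    if "tacacs+" not in report["login_lists"].get("default", []):
        report["warnings"].append("default login list does not use TACACS+")
    return report
```

Run `audit_tacacs(SAMPLE_CONFIG)` to get the report as a dict; on the sample it lists vty 0 through 4 as missing and warns about the 1 second timeout.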

aryoba
Premium,MVM
join:2002-08-22
kudos:4
Did you check the TACACS+ server to authenticate against the 10.250.1.9 IP address as the switch TACACS+ source interface IP?

krock83

join:2010-03-02
reply to krock83
I see nothing in the logs for that subnet on the TACACS+ server; it is like it's not even asking for it. I can ping back and forth with no issues, but can't get it to authenticate.

aryoba
Premium,MVM
join:2002-08-22
kudos:4
reply to krock83
said by krock83:

interface FastEthernet0/48
description CORP-ROUTER
switchport access vlan 172
switchport trunk native vlan 172
switchport mode trunk
duplex full
spanning-tree portfast
!

It is not a good idea to have Spanning Tree PortFast enabled on a switch trunk port since it may create issues.

krock83

join:2010-03-02
reply to krock83
You are absolutely right... and I did not set this up; I will have to write this up to management to get that taken off...

aryoba
Premium,MVM
join:2002-08-22
kudos:4
reply to krock83
said by krock83:

I see nothing in the logs for that subnet on the TACACS+ server; it is like it's not even asking for it. I can ping back and forth with no issues, but can't get it to authenticate.

Make sure that the TACACS+ server is configured to look for the 10.250.1.9 IP address as the switch TACACS+ source interface IP.

krock83

join:2010-03-02
reply to krock83
TACACS is configured for the whole 10.250.0.0/18 range. This is very weird; I don't have an explanation for this.

aryoba
Premium,MVM
join:2002-08-22
kudos:4
reply to krock83
You can try to telnet from the switch using 10.250.1.9 as the source to the TACACS+ server on TCP port 49 and see if it goes through. Some tcpdump on both sides (switch and server) will be helpful for better visibility.
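To make the suggested packet capture useful, here is an added Python example (not from the thread or any vendor tool) that decodes the 12-byte TACACS+ header from RFC 8907 that starts every packet on TCP/49, groups a capture by session ID and reports sessions where the switch's request never got a server reply, plus packets sent with the unencrypted flag. The capture bytes are constructed inline; in practice they would come from the TCP payloads of the tcpdump on each side.

```python
import struct

# TACACS+ header constants from RFC 8907 section 4.1.
TYPES = {1: "AUTHEN", 2: "AUTHOR", 3: "ACCT"}
UNENCRYPTED_FLAG, SINGLE_CONNECT_FLAG = 0x01, 0x04

def parse_header(data):
    """Decode the 12-byte header that starts every TACACS+ packet on TCP/49."""
    if len(data) < 12:
        raise ValueError("packet shorter than the TACACS+ header")
    ver, ptype, seq, flags, session, length = struct.unpack("!BBBBII", data[:12])
    return {"major": ver >> 4, "minor": ver & 0xF,
            "type": TYPES.get(ptype, f"unknown({ptype})"), "seq": seq,
            # odd sequence numbers come from the client, even ones from the server
            "direction": "switch->server" if seq % 2 else "server->switch",
            "unencrypted": bool(flags & UNENCRYPTED_FLAG),
            "single_connect": bool(flags & SINGLE_CONNECT_FLAG),
            "session_id": session, "body_len": length,
            "truncated": len(data) - 12 < length}

def build(ptype, seq, flags, session, body):
    """Assemble a packet with major version 0xC, minor 0 (used to construct samples)."""
    return struct.pack("!BBBBII", 0xC0, ptype, seq, flags, session, len(body)) + body

# Constructed sample capture: session A gets an authentication REPLY, session B never does.
SAMPLE_CAPTURE = [
    build(1, 1, 0, 0x1234ABCD, b"\x00" * 24),   # switch: authen START
    build(1, 2, 0, 0x1234ABCD, b"\x00" * 6),    # server: authen REPLY
    build(1, 1, 0, 0x0BADF00D, b"\x00" * 24),   # switch: START with no answer
]

def summarise(packets):
    """Group a capture by session and flag what a defender should look at."""
    sessions, issues = {}, []
    for pkt in packets:
        h = parse_header(pkt)
        if h["major"] != 0xC:
            issues.append(f"session {h['session_id']:#x}: unexpected major version {h['major']}")
        if h["unencrypted"]:
            issues.append(f"session {h['session_id']:#x}: body is not obfuscated (no shared key)")
        if h["truncated"]:
            issues.append(f"session {h['session_id']:#x}: body shorter than header length")
        sessions.setdefault(h["session_id"], []).append((h["seq"], h["type"], h["direction"]))
    # a session whose last packet has an odd seq is still waiting on the server
    unanswered = [s for s, msgs in sessions.items() if msgs[-1][0] % 2 == 1]
    return {"sessions": sessions, "unanswered": unanswered, "issues": issues}
```

If the switch-side capture shows no packets at all for the login attempt, the problem is on the switch before anything reaches the wire; if the switch sends a START that the server-side capture never shows, look at the path in between.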