After configuring tacacs cannot access to cli
Gngogh
Member Posts: 165
After configuring Tacacs+ cannot access through tacacs or telnet:
!
aaa new-model
!
!
aaa group server tacacs+ TACACS+CG
server [server ip address]
server [server ip address]
!
aaa authentication login default group TACACS+CG enable
aaa authentication enable default group TACACS+CG enable
aaa authorization exec default group TACACS+CG if-authenticated
aaa authorization commands 0 default group TACACS+CG if-authenticated
aaa authorization commands 1 default group TACACS+CG if-authenticated
aaa authorization commands 15 default group TACACS+CG if-authenticated
!
aaa session-id common
!
tacacs-server host [server ip address] timeout 3 key 7 [key]
tacacs-server host [server ip address] timeout 3 key 7 [key]
!
What am I doing wrong? Help is appreciated.
Comments
Hondabuff Member Posts: 667
I run my production network like this. I would probably not use the if-authenticated because if you cannot reach the ACS server then you get locked out. I use 2 privilege levels on my ACS: 7 and 15. 7 is for the NOC users and they only have a few show commands. Under my vty lines I use the R1(config-line)#authorization exec default. Once you test by ssh or telnet, the "P" in password will be lower case if Tacacs is working and capital P if it is not.
password: vs Password:
!
aaa new-model
!
!
aaa authentication login default group tacacs+ line
aaa authorization exec default group tacacs+ local none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
tacacs-server host 192.168.1.5 key Cisco123!
“The problem with quotes on the Internet is that you can’t always be sure of their authenticity.” ~Abraham Lincoln
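
Added example (not part of either post): a small Python audit that reads the `aaa authentication` and `aaa authorization` method lists from the two configurations in this thread and reports what each list falls back to when no TACACS+ server answers. The function names and the wording of the notes are assumptions made for this illustration.

```python
import re

# Constructed sample: AAA lines taken from the two configurations in this thread.
QUESTION_CFG = """\
aaa authentication login default group TACACS+CG enable
aaa authentication enable default group TACACS+CG enable
aaa authorization exec default group TACACS+CG if-authenticated
aaa authorization commands 15 default group TACACS+CG if-authenticated
"""
REPLY_CFG = """\
aaa authentication login default group tacacs+ line
aaa authorization exec default group tacacs+ local none
aaa accounting exec default start-stop group tacacs+
"""

LINE_RE = re.compile(
    r"^aaa (authentication|authorization) (login|enable|exec|commands \d+) (\S+) (.+)$")

def parse_methods(text):
    """Split a method string into ordered methods; 'group X' counts as one method."""
    words, out = text.split(), []
    while words:
        w = words.pop(0)
        out.append(f"group {words.pop(0)}" if w == "group" and words else w)
    return out

def audit(config):
    """Return one record per authentication/authorization method list."""
    records = []
    for line in config.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # accounting and non-AAA lines do not decide access
        kind, service, name, rest = m.groups()
        methods = parse_methods(rest)
        # IOS moves to the next method only when the previous one returns an
        # error (for example no server answers), not when it rejects the user.
        fallback = [x for x in methods if not x.startswith("group ")]
        notes = []
        if not fallback:
            notes.append("no fallback: unreachable servers lock out this service")
        if methods[-1] == "none":
            notes.append("ends in 'none': access granted unchecked if earlier methods error")
        records.append({"list": f"{kind} {service} {name}", "fallback": fallback, "notes": notes})
    return records

if __name__ == "__main__":
    for cfg in (QUESTION_CFG, REPLY_CFG):
        for r in audit(cfg):
            print(r["list"], "->", r["fallback"] or "-", "|", "; ".join(r["notes"]) or "ok")
```

A fallback such as `enable`, `line` or `local` only helps if the matching enable secret, line password or local user is actually configured on the device, which this script does not check.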