TACACS+ not working on switch

  • Problem
  • Updated 8 months ago
  • Not a Problem
Hello, community!
Sorry for my English.
I have several Extreme Summit x440-24x-10G switches. They are installed in the network at the core and aggregation level.
Recently I was required to set up TACACS+ authorization and accounting.
All switches have ExtremeXOS version 15.5.3.4 v1553b4 installed.
The configuration is identical everywhere (IPs and names are different :))

Commands to configure tacacs:
configure tacacs primary server xxx.yyy.zzz.hh 49 client-ip [sw_ip] vr VR-Default
configure tacacs primary shared-secret **********
configure tacacs secondary server xxx.yyy.zzz.h2 49 client-ip [sw_ip] vr VR-Default
configure tacacs secondary shared-secret ***********
configure tacacs timeout 30

configure tacacs-accounting primary server xxx.yyy.zzz.hh 49 client-ip [sw_ip] vr VR-Default
configure tacacs-accounting primary shared-secret ***********
configure tacacs-accounting secondary server xxx.yyy.zzz.h2 49 client-ip [sw_ip] vr VR-Default
configure tacacs-accounting secondary shared-secret ************
configure tacacs-accounting timeout 30

enable tacacs
enable tacacs-accounting

I have the following problem: on the aggregation switches TACACS authorization works, but tacacs-accounting does not work - the entered commands are not saved on the server, but the tacacs-accounting counter increases. On the core switches TACACS authorization started working on only one; on the other two core switches authorization doesn't work (and neither does accounting) - when I connect to the switch through telnet, it prompts for a login, I enter the login and TACACS password - it waits for some time and says that the login is incorrect.

In the logs I see the following:

16:53:11.80 <Warn:AAA.authFail> Login failed for user "tacacs_user" through telnet (ip comp)
16:53:11.79 <Erro:AAA.TACACS.goLocal> Failed to send authentication to xxx.yyy.zzz.hh trying local.
16:53:11.79 <Erro:AAA.TACACS.sockwriteError> Error writing to remote host xxx.yyy.zzz.hh error=-1
16:52:41.76 <Warn:AAA.TACACS.swapHost> Swap host to xxx.yyy.zzz.hh
16:52:41.76 <Erro:AAA.TACACS.sockwriteError> Error writing to remote host xxx.yyy.zzz.h2 error=-1
Diagnostics: ping to the TACACS servers shows no loss, and traceroute to the TACACS server is identical from working and non-working switches. There are no errors - I checked several times and compared the configuration of a working and a non-working switch.
Andrey Bakhteev

Posted 1 year ago
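
The log sequence quoted in the post above (write errors to both TACACS+ servers, then a fall-back to local authentication and a failed login) can be picked out of a log export automatically. The following is an added example, not code from the poster or from Extreme; it assumes the message formats exactly as quoted in the post and a newest-first listing, and the function names are hypothetical.

```python
import re

# Log lines as quoted in the post above, one entry per line, newest first
# (addresses are masked in the post; they are kept as-is here).
SAMPLE_LOG = """\
16:53:11.80 <Warn:AAA.authFail> Login failed for user "tacacs_user" through telnet (ip comp)
16:53:11.79 <Erro:AAA.TACACS.goLocal> Failed to send authentication to xxx.yyy.zzz.hh trying local.
16:53:11.79 <Erro:AAA.TACACS.sockwriteError> Error writing to remote host xxx.yyy.zzz.hh error=-1
16:52:41.76 <Warn:AAA.TACACS.swapHost> Swap host to xxx.yyy.zzz.hh
16:52:41.76 <Erro:AAA.TACACS.sockwriteError> Error writing to remote host xxx.yyy.zzz.h2 error=-1
"""

LINE_RE = re.compile(r"(\d\d):(\d\d):(\d\d)\.(\d\d) <(\w+):([\w.]+)> (.*)")
HOST_RE = re.compile(r"remote host (\S+)")
USER_RE = re.compile(r'user "([^"]+)"')

def parse(text):
    """Return events oldest first; 't' is centiseconds since midnight."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            h, mi, s, cs = map(int, m.groups()[:4])
            events.append({"t": ((h * 60 + mi) * 60 + s) * 100 + cs,
                           "event": m[6], "msg": m[7]})
    return events[::-1]  # assumption: input is newest first, as in the post

def fallback_episodes(events, window_cs=500):
    """One record per fall-back to local auth: failed servers, delay, affected login."""
    episodes, servers, first_err = [], [], None
    for i, ev in enumerate(events):
        if ev["event"] == "AAA.TACACS.sockwriteError":
            host = HOST_RE.search(ev["msg"])
            if host and host[1] not in servers:
                servers.append(host[1])
            if first_err is None:
                first_err = ev["t"]
        elif ev["event"] == "AAA.TACACS.goLocal":
            # First login failure logged within window_cs after the fall-back.
            fails = (n for n in events[i + 1:]
                     if n["event"] == "AAA.authFail" and n["t"] - ev["t"] <= window_cs)
            found = USER_RE.search(next(fails, {"msg": ""})["msg"])
            delay = None if first_err is None else (ev["t"] - first_err) / 100
            episodes.append({"servers": servers, "delay_s": delay,
                             "user": found[1] if found else None})
            servers, first_err = [], None
    return episodes

if __name__ == "__main__":
    print(fallback_episodes(parse(SAMPLE_LOG)))
```

On the quoted lines this reports both servers as failed and a delay of 30.03 seconds between the first write error and the fall-back to local authentication, which is close to the "configure tacacs timeout 30" value in the posted configuration.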

Drew C., Community Manager

Hi Andrey,
What TACACS+ server software are you using?
Does anybody here know which EXOS versions DO support TACACS and which ones DON'T?
Any datasheet or config guide?

Regards
Drew C., Community Manager

TACACS+ has been supported for many years on EXOS (and still is).