03-10-2023 01:29 AM
We configured TACACS on an Extreme switch, but you can also still log in with a local account.
My configuration is:
configure tacacs primary server 172.16.11.52 49 client-ip 172.16.0.10 vr VR-Default
configure tacacs primary shared-secret encrypted "#$H4H5oLIn4H+TRgtYrxiHVtFwGtljZw=="
configure tacacs-accounting primary server 172.16.11.52 49 client-ip 172.16.0.10 vr VR-Default
configure tacacs-accounting primary shared-secret encrypted "#$hp08PEW0oz0kZBjQaP0bHYqBdCcqSg=="
enable tacacs
configure tacacs timeout 60
enable tacacs-accounting
enable tacacs-authorization
configure tacacs fallback disallow
configure tacacs priv-lvl required
create account admin cisco encrypted "$5$sRVgQN$aL8UAzkEwMLmGPy82v1On6QLuvBeKdjVQGCRsUmcjq3"
03-10-2023 07:49 AM
Hello!
Generally this issue is due to the TACACS+ server not replying with a 'fail' or 'accept' message. It is probably sending something else in response, leading the switch to think that the server is not working; therefore, it falls back to local authentication.
These articles may be helpful:
https://extremeportal.force.com/ExtrArticleDetail?an=000093509
https://extremeportal.force.com/ExtrArticleDetail?an=000082285
You may also need to collect a PCAP of the TACACS+ exchange, decode it with Wireshark, and see what the TACACS+ server is replying with. If it is not a 'Fail' or 'Accept', that would be the issue.
Hope that helps!
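To check the server's answer without loading the shared secret into Wireshark, the reply status can be read straight from a captured TACACS+ packet: the script below (an added example, not from either poster or from Extreme) implements the RFC 8907 MD5 pseudo-pad de-obfuscation, parses an authentication REPLY, and classifies the status as a final PASS/FAIL, a normal GETUSER/GETPASS prompt, or something else worth investigating. The packet and key it decodes are constructed inline for the demo, not taken from the capture.

```python
import hashlib
import struct

# TACACS+ packet types and authentication REPLY status codes (RFC 8907).
TYPE_AUTHEN = 0x01
FLAG_UNENCRYPTED = 0x01
REPLY_STATUS = {0x01: "PASS", 0x02: "FAIL", 0x03: "GETDATA", 0x04: "GETUSER",
                0x05: "GETPASS", 0x06: "RESTART", 0x07: "ERROR", 0x21: "FOLLOW"}

def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 keystream from RFC 8907 section 4.5; XOR with it obfuscates and de-obfuscates a body."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def decode_authen_reply(packet, key):
    """Parse the 12-byte header, de-obfuscate the body, return (status name, server_msg)."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    if ptype != TYPE_AUTHEN or seq_no % 2 != 0:
        raise ValueError("not an authentication REPLY (server packets carry an even seq_no)")
    body = packet[12:12 + length]
    if len(body) != length:
        raise ValueError("truncated body")
    if not flags & FLAG_UNENCRYPTED:
        pad = pseudo_pad(session_id, key, version, seq_no, length)
        body = bytes(b ^ p for b, p in zip(body, pad))
    status, _rflags, msg_len, _data_len = struct.unpack("!BBHH", body[:6])
    server_msg = body[6:6 + msg_len].decode("ascii", "replace")
    return REPLY_STATUS.get(status, "UNKNOWN(0x%02x)" % status), server_msg

def build_authen_reply(session_id, seq_no, status, server_msg, key):
    """Constructed test packet: an obfuscated REPLY so the parser runs without a real capture."""
    version = 0xC0  # major version 0xC, minor version 0
    body = struct.pack("!BBHH", status, 0, len(server_msg), 0) + server_msg
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    body = bytes(b ^ p for b, p in zip(body, pad))
    return struct.pack("!BBBBII", version, TYPE_AUTHEN, seq_no, 0, session_id, len(body)) + body

def classify(status):
    """PASS/FAIL are final; GETUSER/GETPASS/GETDATA are normal prompts; anything else merits a look."""
    if status in ("PASS", "FAIL"):
        return "definitive"
    if status in ("GETUSER", "GETPASS", "GETDATA"):
        return "prompt"
    return "suspect"

if __name__ == "__main__":
    key = b"example-shared-secret"  # constructed; not the secret from the post
    pkt = build_authen_reply(0x1A2B3C4D, 2, 0x07, b"backend down", key)
    status, msg = decode_authen_reply(pkt, key)
    print(status, classify(status), msg)  # ERROR suspect backend down
```

For a real capture, feed each server-to-switch TCP/49 payload to decode_authen_reply with the switch's plaintext shared secret; a reply that decodes to garbage points at a secret mismatch rather than a server-side status problem.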