Tacacs authorization issue

Willons
Joined: 10 Jan 2021 09:39

Post by Willons »

Hello,

We have an OmniSwitch 6850, software version 6.4.4.551.R01, with aaa configured:
aaa tacacs+-server "ise1" host 10.20.20.3 key ***** port 49 timeout 5
aaa tacacs+-server "ise2" host 10.20.20.4 key ***** port 49 timeout 5
aaa accounting session "ise1" "ise2"
aaa accounting command "ise1" "ise2"
aaa authentication console "ise1" "ise2" "local"
aaa authentication ftp "ise1" "ise2" "local"
aaa authentication http "ise1" "ise2" "local"
aaa authentication ssh "ise1" "ise2" "local"
aaa authentication snmp "local"
no aaa authentication telnet


Our tacacs+ servers are in a distributed deployment pair.
When our primary tacacs+ server “ise1” is down and we try to authorise to the switch over ssh, we get an error message:
Authorization failed. Tacacs server unreachable, please try later

It is strange that the tacacs server in the logs after the login attempt shows us that the authorization was successful.

Our Cisco switches do not have this error.

Also, when we try to log in to the switch, we can see the syslog message: OS6850 SSH(109) Data: [SSH 39] Error sending CliShell-Terminate.

How can we fix an authorization error on a switch? What should we do to log in to the switch when the primary tacacs server is down?