186
Enhancements in Release F.02.02
TACACS+ Authentication for Centralized Control of Switch Access Security
Troubleshooting TACACS+ Operation
All Users Are Locked Out of Access to the Switch. If the switch is functioning properly, but no
username/password pairs result in console or Telnet access to the switch, the problem may be due
to how the TACACS+ server and/or the switch are configured. Use one of the following methods to
recover:
■ Access the TACACS+ server application and adjust or remove the configuration parameters
controlling access to the switch.
■ If the above method does not work, try eliminating configuration changes in the switch that
have not been saved to flash (boot-up configuration) by causing the switch to reboot from
the boot-up configuration (which includes only the configuration changes made prior to the
last
write memory command.) If you did not use write memory to save the authentication
configuration to flash, then pressing the Reset button or cycling the power reboots the switch
with the boot-up configuration.
■ Disconnect the switch from network access to any TACACS+ servers and then log in to the
switch using either Telnet or direct console port access. Because the switch cannot access
a TACACS+ server, it will default to local authentication. You can then use the switch’s local
Operator or Manager username/password pair to log on.
■ As a last resort, use the Clear/Reset button combination to reset the switch to its factory
default boot-up configuration. Taking this step means you will have to reconfigure the switch
to return it to operation in your network.
No Communication Between the Switch and the TACACS+ Server Application. If the
switch can access the server device (that is, it can
ping the server), then a configuration error may be
the problem. Some possibilities include:
■ The server IP address configured with the switch’s tacacs-server host command may not be
correct. (Use the switch’s
show tacacs-server command to list the TACACS+ server IP address.)
■ The encryption key configured in the server does not match the encryption key configured
in the switch (by using the
tacacs-server key command). Verify the key in the server and
compare it to the key configured in the switch. (Use
show tacacs-server to list the key.)
■ The accessible TACACS+ servers are not configured to provide service to the switch.
Access Is Denied Even Though the Username/Password Pair Is Correct. Some reasons for
denial include the following parameters controlled by your TACACS+ server application:
■ The account has expired.
■ The access attempt is through a port that is not allowed for the account.