Cisco MDS 9000 Family Troubleshooting Guide, Release 3.x
OL-9285-05
Chapter 17 Troubleshooting RADIUS and TACACS+
AAA Issues
Verifying TACACS+ Server Groups Using the CLI
To verify or change the TACACS+ server groups using the CLI, follow these steps:
Step 1 Use the show running-config command to view the TACACS+ configuration for the server groups.
    switch# show running-config | begin aaa
    aaa group server radius RadiusGroup
        server 10.1.1.1
        server 10.2.3.4
    aaa group server tacacs TacacsGroup
        server 11.5.4.3
        server 11.6.5.4
Step 2 Use the aaa group server tacacs command to configure the TACACS+ servers that you want in this server group.
Note: CFS does not distribute AAA server groups. You must copy this configuration to all relevant switches in the fabric.
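Because CFS does not distribute AAA server groups, the per-switch copies can drift apart. The following is an added example, not part of the Cisco guide: it parses saved `show running-config | begin aaa` output in the format shown in Step 1 and reports every server group whose server list differs between switches. The switch names and the second capture are constructed, and treating server order as significant is an assumption of this example.

```python
import re

# Constructed captures, one per switch; switch names and the gap on switch-b are made up.
CAPTURES = {
    "switch-a": (
        "aaa group server radius RadiusGroup\n"
        "    server 10.1.1.1\n"
        "    server 10.2.3.4\n"
        "aaa group server tacacs TacacsGroup\n"
        "    server 11.5.4.3\n"
        "    server 11.6.5.4\n"
    ),
    "switch-b": (
        "aaa group server radius RadiusGroup\n"
        "    server 10.1.1.1\n"
        "    server 10.2.3.4\n"
        "aaa group server tacacs TacacsGroup\n"
        "    server 11.5.4.3\n"
    ),
}

GROUP_RE = re.compile(r"^aaa group server (\S+) (\S+)\s*$")
SERVER_RE = re.compile(r"^\s*server (\S+)\s*$")

def parse_groups(config_text):
    """Return {(protocol, group_name): [server, ...]}, keeping configured order."""
    groups, current = {}, None
    for line in config_text.splitlines():
        m = GROUP_RE.match(line)
        if m:
            current = (m.group(1), m.group(2))
            groups[current] = []
            continue
        m = SERVER_RE.match(line)
        if m and current is not None:
            groups[current].append(m.group(1))
        elif line.strip() and not line[0].isspace():
            current = None  # any other top-level command ends the group block
    return groups

def find_drift(captures):
    """Return {group: {switch: servers or None}} for groups that differ (order counts)."""
    parsed = {sw: parse_groups(text) for sw, text in captures.items()}
    drift = {}
    for group in sorted(set().union(*parsed.values())):
        per_switch = {sw: parsed[sw].get(group) for sw in parsed}
        if len({None if v is None else tuple(v) for v in per_switch.values()}) > 1:
            drift[group] = per_switch
    return drift
```

A value of `None` for a switch means the group is not configured there at all, which is the case the note above warns about.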
User Is Not in Any Configured Role
Symptom: User is not in any configured role.
Table 17-3 User Is Not In Any Configured Role
Symptom: User is not in any configured role.
Possible Cause: User configuration on AAA server does not have role attributes set.
Solution:
    For RADIUS, configure the vendor-specific attributes on the server for the role using:
        Cisco-AVPair = shell:roles="rolename1 rolename2"
    For TACACS+, configure the attribute and value pair on the server for the role using:
        roles="rolename1 rolename2"
    Verify that all roles are defined on the switch.