Verifying Tacacs+ Server Groups Using The Cli; User Is Not In Any Configured Role - Cisco 9134 - MDS Multilayer Fabric Switch Troubleshooting Manual

AAA Issues
S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m

Verifying TACACS+ Server Groups Using the CLI

To verify or change the TACACS+ server groups using the CLI, follow these steps:
Step 1 Use the show running-config command to view the TACACS+ configuration for the server groups.
switch# show running-config | begin aaa
aaa group server radius RadiusGroup
aaa group server tacacs TacacsGroup
Use the aaa group server tacacs command to configure the TACACS+ servers that you want in this
Step 2
server group.
Note

User Is Not in Any Configured Role

Symptom
Table 17-3 User Is Not In Any Configured Role
Symptom Possible Cause
User is not in any User configuration on AAA server does
configured role. not have role attributes set.
Cisco MDS 9000 Family Troubleshooting Guide, Release 3.x
17-10
server 10.1.1.1
server 10.2.3.4
server 11.5.4.3
server 11.6.5.4
CFS does not distribute AAA server groups. You must copy this configuration to all relevant
switches in the fabric.
User is not in any configured role.
Chapter 17
Solution
For RADIUS, configure the vendor-specific attributes on the
server for the role using:
Cisco-AVPair = shell:roles=" rolename1 rolename2"
For TACACS+, configure the attribute and value pair on the
server for the role using:
roles=" rolename1 rolename2"
Verify that all roles are defined on the switch.
Troubleshooting RADIUS and TACACS+
.
.
OL-9285-05