https://community.cisco.com/t5/network-access-control/aaa-config-question/m-p/899023#M391620 <HTML><HEAD></HEAD><BODY><P>Other way can be to use ip tacacs source -interface command on the router. So that, router will always use that specific interface to send tacacs packets.</P><P></P><P>Where interface would be the IP that is mentioned in acs, aaa-clients</P><P></P><P>It is recommended to use this command on layer 3 devices.</P><P></P><P></P><P>Regards,</P><P>~JG</P><P></P><P></P><P></P></BODY></HTML> Fri, 08 Feb 2008 14:21:10 GMT Jagdeep Gambhir 2008-02-08T14:21:10Z https://community.cisco.com/t5/network-access-control/aaa-config-question/m-p/899019#M391616 <P>I have configured aaa on two routers. When I telnet into them, one works fine with the ACS server. The other router returns a password prompt (enable secret). Both configs appear to have same aaa code. Is this an aaa issue? </P> Sun, 10 Mar 2019 22:38:39 GMT https://community.cisco.com/t5/network-access-control/aaa-config-question/m-p/899019#M391616 witmer.bob 2019-03-10T22:38:39Z https://community.cisco.com/t5/network-access-control/aaa-config-question/m-p/899020#M391617 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>TACACS+ Operation</P><P>Three possible activities can be performed during TACACS+ operation. The first operation performed is authentication. This is done to clearly identify the user. The second operation is authorization and is possible only once a user has been identified. Therefore, you must authenticate prior to authorizing. The third operation is accounting. The accounting process keeps track of actions performed. The three processes are each independent of the other.</P><P></P><P>TACACS+ and Authentication</P><P>When authentication is performed in TACACS+, three distinct packet exchanges take place. The three types of packets are</P><P></P><P>START This packet is used initially when the user attempts to connect.</P><P></P><P>REPLY Sent by the AAA server during the authentication process.</P><P></P><P>CONTINUE Used by the AAA client to return username and password to the AAA server</P><P></P><P>START and CONTINUE packets are always sent by the AAA client, and REPLY packets are always sent by the TACACS+ server</P><P></P></BODY></HTML> Wed, 06 Feb 2008 18:35:54 GMT https://community.cisco.com/t5/network-access-control/aaa-config-question/m-p/899020#M391617 syedsohailsarwar 2008-02-06T18:35:54Z https://community.cisco.com/t5/network-access-control/aaa-config-question/m-p/899021#M391618 <HTML><HEAD></HEAD><BODY><P>Thank you! I am seeing the failed attempt on the ACS server. However, since the Uname prompt is never seen on the rtr, it appears the REPLY is not making it from ACS to rtr. </P><P>Note: The failed attempt is instantaneous on the ACS server, no lengthy timeout. I can trace route from ACS to rtr without issue. Any thoughts?</P></BODY></HTML> Wed, 06 Feb 2008 19:12:17 GMT https://community.cisco.com/t5/network-access-control/aaa-config-question/m-p/899021#M391618 witmer.bob 2008-02-06T19:12:17Z https://community.cisco.com/t5/network-access-control/aaa-config-question/m-p/899022#M391619 <HTML><HEAD></HEAD><BODY><P>Issue was fixed by extending the aaa client IP address on ACS server.</P></BODY></HTML> Fri, 08 Feb 2008 13:38:31 GMT https://community.cisco.com/t5/network-access-control/aaa-config-question/m-p/899022#M391619 witmer.bob 2008-02-08T13:38:31Z https://community.cisco.com/t5/network-access-control/aaa-config-question/m-p/899023#M391620 <HTML><HEAD></HEAD><BODY><P>Other way can be to use ip tacacs source -interface command on the router. So that, router will always use that specific interface to send tacacs packets.</P><P></P><P>Where interface would be the IP that is mentioned in acs, aaa-clients</P><P></P><P>It is recommended to use this command on layer 3 devices.</P><P></P><P></P><P>Regards,</P><P>~JG</P><P></P><P></P><P></P></BODY></HTML> Fri, 08 Feb 2008 14:21:10 GMT https://community.cisco.com/t5/network-access-control/aaa-config-question/m-p/899023#M391620 Jagdeep Gambhir 2008-02-08T14:21:10Z