https://community.cisco.com/t5/network-access-control/tacacs-authentication-errors/m-p/1019553#M396660 <HTML><HEAD></HEAD><BODY><P>I did match all the keys, but just tried deleting the NDG key and retest and got the same results. Switch comes back with % Backup authentication.</P><P>Also note that in the failed attempts report, I can change the keys, so they don't match, and get an Authentication Failed key mismatch entry in the report. When the keys match there is no entry in the failed attempts report and no entry in the passed authentications report. Tacacs+ accounting report shows an entry for the username I am using and shows start acct flag and service shell.</P></BODY></HTML> Fri, 09 May 2008 14:31:12 GMT dguse 2008-05-09T14:31:12Z https://community.cisco.com/t5/network-access-control/tacacs-authentication-errors/m-p/1019551#M396658 <P>I am having problems getting TACACS+ AAA working with my 3560 switches. I have set up users, groups, and NDG on ACS SE as per the CS ACS course material and have triple checked my keys to make sure they match. I have attached debug from switch for authentication, authorization and tacacs+. Can someone please tell me what I am doing wrong?</P><P></P><P> </P><P></P> Sun, 10 Mar 2019 22:50:15 GMT https://community.cisco.com/t5/network-access-control/tacacs-authentication-errors/m-p/1019551#M396658 dguse 2019-03-10T22:50:15Z https://community.cisco.com/t5/network-access-control/tacacs-authentication-errors/m-p/1019552#M396659 <HTML><HEAD></HEAD><BODY><P>This seems to be a key mismatch. Please note that if you have NDG key also configured that can cause key mismatch.</P><P></P><P>Imp: NDG key overwrites aaa-client key.</P><P></P><P>Please use the same key for NDG and client or simply remove the NDG key.</P><P></P><P></P><P>Regards,</P><P>~JG</P><P></P><P>Do rate helpful posts</P></BODY></HTML> Fri, 09 May 2008 13:36:01 GMT https://community.cisco.com/t5/network-access-control/tacacs-authentication-errors/m-p/1019552#M396659 Jagdeep Gambhir 2008-05-09T13:36:01Z https://community.cisco.com/t5/network-access-control/tacacs-authentication-errors/m-p/1019553#M396660 <HTML><HEAD></HEAD><BODY><P>I did match all the keys, but just tried deleting the NDG key and retest and got the same results. Switch comes back with % Backup authentication.</P><P>Also note that in the failed attempts report, I can change the keys, so they don't match, and get an Authentication Failed key mismatch entry in the report. When the keys match there is no entry in the failed attempts report and no entry in the passed authentications report. Tacacs+ accounting report shows an entry for the username I am using and shows start acct flag and service shell.</P></BODY></HTML> Fri, 09 May 2008 14:31:12 GMT https://community.cisco.com/t5/network-access-control/tacacs-authentication-errors/m-p/1019553#M396660 dguse 2008-05-09T14:31:12Z https://community.cisco.com/t5/network-access-control/tacacs-authentication-errors/m-p/1019554#M396662 <HTML><HEAD></HEAD><BODY><P>In layer 3 devices, other then normal aaa commands, we also need to define tacacs source interface so that it uses only that interface for sending tacacs request to acs.</P><P></P><P>AAA-Switch(config)#ip tacacs source-interface (vlan or loopback or gigabit interface)</P><P></P><P>In above command we need to define the interface that is listed in acs---&gt;network configuration---&gt;Router.</P><P></P><P></P><P>Regards,</P><P>~JG</P></BODY></HTML> Fri, 09 May 2008 14:48:32 GMT https://community.cisco.com/t5/network-access-control/tacacs-authentication-errors/m-p/1019554#M396662 Jagdeep Gambhir 2008-05-09T14:48:32Z https://community.cisco.com/t5/network-access-control/tacacs-authentication-errors/m-p/1019555#M396663 <HTML><HEAD></HEAD><BODY><P>Here is the config I have on the switch. (sorry should have sent this already).</P><P></P><P>aaa new-model</P><P>aaa authentication login default group tacacs+ none</P><P>aaa authentication login no_aaa none</P><P>aaa authorization exec default group tacacs+ none</P><P>aaa authorization exec no_aaa none</P><P>aaa authorization commands 1 default group tacacs+ none</P><P>aaa authorization commands 15 default group tacacs+ none</P><P>aaa authorization commands 15 no_aaa none</P><P>aaa accounting exec default start-stop group tacacs+</P><P>aaa accounting commands 15 default start-stop group tacacs+</P><P>!</P><P>!</P><P>interface VLAN1</P><P> ip address 10.200.1.16 255.255.255.0</P><P> no ip directed-broadcast</P><P> no ip route-cache</P><P>!</P><P>ip tacacs source-interface VLAN1</P><P>!</P><P>tacacs-server host 10.200.35.250</P><P>tacacs-server key cisco</P><P>!</P><P>line con 0</P><P> authorization commands 15 no_aaa</P><P> authorization exec no_aaa</P><P> login authentication no_aaa</P><P> transport input none</P><P> stopbits 1</P><P>line vty 5 15</P><P>!</P></BODY></HTML> Fri, 09 May 2008 15:19:31 GMT https://community.cisco.com/t5/network-access-control/tacacs-authentication-errors/m-p/1019555#M396663 dguse 2008-05-09T15:19:31Z https://community.cisco.com/t5/network-access-control/tacacs-authentication-errors/m-p/1019556#M396665 <HTML><HEAD></HEAD><BODY><P>Any other ideas? </P><P>As a test, I set up a Windows server and installed ACS 4.1(2) Build 23 on it. Put same config as on SE and it works. I have checked the config on both the Windows and the SE and they are the same from what I can tell.</P><P></P><P>Please help!!</P><P></P><P></P></BODY></HTML> Thu, 15 May 2008 12:49:21 GMT https://community.cisco.com/t5/network-access-control/tacacs-authentication-errors/m-p/1019556#M396665 dguse 2008-05-15T12:49:21Z https://community.cisco.com/t5/network-access-control/tacacs-authentication-errors/m-p/1019557#M396667 <HTML><HEAD></HEAD><BODY><P>Do you have dual NIC on acs windows ?</P><P></P><P></P><P></P><P>Regards,</P><P>~JG</P></BODY></HTML> Thu, 15 May 2008 14:28:31 GMT https://community.cisco.com/t5/network-access-control/tacacs-authentication-errors/m-p/1019557#M396667 Jagdeep Gambhir 2008-05-15T14:28:31Z https://community.cisco.com/t5/network-access-control/tacacs-authentication-errors/m-p/1019558#M396668 <HTML><HEAD></HEAD><BODY><P>Yes, but I am only using one. We have fully tested Radius and Tacacs+ on the Windows ACS and everything is working perfectly. Can't figure out why the SE's will not.</P></BODY></HTML> Fri, 16 May 2008 10:33:52 GMT https://community.cisco.com/t5/network-access-control/tacacs-authentication-errors/m-p/1019558#M396668 dguse 2008-05-16T10:33:52Z https://community.cisco.com/t5/network-access-control/tacacs-authentication-errors/m-p/1019559#M396669 <HTML><HEAD></HEAD><BODY><P>Ohh, so its SE that is not working.</P><P></P><P>Do this, ACS---&gt;Network configuration====&gt;Proxy Dis table---&gt;Click on default====&gt; If you see delivenrance 1 in aaa server----&gt; Drag it to "Forward to" ---&gt;And whatever is there under forward to ---&gt;Drag it to aaa-server--&gt;submit+apply.</P><P></P><P>It should work now.</P><P></P><P>If you don't see proxy distribution option then go to acs---&gt;interface configuration-----&gt;advanced option ----&gt;enable distributed table.</P><P></P><P></P><P>Regards,</P><P>~JG</P><P></P><P></P></BODY></HTML> Sat, 17 May 2008 11:54:23 GMT https://community.cisco.com/t5/network-access-control/tacacs-authentication-errors/m-p/1019559#M396669 Jagdeep Gambhir 2008-05-17T11:54:23Z https://community.cisco.com/t5/network-access-control/tacacs-authentication-errors/m-p/1019560#M396670 <HTML><HEAD></HEAD><BODY><P>That did it!!</P><P></P><P>Thank you!</P><P></P><P>Darren</P></BODY></HTML> Mon, 19 May 2008 11:05:06 GMT https://community.cisco.com/t5/network-access-control/tacacs-authentication-errors/m-p/1019560#M396670 dguse 2008-05-19T11:05:06Z