https://community.cisco.com/t5/network-access-control/aaa-authentication-tacacs-failed/m-p/1414639#M404961 <HTML><HEAD></HEAD><BODY><P>You have configured the default authentication method to use TACACS+ with a fallback of line password.</P><P><BR />Since you are being prompted for the line password, it appears that the router can't contact the TACACS+ server.</P><P></P><P>Please enable these debugs, recreate the problem and show us the output:</P><P></P><P>debug aaa authentication</P><P>debug tacacs</P><P></P><P>You will also want to make sure that you can reach the TACACS+ server when sourcing packets from VLAN 4.</P></BODY></HTML> Tue, 16 Mar 2010 15:02:40 GMT Javier Henderson 2010-03-16T15:02:40Z https://community.cisco.com/t5/network-access-control/aaa-authentication-tacacs-failed/m-p/1414638#M404959 <P>Hi,</P><P>I've been configured my device 6506-9 with TACACS+ server authentication:</P><P></P><P>enable password 7 1414131F5C542638<BR />aaa new-model<BR /><STRONG>aaa authentication login default group tacacs+ line</STRONG><BR />aaa authentication login no_tacacs enable<BR />aaa authentication ppp default group tacacs+<BR />aaa authorization exec default group tacacs+ if-authenticated none <BR />aaa authorization network default group tacacs+ <BR />aaa accounting update newinfo<BR />aaa accounting exec default start-stop group tacacs+<BR />aaa accounting commands 15 default start-stop group tacacs+<BR />aaa accounting network default start-stop group tacacs+<BR />aaa session-id common</P><P>!</P><P>ip tacacs source-interface Vlan4</P><P>!</P><P>tacacs-server host 10.4.X.X key 7 1 044A1E030D345F4D080A554745<BR />tacacs-server directed-request<BR />tacacs-server key 7 12081012101E1F072B3874786475<BR />!</P><P>interface Vlan4<BR /> description Servers<BR /> ip address 10.4.X.X 255.255.0.0<BR /> no ip redirects<BR /> standby 1 ip 10.4.X.X</P><P>!</P><P></P><P>but when I tried to access the device only uses authentication local but not uses TACACs (with username/password defined) it can be an error in configuration? in the other devices of network this works properly, only it's wrong in Cat6506-E</P><P></P><P></P><P>device#&nbsp; telnet 10.1.1.3<BR />Trying 10.1.1.3 ... Open</P><P></P><P><BR />User Access Verification</P><P></P><P>Password:</P><P></P><P></P><P>Thanks!</P> Mon, 11 Mar 2019 00:00:32 GMT https://community.cisco.com/t5/network-access-control/aaa-authentication-tacacs-failed/m-p/1414638#M404959 sdurn 2019-03-11T00:00:32Z https://community.cisco.com/t5/network-access-control/aaa-authentication-tacacs-failed/m-p/1414639#M404961 <HTML><HEAD></HEAD><BODY><P>You have configured the default authentication method to use TACACS+ with a fallback of line password.</P><P><BR />Since you are being prompted for the line password, it appears that the router can't contact the TACACS+ server.</P><P></P><P>Please enable these debugs, recreate the problem and show us the output:</P><P></P><P>debug aaa authentication</P><P>debug tacacs</P><P></P><P>You will also want to make sure that you can reach the TACACS+ server when sourcing packets from VLAN 4.</P></BODY></HTML> Tue, 16 Mar 2010 15:02:40 GMT https://community.cisco.com/t5/network-access-control/aaa-authentication-tacacs-failed/m-p/1414639#M404961 Javier Henderson 2010-03-16T15:02:40Z https://community.cisco.com/t5/network-access-control/aaa-authentication-tacacs-failed/m-p/1414640#M404963 <HTML><HEAD></HEAD><BODY><P><SPAN class="medium_text" id="result_box"><SPAN style="background-color: #ffffff;" title="hola,">Hi,<BR /></SPAN><SPAN style="background-color: #ffffff;" title="desde los 2 Cat6509&nbsp; que forman el CORE de la red puedo hacer ping al servidor TACACS (desde&nbsp; el resto de equipos de red me funciona la configuración del TACACs sin&nbsp; problema)">from 2 Cat6509 that form the core of the network, I can ping the TACACS&nbsp; server (from other network equipment, TACACS works without&nbsp; problems)</SPAN></SPAN><SPAN class="long_text" id="result_box"><SPAN style="background-color: #ffffff;" title="hola,"></SPAN><SPAN style="background-color: #ffffff;" title="desde los dos 6509&nbsp; llego al servidor TACACs por ping (por la vlan 4):">:<BR /></SPAN><SPAN style="background-color: #ffffff;" title="CORE1#ping&nbsp; 10.4.2.33"></SPAN></SPAN></P><P></P><P><SPAN class="long_text" id="result_box"><SPAN style="background-color: #ffffff;" title="CORE1#ping&nbsp; 10.4.2.33">Core1 # ping 10.4.2.33<BR /></SPAN><SPAN style="background-color: #ffffff;" title="Type escape&nbsp; sequence to abort.">Type escape sequence to abort.<BR /></SPAN><SPAN style="background-color: #ffffff;" title="Sending 5, 100-byte&nbsp; ICMP Echos to 10.4.2.33, timeout is 2 seconds:">Sending 5, 100-byte&nbsp; ICMP Echos to 10.4.2.33, timeout is 2 seconds:<BR /></SPAN><SPAN title="!!!!!">!!!!!<BR /></SPAN><SPAN title="Success rate is 100 percent&nbsp; (5/5), round-trip min/avg/max = 1/1/4 ms">Success rate is 100 percent (5&nbsp; / 5), round-trip min / avg / max = 1/1/4 ms<BR /></SPAN><SPAN title="CORE1#ping"></SPAN></SPAN></P><P></P><P><SPAN class="long_text" id="result_box"><SPAN title="CORE1#ping">Core1 # ping<BR /></SPAN><SPAN title="Protocol [ip]:">Protocol&nbsp; [ip]:<BR /></SPAN><SPAN title="Target IP address: 10.4.2.33">Target IP&nbsp; address: 10.4.2.33<BR /></SPAN><SPAN style="background-color: #ffffff;" title="Repeat count [5]:">Repeat count [5]:<BR /></SPAN><SPAN title="Datagram size [100]:">Datagram size [100]:<BR /></SPAN><SPAN title="Timeout in seconds [2]:">Timeout in seconds [2]:<BR /></SPAN><SPAN title="Extended commands [n]: y">Extended commands [n]: y<BR /></SPAN><SPAN title="Source address or interface: 10.4.1.253">Source address or&nbsp; interface: 10.4.1.253<BR /></SPAN><SPAN title="Type of service [0]:">Type&nbsp; of service [0]:<BR /></SPAN><SPAN title="Set DF bit in IP header?">September&nbsp; DF bit in IP header? </SPAN><SPAN title="[no]:">[no]:<BR /></SPAN><SPAN title="Validate reply data?">Validate reply data? </SPAN><SPAN title="[no]:">[no]:<BR /></SPAN><SPAN title="Data pattern [0xABCD]:">Data&nbsp; pattern [0xABCD]:<BR /></SPAN><SPAN title="Loose, Strict, Record,&nbsp; Timestamp, Verbose[none]:">Loose, Strict, Record, Timestamp, Verbose&nbsp; [none]:<BR /></SPAN><SPAN title="Sweep range of sizes [n]:">Sweep range of&nbsp; sizes [n]:<BR /></SPAN><SPAN title="Type escape sequence to abort.">Type&nbsp; escape sequence to abort.<BR /></SPAN><SPAN title="Sending 5, 100-byte&nbsp; ICMP Echos to 10.4.2.33, timeout is 2 seconds:">Sending 5, 100-byte ICMP&nbsp; Echos to 10.4.2.33, timeout is 2 seconds:<BR /></SPAN><SPAN title="Packet&nbsp; sent with a source address of 10.4.1.253">Packet sent with a source&nbsp; address of 10.4.1.253<BR /></SPAN><SPAN title="!!!!!">!!!!!<BR /></SPAN><SPAN title="Success rate is 100 percent (5/5), round-trip min/avg/max =&nbsp; 1/1/4 ms">Success rate is 100 percent (5 / 5), round-trip min / avg /&nbsp; max = 1/1/4 ms<BR /><BR /></SPAN><SPAN style="background-color: #ffffff;" title="He hecho el debug que me has recomendado (archivo&nbsp; adjunto).">I completed the debugging that you've recommended (attached file).<BR /><BR /></SPAN><SPAN title="Muchas gracias por tu respuesta.">Thank you very much for your&nbsp; reply.</SPAN></SPAN></P></BODY></HTML> Mon, 22 Mar 2010 17:31:08 GMT https://community.cisco.com/t5/network-access-control/aaa-authentication-tacacs-failed/m-p/1414640#M404963 sdurn 2010-03-22T17:31:08Z https://community.cisco.com/t5/network-access-control/aaa-authentication-tacacs-failed/m-p/1414641#M404968 <HTML><HEAD></HEAD><BODY><P><SPAN style="font-family: verdana,geneva; color: #0000ff;">Make sure ACS have IP address of VLAN 4 listed under aaa-clients.</SPAN></P><P><SPAN style="font-family: verdana,geneva; color: #0000ff;"><BR /></SPAN></P><P><SPAN style="font-family: verdana,geneva; color: #0000ff;"><BR /></SPAN></P><P><SPAN style="font-family: verdana,geneva; color: #0000ff;">Regards,</SPAN></P><P><SPAN style="font-family: verdana,geneva; color: #0000ff;">~JG</SPAN></P></BODY></HTML> Mon, 22 Mar 2010 18:09:57 GMT https://community.cisco.com/t5/network-access-control/aaa-authentication-tacacs-failed/m-p/1414641#M404968 Jagdeep Gambhir 2010-03-22T18:09:57Z https://community.cisco.com/t5/network-access-control/aaa-authentication-tacacs-failed/m-p/1414642#M404971 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P><SPAN class="long_text" id="result_box"><SPAN style="background-color: #ffffff;" title="La IP de gestión de todos los equipos de red&nbsp; está en la vlan1 con rango de IPs: 10.1.XX/16">The IP management of all&nbsp; network equipment is in vlan1 with IP range: 10.1.XX/16<BR /></SPAN><SPAN style="background-color: #ffffff;" title="La IP del servidor&nbsp; TACACs está en la vlan 4 con direccionamiento 10.4.XX/16.">The TACACS&nbsp; server IP is on VLAN 4 with addressing 10.4.XX/16.<BR /></SPAN><SPAN style="background-color: #ffffff;" title="En el servidor&nbsp; TACACs está definido todo el rando de la Vlan1 para que se autentique,&nbsp; todos los equipos de red lo hacen excepto los equipos de CORE (cat6509)"></SPAN></SPAN><SPAN class="long_text" id="result_box"><SPAN style="background-color: #ffffff;" title="En el servidor TACACs está permitido todo el&nbsp; rango de la Vlan1 para que se autentique, todos los equipos de red lo&nbsp; hacen excepto los equipos de CORE (cat6509)">In the TACACS server is&nbsp; allowed the full range of VLAN1 to authenticate, </SPAN></SPAN><SPAN class="long_text" id="result_box"><SPAN title="En el servidor&nbsp; TACACs está permitido todo el rango de la Vlan1 para que se autentique,&nbsp; todos los equipos de red lo hacen correctamente excepto los equipos de&nbsp; CORE (cat6509)">and all network equipment properly do, except the CORE devices...(Cat6509)</SPAN></SPAN></P><P></P><P>Thanks!</P></BODY></HTML> Tue, 23 Mar 2010 10:06:58 GMT https://community.cisco.com/t5/network-access-control/aaa-authentication-tacacs-failed/m-p/1414642#M404971 sdurn 2010-03-23T10:06:58Z https://community.cisco.com/t5/network-access-control/aaa-authentication-tacacs-failed/m-p/1414643#M404977 <HTML><HEAD></HEAD><BODY><P>In the debug output we see:</P><P></P><P>Mar 22 17:14:58: TPLUS(00000061)/0/NB_WAIT/524FDA08: Started 5 sec timeout<BR />Mar 22 17:14:58: TPLUS(00000061)/0/NB_WAIT: socket event 2<BR />Mar 22 17:14:58: TPLUS(00000061)/0/NB_WAIT: wrote entire 51 bytes request<BR />Mar 22 17:14:58: TPLUS(00000061)/0/READ: socket event 1<BR />Mar 22 17:14:58: TPLUS(00000061)/0/READ: Would block while reading<BR />Mar 22 17:14:58: TPLUS(00000061)/0/READ: socket event 1<BR />Mar 22 17:14:58: TPLUS(00000061)/0/READ: errno 254<BR />Mar 22 17:14:58: TPLUS(00000061)/0/524FDA08: Processing the reply packet</P><P></P><P>That suggests a mismatched TACACS+ shared secret, please check into this.</P></BODY></HTML> Tue, 23 Mar 2010 14:16:00 GMT https://community.cisco.com/t5/network-access-control/aaa-authentication-tacacs-failed/m-p/1414643#M404977 Javier Henderson 2010-03-23T14:16:00Z https://community.cisco.com/t5/network-access-control/aaa-authentication-tacacs-failed/m-p/1414644#M404981 <HTML><HEAD></HEAD><BODY><P> I, too, am having issue.</P><P></P><P>Solutions attempted, but still failed:</P><P>1. entered tacacs key again</P><P>2. restarted Cisco ACS 5.2 server</P><P>3. added "ip tacacs source-interface" command</P><P></P><P>Here's the original post I created.&nbsp; I didnt know what to search originally, so created a separate topic/thread.</P><P><A _jive_internal="true" href="https://community.cisco.com/thread/2203407">https://supportforums.cisco.com/thread/2203407</A></P><P></P><P>Thank you,</P><P>Adam</P></BODY></HTML> Wed, 17 Apr 2013 21:15:12 GMT https://community.cisco.com/t5/network-access-control/aaa-authentication-tacacs-failed/m-p/1414644#M404981 dynamitec1 2013-04-17T21:15:12Z