https://community.cisco.com/t5/network-access-control/tacacs-and-gre-tunnel/m-p/122619#M438242 <HTML><HEAD></HEAD><BODY><P>OK - here is some more info:</P><P>router versions local 12.2(6b) remote 12.2(5d)</P><P>Ping sweep min to max OK</P><P>ACS message "Unknown NAS" </P><P>Source address is serial int of remote router in ACS device config</P><P>debug aaa on remote router shows a TAC+ send authen/start</P><P>then it has status "error" - then drops to line authentication</P><P>Thanks...</P><P></P><P></P></BODY></HTML> Wed, 02 Apr 2003 16:24:53 GMT awairlines 2003-04-02T16:24:53Z https://community.cisco.com/t5/network-access-control/tacacs-and-gre-tunnel/m-p/122617#M438240 <P>Tacacs authentication doesn't work after passing thru GRE tunnel with Crypto map.</P> Sun, 10 Mar 2019 14:14:07 GMT https://community.cisco.com/t5/network-access-control/tacacs-and-gre-tunnel/m-p/122617#M438240 awairlines 2019-03-10T14:14:07Z https://community.cisco.com/t5/network-access-control/tacacs-and-gre-tunnel/m-p/122618#M438241 <HTML><HEAD></HEAD><BODY><P>We need more information than that please if we're going to help you. </P><P></P><P>What version of router code on both sides? Can you ping to the TACACS server over the tunnel with all different sizes of packets (up to and including 1500bytes)? What does the log on the ACS server say, anything in Failed Attempts or Passed Authentications? Are you sure you're sourcing the TACACS packets from the same interface as the IP address you have entered in as the NAS on the ACS server (check for Unknown NAS errors in the Failed Attempts log)?</P></BODY></HTML> Wed, 02 Apr 2003 00:45:06 GMT https://community.cisco.com/t5/network-access-control/tacacs-and-gre-tunnel/m-p/122618#M438241 gfullage 2003-04-02T00:45:06Z https://community.cisco.com/t5/network-access-control/tacacs-and-gre-tunnel/m-p/122619#M438242 <HTML><HEAD></HEAD><BODY><P>OK - here is some more info:</P><P>router versions local 12.2(6b) remote 12.2(5d)</P><P>Ping sweep min to max OK</P><P>ACS message "Unknown NAS" </P><P>Source address is serial int of remote router in ACS device config</P><P>debug aaa on remote router shows a TAC+ send authen/start</P><P>then it has status "error" - then drops to line authentication</P><P>Thanks...</P><P></P><P></P></BODY></HTML> Wed, 02 Apr 2003 16:24:53 GMT https://community.cisco.com/t5/network-access-control/tacacs-and-gre-tunnel/m-p/122619#M438242 awairlines 2003-04-02T16:24:53Z https://community.cisco.com/t5/network-access-control/tacacs-and-gre-tunnel/m-p/122620#M438243 <HTML><HEAD></HEAD><BODY><P>OK, thanks. </P><P></P><P>If you're getting Unknown NAS in ACS, then the TACACS packet is being sourced with a different router address than what you entered in ACS for that NAS. You should be able to see what address the router is using by looking at the Unknown NAS error message. you can either then add that address is for the NAS, or use the "ip tacacs source-interface ..." command to specify what address the router uses.</P></BODY></HTML> Thu, 03 Apr 2003 01:20:03 GMT https://community.cisco.com/t5/network-access-control/tacacs-and-gre-tunnel/m-p/122620#M438243 gfullage 2003-04-03T01:20:03Z https://community.cisco.com/t5/network-access-control/tacacs-and-gre-tunnel/m-p/122621#M438244 <HTML><HEAD></HEAD><BODY><P>The "ip tacacs source-interface" resolved the issue...</P></BODY></HTML> Thu, 03 Apr 2003 16:15:23 GMT https://community.cisco.com/t5/network-access-control/tacacs-and-gre-tunnel/m-p/122621#M438244 awairlines 2003-04-03T16:15:23Z https://community.cisco.com/t5/network-access-control/tacacs-and-gre-tunnel/m-p/122622#M438245 <HTML><HEAD></HEAD><BODY><P>I had a similar problem where the router was on the end of a GRE tunnel and could ping the ACS (tacacs) server but could not use it for authentication. The "ip tacacs source-interface" command resolved my problem.</P><P></P><P>Cheers,</P><P>Ben.</P></BODY></HTML> Thu, 24 Apr 2008 01:28:31 GMT https://community.cisco.com/t5/network-access-control/tacacs-and-gre-tunnel/m-p/122622#M438245 ben_johnson 2008-04-24T01:28:31Z https://community.cisco.com/t5/network-access-control/tacacs-and-gre-tunnel/m-p/122623#M438246 <HTML><HEAD></HEAD><BODY><P>Hello All, [Pls Rate if HELPS]</P><P></P><P>In addition,</P><P></P><P>Normally in the CRYPTO Configuration the Crypto Sessions will be formed with some Private Loopback available in the Configuration.</P><P></P><P>Since the TACACS Server will be in the same domain, so the "ip tacacs source-interface" command solved the problem of Urs.</P><P></P><P>The Crypto Originating LOCAL Interface at SPOKE Location, should be normally used for tacacs Source Interface in a general scenario.</P><P></P><P>Hope I am Informative.</P><P></P><P>Pls Rate if HELPS</P><P></P><P>Best Regards,</P><P></P><P>Guru Prasad R</P></BODY></HTML> Sun, 27 Apr 2008 19:11:38 GMT https://community.cisco.com/t5/network-access-control/tacacs-and-gre-tunnel/m-p/122623#M438246 guruprasadr 2008-04-27T19:11:38Z