ACE doesn't send login request to TACACS+ on ACS unless user is configured locally

tadeo
Level 1

Hello everybody,

We are currently implementing a TACACS+ server on our network. All our devices had local users until this point. We encountered no problem configuring the AAA setups on most of our devices, but our ACEs have had an odd behavior:

We debugged the packets coming out of the ACE, and found that if we have a user configured on the ACS, say for example "UserA", and that username is not configured on the ACE itself, the ACE never sends the authentication request to the ACS. Now, if we configure that username on the ACE, even with a different password, we see that when we try to login the request is correctly sent to the ACS, and we can use the password configured on the ACS correctly, so we know the TACACS user is configured correctly.

How is it that we need to have the user created locally for it to work? Is this normal behaviour?

Thank you,

Regards,

Tadeo
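
The question turns on whether the ACE emits a TACACS+ authentication request at all, and the first thing to look for in a capture is the authentication START packet carrying the username. The following is an added example, not code from the original post or from Cisco: it builds and decodes a TACACS+ (RFC 8907) authentication START packet for an ASCII login, so a defender knows what a correctly emitted request looks like and can parse one out of a debug capture. The shared key, session id, port and remote address are constructed sample values.

```python
"""Build and decode a TACACS+ authentication START packet (RFC 8907).

Added example, not Cisco code: the shared key, session id and usernames
below are constructed so the script runs offline.
"""
import hashlib
import struct

# Header constants from RFC 8907
TAC_PLUS_VERSION = 0xC0            # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # body sent in cleartext (should never be set in production)

# Authentication START field values
TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01

# version, type, seq_no, flags, session_id, length
HEADER = struct.Struct("!BBBBII")


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Generate the chained-MD5 keystream TACACS+ uses to obfuscate the body."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad = b""
    last = b""
    while len(pad) < length:
        last = hashlib.md5(prefix + last).digest()
        pad += last
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo pad; the same call reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user: str, port: str, rem_addr: str, session_id: int, key: bytes,
                       priv_lvl: int = 1) -> bytes:
    """Return the wire bytes of the first packet a client sends for an ASCII login."""
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), b""  # no data for ASCII login
    body = struct.pack("!BBBBBBBB", TAC_PLUS_AUTHEN_LOGIN, priv_lvl,
                       TAC_PLUS_AUTHEN_TYPE_ASCII, TAC_PLUS_AUTHEN_SVC_LOGIN,
                       len(u), len(p), len(r), len(d)) + u + p + r + d
    seq_no = 1  # START is always the first packet of the session
    header = HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def decode_authen_start(packet: bytes, key: bytes) -> dict:
    """Parse a captured START packet; raise ValueError if malformed or the key is wrong."""
    if len(packet) < HEADER.size:
        raise ValueError("packet shorter than TACACS+ header")
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    body = packet[HEADER.size:]
    if len(body) != length:
        raise ValueError("header length does not match body length")
    if ptype != TAC_PLUS_AUTHEN or seq_no != 1:
        raise ValueError("not an authentication START packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    if len(body) < 8:
        raise ValueError("START body too short")
    action, priv_lvl, authen_type, service, ulen, plen, rlen, dlen = struct.unpack("!BBBBBBBB", body[:8])
    # A wrong key yields random bytes, which almost never produce consistent lengths.
    if 8 + ulen + plen + rlen + dlen != len(body):
        raise ValueError("field lengths inconsistent: wrong key or corrupt packet")
    off = 8
    user = body[off:off + ulen].decode(errors="replace")
    off += ulen
    port = body[off:off + plen].decode(errors="replace")
    off += plen
    rem_addr = body[off:off + rlen].decode(errors="replace")
    return {"version": version, "seq_no": seq_no, "session_id": session_id,
            "action": action, "priv_lvl": priv_lvl, "authen_type": authen_type,
            "service": service, "user": user, "port": port, "rem_addr": rem_addr}


# Constructed sample values (not from any real deployment)
SAMPLE_KEY = b"example-shared-key"
SAMPLE_SESSION_ID = 0x1A2B3C4D

if __name__ == "__main__":
    pkt = build_authen_start("UserA", "tty0", "192.0.2.10", SAMPLE_SESSION_ID, SAMPLE_KEY)
    print(pkt.hex())
    print(decode_authen_start(pkt, SAMPLE_KEY))
```

When reviewing a capture, the 12-byte header (type, sequence number, session id, length) is always cleartext, so the absence of any type-1 packet with sequence number 1 towards the server confirms the symptom described above without needing the key; the username itself only becomes readable after de-obfuscation with the shared key, which is the sole protection the protocol offers for the body.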

1 Reply

Kanwaljeet Singh
Cisco Employee

Hi Tadeo,

It seems it is necessary but I don't have an explanation for the same. Similar post below.

https://supportforums.cisco.com/discussion/10715386/tacacs-and-cisco-ace-load-balancers-authentication

I am not sure what purpose that local user serves, but you can point this to TAC and get an explanation from developers.

Regards,

Kanwal

Note: Please mark answers if they are helpful.