ANM 5.2 authentication failure

mello.thiago
Level 1

Hi everyone,

I'm using Cisco ANM version 5.2 and I'm trying to import the configurations from the ACE modules of Cisco switches. The first step is to import the configuration from the Cisco switch and the second is to import the ACE module into the ANM software. I'm getting an authentication problem when importing the configuration from the Cisco switch, and of course I cannot import the ACE either. The switches and the ACE are using AAA authentication and I have created a specific username to authenticate and import the configurations in the ANM. If I remove the AAA configurations from the switches and ACE modules it works fine.

Does anyone have any idea? Is there some problem with the AAA configurations in the switches or ACE module?

Thanks

7 Replies

Bilal Nawaz
VIP Alumni

Hello, are you using TACACS+?

Please rate useful posts and remember to mark any solved questions as answered. Thank you.

Yes, I'm using TACACS+.

Below is the TACACS+ configuration from my switch:

aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication login no_tacacs enable
aaa authorization exec default group tacacs+ none
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common

So I assume that ACS has been set up correctly to allow authentication? Can you confirm this please or show us the configurations made in ACS to allow aaa to work.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Yes, the ACS is configured correctly. The username and password that I set up there can authenticate with any device in my environment through telnet or ssh.

Hello,

I would configure like this:

aaa new-model
!
aaa group server tacacs+ TACACS+
 server x.x.x.x
 server x.x.x.x
!
aaa authentication login TACACS+ group tacacs+ group radius local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
tacacs-server host x.x.x.x
tacacs-server host x.x.x.x
tacacs-server directed-request
tacacs-server key 7 XXXXXXXXXXXXX

Where the tacacs-server key is the AAA key specified in ACS

!
line vty 0 4
 login authentication TACACS+
line vty 5 15
 password 7 XXXXXXXXXXXXXX
 login authentication FOS_TACACS+

This is only the 6500 configuration. The ACE is a bit different and more complex in ACS, as the shell profile needs to be tweaked to get it working.

Let's just get TACACS+ working on the switch for now...

Please rate useful posts and remember to mark any solved questions as answered. Thank you.
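
A configuration check related to the suggested 6500 configuration above, added here as an example and not part of any poster's reply: the "line vty 5 15" block references a login method list named FOS_TACACS+, while the only login list that snippet defines is TACACS+. The Python below (function name and sample text are constructed for illustration) maps each "line" block to the login method list it uses and reports lists that are referenced but never defined.

```python
import re

# Constructed sample: excerpt of the 6500 configuration suggested above,
# keeping the x.x.x.x placeholders used in the post.
SAMPLE_CONFIG = """\
aaa new-model
aaa group server tacacs+ TACACS+
 server x.x.x.x
aaa authentication login TACACS+ group tacacs+ group radius local
aaa authentication enable default group tacacs+ enable
line vty 0 4
 login authentication TACACS+
line vty 5 15
 login authentication FOS_TACACS+
"""

DEFINE_RE = re.compile(r"^aaa authentication login (\S+)\s+(.+)$")
LINE_RE = re.compile(r"^line (.+)$")
USE_RE = re.compile(r"^\s+login authentication (\S+)")


def audit_login_lists(config):
    """Return one finding per 'line' block: the login method list it uses,
    that list's methods, and whether the list is defined in the config."""
    defined, findings, current = {}, [], None
    lines = [l.rstrip() for l in config.splitlines() if l.strip()]
    for l in lines:  # pass 1: collect 'aaa authentication login' lists
        m = DEFINE_RE.match(l)
        if m:
            defined[m.group(1)] = m.group(2).split()
    for l in lines:  # pass 2: walk the 'line' blocks
        m = LINE_RE.match(l)
        if m:
            current = {"line": m.group(1), "list": "default"}
            findings.append(current)
        elif not l.startswith(" "):
            current = None  # any other top-level command ends the block
        elif current and USE_RE.match(l):
            current["list"] = USE_RE.match(l).group(1)
    for f in findings:
        f["methods"] = defined.get(f["list"], [])
        f["status"] = ("defined" if f["list"] in defined else
                       "implicit-default" if f["list"] == "default" else "undefined")
    return findings


if __name__ == "__main__":
    for f in audit_login_lists(SAMPLE_CONFIG):
        print(f"line {f['line']}: list={f['list']} methods={f['methods']} [{f['status']}]")
```

The parser relies on the leading-space indentation that IOS uses for sub-commands in a saved configuration, so run it against "show running-config" output rather than text pasted with the indentation stripped.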

I tried this configuration on the switch but it doesn't work.

I'm getting the same error in the ANM software as shown above. The message is about a problem with authentication credentials. I have applied the configuration that you told me on the switch, and the same username that I set up in the ACS and ANM works fine through telnet with this config.

So I think I understand: TACACS+ is working for the 6500 and the ACE module, but it's not working for the ANM...?

If so, this document might be able to help you:

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/application_networking_manager/5.2/user/guide/UG_admin.html

Best regards

Please rate useful posts and remember to mark any solved questions as answered. Thank you.