CSS and TACACS+

rustamovea · ‎02-03-2010

I am configuring Cisco CSS as a TACACS client. The state is Alive, but i still can't login CSS through TACACS+ authorization.

The TACACS side should be OK, because several cisco switches were added successfully.

My config:

virtual authentication primary tacacs

virtual authentication secondary local

tacacs-server 10.0.100.198 49 5 "key" primary

CSS11503# sh tacacs-server

Per-Server Status:

IP/Port State Primary Authen. Author. Account

------- ----- ------- ------- ------- ------

10.0.100.198:49 Alive Yes 14 0 0

Totals: 14 0 0

Per-Server Configuration:

IP/Port Key Server Timeout Server Frequency

------- --- -------------- ----------------

10.0.100.198:49 Configured 5 None

Global Configuration Parameters:

Global Timeout: 5

Global KAL Frequency: 5

Global Key: Not Configured

Authorize Config Commands: No

Authorize Non-Config Commands: No

Account Config Commands: No

Account Non-Config Commands: No

Send Full Command: Yes

Any advice would much appreciate !

rustamovea · ‎02-04-2010

Debug output:

FEB 3 05:24:18 1/1 5374 SECURITY-7: SECMGR:SecurityAuth:Request from 0x00004b33

FEB 3 05:24:18 1/1 5375 SECURITY-7: SECMGR:SecurityMgrProc:Try Primary

FEB 3 05:24:18 1/1 5376 SECURITY-7: Security Manager sending success 0 reply to caller 1c01

FEB 3 05:24:18 1/1 5377 SECURITY-7: SECMGR:SecurityMgrProc:Try Done, Send 0x00004b33

FEB 3 05:24:23 1/1 5378 SECURITY-7: SECMGR:SecurityAuth:Request from 0x00004b35

FEB 3 05:24:23 1/1 5379 SECURITY-7: SECMGR:SecurityMgrProc:Try Primary

FEB 3 05:24:23 1/1 5380 SECURITY-7: Security Manager sending success 0 reply to caller 1c01