04-21-2009 11:32 AM - edited 03-10-2019 04:27 PM
My AAA commands:
aaa new-model
aaa authentication login default group tacacs enable
aaa authorization exec default group tacacs none
aaa accounting connection default start-stop group tacacs
aaa session-id common
tacacs-server host [server address]
tacacs-server key [key]
ip tacacs source-interface fast 0
And the debug for authentication and TACACS:
00:08:50: AAA/AUTHEN/LOGIN (00000007): Pick method list 'default'
00:08:50: TPLUS: Queuing AAA Authentication request 7 for processing
00:08:50: TPLUS: processing authentication start request id 7
00:08:50: TPLUS: Authentication start packet created for 7()
00:08:50: TPLUS: Using server 201.0.99.97
Password:
00:08:55: TPLUS(00000007): Select Timed out
00:08:55: AAA/AUTHEN/ENABLE(00000007): Processing request action LOGIN
00:08:55: AAA/AUTHEN/ENABLE(00000007): Done status GET_PASSWORD
Nacogdoches>
00:08:59: AAA/AUTHEN/ENABLE(00000007): Processing request action LOGIN
00:08:59: AAA/AUTHEN/ENABLE(00000007): Done status PASS
I can ping the TACACS server from the router. This set of commands does work for the 1841s that I'm using.
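The debug above shows the security-relevant consequence of `aaa authentication login default group tacacs enable`: when the TACACS+ server never answers ("Select Timed out"), IOS falls back to the next method and the login succeeds on the enable password. The following is an added example, not part of the thread or of Cisco's tooling: a small Python parser that correlates the AAA/TPLUS debug lines by request ID and flags logins that only passed because of that fallback. The log text is a constructed copy of the lines in the post.

```python
"""Flag logins that passed via the 'enable' fallback after a TACACS+ timeout.

Added example for the thread above; the sample debug text is a constructed copy
of the posted lines, and the regexes are written for exactly that line format.
"""
import re

# Constructed copy of the debug output posted above.
DEBUG = """\
00:08:50: AAA/AUTHEN/LOGIN (00000007): Pick method list 'default'
00:08:50: TPLUS: Queuing AAA Authentication request 7 for processing
00:08:50: TPLUS: processing authentication start request id 7
00:08:50: TPLUS: Authentication start packet created for 7()
00:08:50: TPLUS: Using server 201.0.99.97
00:08:55: TPLUS(00000007): Select Timed out
00:08:55: AAA/AUTHEN/ENABLE(00000007): Processing request action LOGIN
00:08:55: AAA/AUTHEN/ENABLE(00000007): Done status GET_PASSWORD
00:08:59: AAA/AUTHEN/ENABLE(00000007): Processing request action LOGIN
00:08:59: AAA/AUTHEN/ENABLE(00000007): Done status PASS
"""

REQ_ID = re.compile(r"\((\d{8})\)")                       # e.g. (00000007)
SERVER = re.compile(r"TPLUS: Using server (\S+)")          # no request id on this line
TIMEOUT = re.compile(r"TPLUS\((\d{8})\): Select Timed out")
ENABLE_DONE = re.compile(r"AAA/AUTHEN/ENABLE\((\d{8})\): Done status (\w+)")


def summarize(debug_text):
    """Return {request_id: {server, tacacs_timed_out, enable_result}}."""
    sessions = {}
    current = None  # last request id seen; TPLUS 'Using server' lines carry none
    for line in debug_text.splitlines():
        m = REQ_ID.search(line)
        if m:
            current = m.group(1)
            sessions.setdefault(current, {"server": None,
                                          "tacacs_timed_out": False,
                                          "enable_result": None})
        m = SERVER.search(line)
        if m and current:
            sessions[current]["server"] = m.group(1)
        m = TIMEOUT.search(line)
        if m:
            sessions[m.group(1)]["tacacs_timed_out"] = True
        m = ENABLE_DONE.search(line)
        if m:
            # GET_PASSWORD is intermediate; the last status (PASS/FAIL) wins.
            sessions[m.group(1)]["enable_result"] = m.group(2)
    return sessions


def fallback_logins(sessions):
    """Request ids where TACACS+ got no answer and the enable password let the user in."""
    return sorted(rid for rid, s in sessions.items()
                  if s["tacacs_timed_out"] and s["enable_result"] == "PASS")


if __name__ == "__main__":
    result = summarize(DEBUG)
    for rid in fallback_logins(result):
        s = result[rid]
        print(f"request {rid}: server {s['server']} timed out, "
              f"login passed on enable password")
```

In production the same check belongs on the syslog side (`aaa accounting` plus `logging`), where a burst of such events means either the server path is broken or someone is deliberately starving the TACACS+ server to reach the fallback password.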
04-30-2009 01:29 PM
Richard
Could you post the route-map nonat and any access list that it references? And if the address of the loopback is in any of those, could you point it out?
HTH
Rick
05-01-2009 08:24 AM
I changed the TACACS source to FastEthernet0 just for testing. Here are the ACL and the route-map nonat:
access-list 120 permit ip 201.0.98.0 0.0.0.255 200.0.1.0 0.0.0.255
access-list 120 permit ip 201.0.98.0 0.0.0.255 200.0.2.0 0.0.0.255
access-list 120 permit ip 201.0.98.0 0.0.0.255 200.0.16.0 0.0.0.255
access-list 120 permit ip 201.0.98.0 0.0.0.255 201.0.0.0 0.0.0.255
access-list 120 permit ip 201.0.98.0 0.0.0.255 201.0.99.0 0.0.0.255
access-list 130 deny ip 201.0.98.0 0.0.0.255 200.0.1.0 0.0.0.255
access-list 130 deny ip 201.0.98.0 0.0.0.255 200.0.2.0 0.0.0.255
access-list 130 deny ip 201.0.98.0 0.0.0.255 200.0.16.0 0.0.0.255
access-list 130 deny ip 201.0.98.0 0.0.0.255 201.0.0.0 0.0.0.255
access-list 130 deny ip 201.0.98.0 0.0.0.255 201.0.99.0 0.0.0.255
access-list 130 permit ip 201.0.98.0 0.0.0.255 any
no cdp run
!
route-map nonat permit 10
match ip address 130
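The question Rick is asking is mechanical: does the source address the router uses for TACACS+ fall under a `deny` line of ACL 130 (exempt from translation) or under the final `permit ... any` (translated, so the server sees a different source IP than the one its client entry and shared key are bound to)? The following is an added example, not part of the thread or of Cisco IOS: a Python evaluator for wildcard-mask ACLs that answers that for any source/destination pair. It copies ACL 130 from the post; the assumption that route-map nonat is the match clause of an `ip nat inside source route-map ...` statement (so ACL `permit` means translated, `deny` means exempt) is not shown on the page, and the 10.0.0.1 loopback address is constructed, since the thread's Loopback0 is unassigned.

```python
"""Evaluate a Cisco IOS numbered ACL (wildcard masks) against a flow.

Added example for the thread above. ACL 130 is copied from the post; the NAT
semantics of route-map nonat and the sample loopback address are assumptions.
"""
import ipaddress

# ACL 130 exactly as posted in the thread.
ACL_130 = """
access-list 130 deny ip 201.0.98.0 0.0.0.255 200.0.1.0 0.0.0.255
access-list 130 deny ip 201.0.98.0 0.0.0.255 200.0.2.0 0.0.0.255
access-list 130 deny ip 201.0.98.0 0.0.0.255 200.0.16.0 0.0.0.255
access-list 130 deny ip 201.0.98.0 0.0.0.255 201.0.0.0 0.0.0.255
access-list 130 deny ip 201.0.98.0 0.0.0.255 201.0.99.0 0.0.0.255
access-list 130 permit ip 201.0.98.0 0.0.0.255 any
"""

TACACS_SERVER = "201.0.99.97"  # the address the TPLUS debug shows the router using
ALL_ONES = 0xFFFFFFFF


def _parse_addr(tokens):
    """Consume one IOS address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return (0, ALL_ONES), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    base = int(ipaddress.IPv4Address(tokens[0]))
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    return (base, wildcard), tokens[2:]


def parse_acl(text):
    """Return [(action, protocol, src_spec, dst_spec)] in configured order."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "access-list":
            continue
        action, proto = parts[2], parts[3]
        src, rest = _parse_addr(parts[4:])
        dst, _ = _parse_addr(rest)
        entries.append((action, proto, src, dst))
    return entries


def _matches(spec, ip):
    """Wildcard-mask compare: a 1 bit in the wildcard means 'do not care'."""
    base, wildcard = spec
    care = ~wildcard & ALL_ONES
    return (int(ipaddress.IPv4Address(ip)) & care) == (base & care)


def acl_action(entries, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, _proto, src_spec, dst_spec in entries:
        if _matches(src_spec, src) and _matches(dst_spec, dst):
            return action
    return "deny"


def natted_by_route_map(acl_text, src, dst):
    """True if the flow would be translated.

    Assumption (not shown in the thread): route-map nonat is referenced by an
    'ip nat inside source route-map nonat ...' statement, so a flow the ACL
    permits is translated and a flow it denies (explicitly or implicitly) is not.
    """
    return acl_action(parse_acl(acl_text), src, dst) == "permit"


def report(src, dst=TACACS_SERVER):
    action = acl_action(parse_acl(ACL_130), src, dst)
    verdict = "NATed" if natted_by_route_map(ACL_130, src, dst) else "exempt from NAT"
    return f"{src} -> {dst}: {action} by ACL 130, {verdict}"


if __name__ == "__main__":
    print(report("201.0.98.1"))                   # FastEthernet0 from 'show ip int brief'
    print(report("10.0.0.1"))                     # constructed loopback address
    print(report("201.0.98.1", "198.51.100.10"))  # inside host to an unlisted destination
```

Run it with the real Loopback0 address once it is assigned; if the source lands on the `permit ... any` line, the TACACS+ packets arrive at the ACS box from the translated address and will be dropped or fail the shared-secret check, which shows up on the router exactly as the "Select Timed out" in the debug.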
05-02-2009 07:30 AM
Richard
We need at least one more set of information to sort out the potential NAT issue. Can you post the output of show ip interface brief?
This post indicates that you changed the tacacs source to fastethernet0. Did you change the tacacs configuration to use that IP address? And does tacacs work with this address configured?
HTH
Rick
05-04-2009 07:34 AM
Here is the output you wanted:
Nacogdoches#sh ip int brief
Interface        IP-Address       OK? Method Status   Protocol
Ethernet0        207.16.131.100   YES NVRAM  up       up
Ethernet1        unassigned       YES NVRAM  up       down
FastEthernet0    201.0.98.1       YES NVRAM  up       up
Loopback0        unassigned       YES NVRAM  up       up
I changed the source interface to fast0 to see if it made a difference; it does not seem to change anything. I can still run:
ping 12.116.125.178 and get 5/5
05-04-2009 08:09 AM
Richard
Several of your posts have described using loopback0 as the source. But the output in this post shows that loopback0 has no IP address. What is going on?
And what does ping 12.116.125.178 have to do with access to your TACACS server?
HTH
Rick
05-04-2009 10:43 AM
That's correct, I'm sorry for the confusion; I started out using Loopback0 as the TACACS source. I changed it to FastEthernet0 to test with. I'll be changing the source back to Loopback0 before I deploy the router.
12.116.125.178 is my TACACS server. Again, I didn't provide the needed detail; sorry about that.
05-04-2009 11:20 AM
Richard
If your tacacs server is 12.116.125.178 then why does the debug output from several of your posts consistently indicate that the server is at a different address:
02:11:04: TPLUS: Using server 201.0.99.97
HTH
Rick
05-04-2009 12:41 PM
12.116.125.178 is my host router; the IP of the ACS box is the 201.0.99.97 address. 201.0.99.97 is a network address, not a real-world IP. The real-world IP of the ACS server is 207.16.131.97.
I have changed the source interface back to Loopback0, and migrated the address information over as well.
05-08-2009 11:40 AM
Well, I stuck RADIUS in place of TACACS and it works like a champ... mostly.