Showing results for 
Search instead for 
Did you mean: 

AAA TACACS Authentication issue with ACS and Switch


Hi All,

Facing  one  issue  for the new switch  installed and trying to authenticated vty access through acs version.


On switch configuration below

debug logs says this and i could see that there is no response coming from acs server and seems acs is having some issue.let me know if you see any issue on the switch side configuration. same configuration ,same model and IOS  for other switch is working fine .switch rebooted and aaa new model was reconfigured already.appreciate inputs about if anybody faced the similar issue .I am suspecting issue on the acs side and thought to reboot it however need to know if anybody exp. this kind of behavior earlier.

The things is ACS is still showing aaa unknown client although configured in the device and aaa client in network device group!

Pls find more details below of switch and acs logs. PS:no issues with port 49 to telnet from switch and readability with source interface basics checks are already done .


on switch:

#show tacacs

Tacacs+ Server -  public  :
            Server address: 128.1.X>X
               Server port: 49
              Socket opens:         30
             Socket closes:         30
             Socket aborts:          0
             Socket errors:          0
           Socket Timeouts:          0
   Failed Connect Attempts:          0
        Total Packets Sent:         30
        Total Packets Recv:          0



SW1#test aaa group tacacs+ test test123  legacy
Attempting authentication test to server-group tacacs+ using tacacs+
No authoritative response from any server.


TAC+: send AUTHEN/START packet ver=192 id=1940690190
TAC+: Using default tacacs server-group "tacacs+" list.
 TAC+: Opening TCP/IP to timeout=10
TAC+: Opened TCP/IP handle 0x42E38AC to using source
TAC+: periodic timer started
TAC+: req=4566BEC Qd id=1940690190 ver=192 handle=0x42E38AC expire=10 AUTHEN/START/LOGIN/ASCII queued
 TAC+: (1940690190) AUTHEN/START/LOGIN/ASCII queued
 TAC+: id=1940690190 wrote 26 of 26 bytes
 TAC+: req=4566BEC Qd id=1940690190 ver=192 handle=0x42E38AC expire=9 AUTHEN/START/LOGIN/ASCII sent
TAC+: req=4566BEC Tx id=1940690190 ver=192 handle=0x42E38AC expire=9 AUTHEN/START/LOGIN/ASCII processed
TAC+: (1940690190) AUTHEN/START/LOGIN/ASCII processed
TAC+: periodic timer stopped (queue empty)
TAC+: received bad AUTHEN packet: type = 0, expected 1
TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys). -----keys are OK on both the side
TAC+: Closing TCP/IP 0x42E38AC connection to
TAC+: Using default tacacs server-group "tacacs+" list.

%TAC+: no address for get_server


ON ACS auth. logs below (PS: there is no NAT device in between however acs is recognizing the client IP somehow!) ALSO location,identity group etc has been checked already

A TACACS+ packet was received with a source IP Address that did not match any configured Network Device or AAA Client


Related configuration for aaa on the switch is below


username test  privilege 15  password xxxx

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local

interface Vlan200
 ip address
ip default-gateway
ip http server
ip http secure-server
ip tacacs source-interface Vlan200
tacacs-server host 128.1.x.x timeout 10

line vty 0 4
 exec-timeout 5 0

logining auth default

trasnsport input telnet



1 Reply 1


If anybody has  any thoughts on above ?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: