08-24-2010 12:05 AM - edited 03-10-2019 05:21 PM
Hi all,
I am trying to do a simple switch TACACS+ authentication via the ACS Express.
ACS Express - 5.0
IP address (172.16.4.10)
Core Switch - Catalyst 4948
vlan 1 (192.100.100.1)
vlan 10 (172.16.4.1)
Access Switch - Catalyst 3560
vlan 1 (192.100.100.2)
Problem statement:
On ACS Express:
- Core switch device is being created using the IP 192.100.100.1
- Access switch device is being created using the IP 192.100.100.2
Unfortunately I am unable to authenticate. It shows "authentication failed" when I try to log in to both core & access switches.
- Tried to change the core switch device IP to 172.16.4.1; it seems to work when I telnet to both 172.16.4.1 & 192.100.100.1
*suspect*
- ACS Express seems to ONLY understand devices that belong to its own subnet, i.e. the 172.16.4.0/24 network.
- IP routing has been enabled on the core switch and both the 192 & 172 networks are pingable
Below is the TACACS config on both core & access switch
aaa new-model
!
! login and enable both try TACACS+ first, then fall back to local / none
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ none
aaa accounting exec default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting system default start-stop group tacacs+
!
! TACACS+ server (ACS Express) and shared key
tacacs-server host 172.16.4.10
tacacs-server directed-request
tacacs-server key 1234567
Did I miss out any major config?
It seems foolproof to me, but I can't understand why it is not accessible via the different subnet 192.100.100.x IP.
Please advise.
Jocelyn
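Added illustration (not from the post, Cisco or ACS): a small Python model of why registering the core switch as 192.100.100.1 fails while 172.16.4.1 works. It assumes standard IOS and ACS behaviour: the switch sources TACACS+ packets from the interface the packet leaves through unless `ip tacacs source-interface` is configured, and ACS identifies the AAA client (and its key) by that source address. The `ip tacacs source-interface` knob and the default-route assumption in the last branch are not taken from the thread.

```python
import ipaddress

# Constructed model of the thread's topology; the addresses are the ones
# in the post, the lookup logic is an added illustration, not ACS code.
CORE_SWITCH = {
    "Vlan1": ipaddress.ip_interface("192.100.100.1/24"),
    "Vlan10": ipaddress.ip_interface("172.16.4.1/24"),
}
ACCESS_SWITCH = {
    "Vlan1": ipaddress.ip_interface("192.100.100.2/24"),
}
ACS_SERVER = ipaddress.ip_address("172.16.4.10")


def tacacs_source_ip(interfaces, server, source_interface=None):
    """Address a switch stamps on TACACS+ packets sent to `server`.

    By default IOS sources the packet from the interface it leaves through,
    picked here by longest-prefix match over the connected networks.  With
    `ip tacacs source-interface <name>` configured, that interface's address
    is used instead, regardless of the egress path.
    """
    if source_interface is not None:
        return interfaces[source_interface].ip
    connected = [i for i in interfaces.values() if server in i.network]
    if connected:
        return max(connected, key=lambda i: i.network.prefixlen).ip
    # Not directly connected: assumed to leave via a default route out the
    # first interface, so the packet carries that interface's address.
    return next(iter(interfaces.values())).ip


def acs_client_lookup(registered_devices, src_ip):
    """ACS finds the AAA client (and its shared key) by packet source IP.

    Returns the key when the source matches a registered device, else None;
    an unknown client is rejected even if the key it used is correct.
    """
    return registered_devices.get(src_ip)


REGISTERED = {  # devices as created on ACS Express in the post
    ipaddress.ip_address("192.100.100.1"): "1234567",
    ipaddress.ip_address("192.100.100.2"): "1234567",
}
```

Run `tacacs_source_ip(CORE_SWITCH, ACS_SERVER)` with and without `source_interface="Vlan1"` and feed the result to `acs_client_lookup` to see the lookup fail for 172.16.4.1 and succeed for 192.100.100.1.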
08-24-2010 12:59 AM
Can you ping your ACS from the core device when the IPs are still as they were initially? If you can't, then...
I suppose your ACS is connected to your access switch:
My configs would be:
ACS Express - 5.0
IP address (172.16.4.10) connected to fa0/1 on access switch
Access Switch - Catalyst 3560
interface vlan 11 (192.100.100.2)
interface fa0/1 : switchport access vlan 10
switchport mode access
interface fa0/23 : switchport mode trunk
switchport trunk encapsulation dot1q
interface vlan 10 : 172.16.4.11
Core Switch - Catalyst 4948
interface vlan 11 (192.100.100.1)
interface vlan 10 (172.16.4.1)
interface fa0/23 : switchport mode trunk
switchport trunk encapsulation dot1q
router rip
version 2
no auto-summary
! RIP network statements take the classful network, not an interface name
network 192.100.100.0
network 172.16.0.0
NOTE: I decided not to use vlan 1 so that all unknown traffic still flows through vlan 1.
I hope this helps.