does tacacs+ support auth-proxy on acs 5.0 and later?

Xigang Zheng
Level 1

The NAS is a 2801 with IOS 15.1, and the ACS is 5.3. I want to deploy auth-proxy using the TACACS+ protocol, but it did not work. Using RADIUS is OK.

I want to know: does TACACS+ support auth-proxy on ACS 5.0 and later?

Thanks!

Accepted Solution

Saurav Lodh
Level 7

TACACS+ Auth-Proxy is only supported after ACS 5.3 patch 5. Upgrade your ACS 5.x, or use RADIUS for Auth-Proxy.

4 Replies

Xigang Zheng
Level 1

Thanks a million. I really appreciate it.

Could you tell me what you configured on the RADIUS authorization profile and access policy to achieve auth-proxy ip?

Jatin Katyal
Cisco Employee

hn_zxgcisco,

I would like to add that ACS 5.3 and later doesn't support TACACS+ authorization, and I've recently filed a defect for this to be supported. The defect will be fixed in ACS 5.6.0.5, so don't upgrade now. Either use IOS 15.0 or RADIUS.


Here is a defect for your reference:

CSCun82456: ACS 5.x does not support TAC+ authorization Service 0x1a (Auth-Proxy ip)

Symptom:
ACS 5.x does not support TACACS+ authorization Service 0x1a (Auth-Proxy ip)

Conditions:
ACS 5.x rejects the authorization packet stating "13011 Invalid TACACS+ request packet - possibly mismatched Shared Secrets".

Authorizing Auth-Proxy on IOS 15.1 or above using TACACS+ to ACS 5.x

Workaround:
Configure Auth-Proxy to use the RADIUS protocol.

Further Problem Description:

NOTE: The only thing that is supported by ACS 5.3 patch 5 is authentication, and authentication alone would not solve the purpose.

Reason why authorization is not supported with IOS 15.1 and later:
IOS changed the authorization service used for Auth-Proxy in IOS 15.x from 0x1 (auth-proxy) to 0x1a (auth-proxy ip). IOS 15.0 sets the service as 0x01 and 15.1(4)M7 sets the service as 0x1a. Per captures, ACS does not know what service 26 is and drops the request with the error message listed below: "13011 Invalid TACACS+ request packet - possibly mismatched Shared Secrets".
Auth-Proxy using TACACS+ now fails the authorization packet against ACS 5.x because 0x1a is not a supported service. Until this fix is resolved, the 0x1a Auth-Proxy service is supported only in the authentication flow in ACS 5.x, and this was addressed in CSCtx12249.


Regards,

Jatin Katyal

**Do rate helpful posts**

~Jatin
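The defect above turns on one byte of the TACACS+ authorization REQUEST: the authen_service field that IOS 15.0 sets to 0x01 and IOS 15.1 sets to 0x1a, which ACS 5.x reports as a shared-secret mismatch. This added decoder (example code, not from the thread or from Cisco) de-obfuscates a captured REQUEST body with the shared secret per RFC 8907 and reads that byte, so a mis-typed secret (body fails to decode) can be told apart from the unsupported 0x1a service (body decodes fine). The packet builder, secret, username and args are constructed for the example; the service-name table combines RFC 8907 values with the 0x1a value this thread describes.

```python
import hashlib
import struct
from itertools import accumulate

TAC_PLUS_AUTHOR = 0x02  # header "type" of an authorization packet
# authen_service codes from RFC 8907 plus the 0x1a value this thread describes
SERVICE_NAMES = {0x00: "none", 0x01: "login", 0x02: "enable", 0x03: "ppp",
                 0x1a: "auth-proxy ip (IOS 15.1+)"}

def pseudo_pad(session_id, key, version, seq_no, length):
    """Body obfuscation pad (RFC 8907 section 4.5): chained MD5 over session_id, key, version, seq_no."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]

def build_author_request(session_id, key, service, user, args, seq_no=1, version=0xC0, flags=0):
    """Constructed sample (not a real capture): one authorization REQUEST; obfuscated unless flags bit 0 is set."""
    arg_b = [a.encode() for a in args]
    # authen_method 6 (TACACS+), priv_lvl 15, authen_type 1 (ASCII), then service and the length fields
    body = bytes([6, 15, 1, service, len(user), 0, 0, len(arg_b)]) + bytes(len(a) for a in arg_b)
    body += user.encode() + b"".join(arg_b)  # port and rem_addr left empty
    if not flags & 0x01:
        body = bytes(b ^ p for b, p in zip(body, pseudo_pad(session_id, key, version, seq_no, len(body))))
    return struct.pack("!BBBBII", version, TAC_PLUS_AUTHOR, seq_no, flags, session_id, len(body)) + body

def parse_author_request(packet, key):
    """Decode a raw authorization REQUEST into (service, name, user, args); None if the body is malformed."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    if ptype != TAC_PLUS_AUTHOR:
        raise ValueError("not an authorization packet")
    body = packet[12:12 + length]
    if not flags & 0x01:  # TAC_PLUS_UNENCRYPTED_FLAG clear: body is XORed with the pseudo-pad
        body = bytes(b ^ p for b, p in zip(body, pseudo_pad(session_id, key, version, seq_no, length)))
    if len(body) < 8:
        return None
    service, user_len, port_len, rem_len, arg_cnt = body[3:8]
    arg_lens = body[8:8 + arg_cnt]
    # A wrong shared secret decodes to random bytes, so the declared lengths will not add up to length.
    if 8 + arg_cnt + user_len + port_len + rem_len + sum(arg_lens) != length:
        return None
    off = 8 + arg_cnt
    user = body[off:off + user_len].decode(errors="replace")
    starts = accumulate(arg_lens, initial=off + user_len + port_len + rem_len)
    args = [body[s:s + n].decode(errors="replace") for s, n in zip(starts, arg_lens)]
    return service, SERVICE_NAMES.get(service, "unknown"), user, args
```

A `None` result with the secret you believe is configured points at the secret itself; a clean decode showing service 0x1a is the case the defect describes.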