04-13-2012 08:14 AM - edited 03-10-2019 07:00 PM
TACACS+ is configured on the router and the router is in ACS. I can ping the ACS, but the router cannot establish a connection to authenticate users.
aaa group server tacacs+ hq_acs-1
server 10.20.17.2
ip tacacs source-interface GigabitEthernet0/0
!
aaa authentication login default group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 10 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting nested
aaa accounting update newinfo periodic 60
aaa accounting auth-proxy default start-stop group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa accounting resource default start-stop group tacacs+
BigTree_3945#sh ip int br
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     10.4.3.1        YES NVRAM  down                  down
GigabitEthernet0/1     10.12.10.26     YES NVRAM  up                    up
Serial0/2/0            unassigned      YES NVRAM  down                  down
Serial0/2/0.602        10.12.15.10     YES NVRAM  down                  down
Apr 13 11:08:13.673: TPLUS: Queuing AAA Authentication request 79 for processing
Apr 13 11:08:13.673: TPLUS: processing authentication start request id 79
Apr 13 11:08:13.675: TPLUS: Authentication start packet created for 79(cisscdb)
Apr 13 11:08:13.675: TPLUS: Using server 10.20.17.2
Apr 13 11:08:13.675: TPLUS(0000004F)/0/NB_WAIT/1BDD9C34: Started 5 sec timeout
Apr 13 11:08:18.676: TPLUS(0000004F)/0/NB_WAIT/1BDD9C34: timed out
Apr 13 11:08:18.676: TPLUS(0000004F)/0/NB_WAIT/1BDD9C34: timed out, clean up
Apr 13 11:08:18.676: TPLUS(0000004F)/0/1BDD9C34: Processing the reply packet
Apr 13 11:08:25.834: TPLUS: Queuing AAA Authentication request 79 for processing
Apr 13 11:08:25.834: TPLUS: processing authentication start request id 79
Apr 13 11:08:25.834: TPLUS: Authentication start packet created for 79(cisscdb)
Apr 13 11:08:25.834: TPLUS: Using server 10.20.17.2
Apr 13 11:08:25.834: TPLUS(0000004F)/0/NB_WAIT/1BDD9C34: Started 5 sec timeout
Apr 13 11:08:30.836: TPLUS(0000004F)/0/NB_WAIT/1BDD9C34: timed out
Apr 13 11:08:30.836: TPLUS(0000004F)/0/NB_WAIT/1BDD9C34: timed out, clean up
Apr 13 11:08:30.836: TPLUS(0000004F)/0/1BDD9C34: Processing the reply packet
Apr 13 11:08:43.689: TAC: Using default tacacs server-group "tacacs" list.
Apr 13 11:08:43.689: TAC+: Opening TCP/IP to 10.20.17.2/49 timeout=5
Apr 13 11:08:51.057: TPLUS: Queuing AAA Authentication request 79 for processing
Apr 13 11:08:51.057: TPLUS: processing authentication start request id 79
Apr 13 11:08:51.057: TPLUS: Authentication start packet created for 79(cisscdb)
Apr 13 11:08:51.057: TPLUS: Using server 10.20.17.2
Apr 13 11:08:51.057: TPLUS(0000004F)/0/NB_WAIT/1BDD9C34: Started 5 sec timeout
Apr 13 11:08:54.692: TAC+: TCP/IP open to 10.20.17.2/49 failed -- Connection timed out; remote host not responding
Apr 13 11:08:54.692: TPLUS: Queuing AAA Accounting request 76 for processing
Apr 13 11:08:54.692: TPLUS: processing accounting request id 76
Apr 13 11:08:54.692: TPLUS: Sending AV task_id=332
Apr 13 11:08:54.692: TPLUS: Sending AV timezone=EDT
Apr 13 11:08:54.692: TPLUS: Sending AV service=shell
Apr 13 11:08:54.692: TPLUS: Sending AV start_time=1334329734
Apr 13 11:08:54.692: TPLUS: Sending AV priv-lvl=15
Apr 13 11:08:54.692: TPLUS: Sending AV cmd=show logging <cr>
Apr 13 11:08:54.692: TPLUS: Accounting request created for 76(n20j03t)
Apr 13 11:08:54.692: TPLUS: Using server 10.20.17.2
Apr 13 11:08:54.692: TPLUS(0000004C)/1/NB_WAIT/20FD90EC: Started 5 sec timeout
Apr 13 11:08:56.058: TPLUS(0000004F)/0/NB_WAIT/1BDD9C34: timed out
Apr 13 11:08:56.058: TPLUS(0000004F)/0/NB_WAIT/1BDD9C34: timed out, clean up
Apr 13 11:08:56.058: TPLUS(0000004F)/0/1BDD9C34: Processing the reply packet
Apr 13 11:08:59.693: TPLUS(0000004C)/1/NB_WAIT/20FD90EC: timed out
Apr 13 11:08:59.693: TPLUS(0000004C)/1/NB_WAIT/20FD90EC: timed out, clean up
Apr 13 11:08:59.693: TPLUS(0000004C)/1/20FD90EC: Processing the reply packet
BigTree_3945#
ACS AAA client entry for the router (fields: AAA Client IP Address, Key, Network Device Group, Authenticate Using; the values did not survive in the post).
The 10.12.10.* range is listed under the HQ site.
Your help is greatly appreciated.
04-15-2012 09:35 AM
You stated that you can ping ACS from the router, did you try sourcing the packets from the GigabitEthernet 0/0 interface (which is the one TACACS+ will try to use, given the configuration that you posted)?
What does the network path between the router and ACS look like (i.e., any firewalls, NAT, etc.)?
Can you connect to port 49 at the ACS IP address from the router, sourcing the packets from GigabitEthernet 0/0?
Are you using VRFs?
What version of IOS?
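The checks in this answer can be automated against the three artifacts the original post contains (the AAA config, the `show ip int brief` output and the `debug tacacs` lines). This is an added example, not code from the thread or from Cisco; the sample inputs are constructed from the thread and the `audit` function reports why the router would fall through to the `local` method.

```python
import re
# Constructed sample input modelled on the thread (not the poster's full paste).
CONFIG = """\
aaa group server tacacs+ hq_acs-1
 server 10.20.17.2
 ip tacacs source-interface GigabitEthernet0/0
!
aaa authentication login default group tacacs+ local
"""
SHOW_IP_INT_BRIEF = """\
Interface          IP-Address  OK? Method Status                Protocol
GigabitEthernet0/0 10.4.3.1    YES NVRAM  down                  down
GigabitEthernet0/1 10.12.10.26 YES NVRAM  up                    up
Serial0/2/0        unassigned  YES NVRAM  administratively down down
"""
DEBUG = """\
Apr 13 11:08:54.692: TAC+: TCP/IP open to 10.20.17.2/49 failed -- Connection timed out; remote host not responding
"""

def tacacs_source_interface(config):
    """Interface named by 'ip tacacs source-interface', or None if unset."""
    m = re.search(r"^\s*ip tacacs source-interface (\S+)", config, re.M)
    return m.group(1) if m else None

def interface_state(brief):
    """Map interface -> (ip, status, protocol); status may be two words."""
    state = {}
    for line in brief.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) >= 6:  # 'administratively down' spans two fields
            state[parts[0]] = (parts[1], " ".join(parts[4:-1]), parts[-1])
    return state

def failed_opens(debug):
    """(server, port) pairs for every TCP open failure in 'debug tacacs'."""
    return re.findall(r"TCP/IP open to (\S+)/(\d+) failed", debug)

def audit(config, brief, debug):
    """Findings that explain why TACACS+ is failing over to the 'local' method."""
    findings = []
    src = tacacs_source_interface(config)
    state = interface_state(brief)
    if src and src not in state:
        findings.append(f"source interface {src} not present in show ip int brief")
    elif src and state[src][1:] != ("up", "up"):
        ip, status, proto = state[src]
        findings.append(f"source interface {src} ({ip}) is {status}/{proto}: TACACS+ cannot open TCP/49 from a down interface")
    for server, port in failed_opens(debug):
        findings.append(f"TCP open to {server}:{port} failed; login falls back to 'local' while the server is unreachable")
    return findings
```

Running `audit(CONFIG, SHOW_IP_INT_BRIEF, DEBUG)` on the constructed input reports both the down source interface and the failed TCP open, which is exactly the condition under which `aaa authentication login default group tacacs+ local` silently authenticates against the local database.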
04-16-2012 05:38 AM
It was the source interface. I changed it to one that was up and it works now. Not sure why that is; I deployed another router to a different with the same config and it works with the interface in a down state.