04-01-2003 11:21 AM - edited 03-10-2019 07:14 AM
TACACS authentication doesn't work after passing through a GRE tunnel with a crypto map.
04-01-2003 04:45 PM
We need more information than that, please, if we're going to help you.
What version of router code is on both sides? Can you ping the TACACS server over the tunnel with packets of all different sizes (up to and including 1500 bytes)? What does the log on the ACS server say, anything in Failed Attempts or Passed Authentications? Are you sure you're sourcing the TACACS packets from the same interface as the IP address you have entered as the NAS on the ACS server (check for Unknown NAS errors in the Failed Attempts log)?
04-02-2003 08:24 AM
OK - here is some more info:
Router versions: local 12.2(6b), remote 12.2(5d)
Ping sweep from min to max size: OK
ACS message: "Unknown NAS"
Source address in the ACS device config: serial interface of the remote router
"debug aaa" on the remote router shows a TAC+ send authen/start,
then it has status "error", then drops to line authentication.
Thanks...
04-02-2003 05:20 PM
OK, thanks.
If you're getting Unknown NAS in ACS, then the TACACS packet is being sourced with a different router address than what you entered in ACS for that NAS. You should be able to see what address the router is using by looking at the Unknown NAS error message. You can then either add that address as the NAS address in ACS, or use the "ip tacacs source-interface ..." command to specify what address the router uses.
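As an added example (not configuration from this thread), here is what the spoke-router side of the fix described above looks like. The addresses, interface names and the shared key are assumptions: Serial0/0 carries the address that was entered as the NAS IP in ACS, Tunnel0 is the GRE tunnel protected by the crypto map, and the ACS server sits behind the hub and is reached through the tunnel.

```cisco
! Added example, not the original poster's configuration. Assumed values:
!   Serial0/0   192.0.2.2/30   - the address entered as the NAS IP in ACS
!   Tunnel0     10.0.0.2/30    - GRE tunnel to the hub, covered by the crypto map
!   ACS server  10.10.10.5     - reachable only through Tunnel0
!   TacacsSecret               - hypothetical shared key
!
! Without "ip tacacs source-interface", IOS sources the TACACS+ request from
! the interface the packet leaves on (Tunnel0, 10.0.0.2). ACS has no NAS entry
! for 10.0.0.2, so it logs "Unknown NAS" under Failed Attempts, the router sees
! status "error" in "debug aaa", and login falls back to the next method (line).
aaa new-model
aaa authentication login default group tacacs+ line
!
tacacs-server host 10.10.10.5 key TacacsSecret
! Source every TACACS+ packet from the address ACS already knows as the NAS
ip tacacs source-interface Serial0/0
!
interface Serial0/0
 ip address 192.0.2.2 255.255.255.252
!
interface Tunnel0
 ip address 10.0.0.2 255.255.255.252
 tunnel source Serial0/0
 tunnel destination 192.0.2.1
!
! Verification from exec mode (user/password are placeholders):
!   show running-config | include tacacs
!   debug tacacs
!   test aaa group tacacs+ testuser testpass legacy
! With the source-interface set, ACS should log the attempt under Passed
! Authentications (or Failed Attempts with a reason other than Unknown NAS).
```

Two checks worth making before relying on this: the ACS must have a return route for 192.0.2.2 that goes back over the tunnel, and if the crypto map's access list selects traffic by address rather than by the GRE endpoints, the chosen source address must be covered by it, otherwise the reply is dropped or leaves the hub unencrypted. The alternative mentioned in the reply, adding the tunnel address as a second NAS entry in ACS, avoids the routing question but leaves two NAS entries to keep in sync.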
04-03-2003 08:15 AM
The "ip tacacs source-interface" resolved the issue...
04-23-2008 06:28 PM
I had a similar problem where the router was on the end of a GRE tunnel and could ping the ACS (tacacs) server but could not use it for authentication. The "ip tacacs source-interface" command resolved my problem.
Cheers,
Ben.
04-27-2008 12:11 PM
Hello All, [Please rate if this helps]
In addition,
Normally, in the crypto configuration, the crypto sessions will be formed with some private loopback available in the configuration.
Since the TACACS server will be in the same domain, the "ip tacacs source-interface" command solved your problem.
The crypto-originating local interface at the spoke location should normally be used as the TACACS source interface in a general scenario.
Hope this is informative.
Please rate if this helps.
Best Regards,
Guru Prasad R