TACACS Authentication Stopped Working

jordan.white
Level 1

We have a Catalyst 3750 switch that failed over to local login after the TACACS authentication stopped working. I went through the configuration settings and everything appears to be identical to another switch in this same building. Any suggestions on how I can get TACACS working again?

4 Replies

Waris Hussain
Cisco Employee

Hi,

Is the TACACS server Cisco ACS (if yes, what is the version)?

Can you ping the TACACS server?

Can you check that the preshared keys are the same?

Can you run debug tacacs authentication and see anything?

Thanks

Waris Hussain

The TACACS server is working fine. We have 50-60 other switches at our facility and all of them are working except for the 1. I do not have access to the TACACS server, however I can log into the switch. Is there anything on the switch side that I can check?

Hi,

The only thing you can check is that the pre-shared key on this switch is the same as the one defined in TACACS. Also, you can turn on debug tacacs authentication and try to log in with a TACACS account; it will show you whether the switch is getting a reject from the TACACS server or is timing out.

Thanks

Waris Hussain

I agree with Waris.

You can try the following:

- Check on ACS if you have an entry (IP address) for this switch, and retype a new key.

- Verify that the switch is pointing to the right ACS IP address, and reconfigure the new key.

- From the switch, try to telnet to ACS on port 49. You should be able to connect. This will confirm that you have reachability and that the port is not blocked.

- Enable "debug tacacs" and use "test aaa" command to send a request. Post here the debug logs and the configuration you have right now.

Hope this helps

Marco