TACACS+ Issue : Please help

abhisar patil
Level 1

Dear All,

This is regarding TACACS+. I have configured TACACS+ on a Cisco switch, but it is taking the local username and password for authentication.

The configuration below works fine on another switch with the TACACS+ username and password, but not on this switch.

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login no_login local
aaa accounting send stop-record authentication failure
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa session-id common
tacacs-server host 10.0.2.193 key 7 110A101614425A5E57
tacacs-server directed-request
username admin privilege 15 password ****
line vty 0 4
 transport input ssh telnet
 login authentication default

Also, this switch is configured for inter-VLAN routing with the following configuration, and I have added the 10.0.6.1 IP address in Cisco ACS.

interface Vlan5
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan20
 ip address 10.0.2.1 255.255.255.0
 ip helper-address 10.0.0.7
!
interface Vlan60
 ip address 10.0.6.1 255.255.255.0

REFLXIS_PUNCORE#show tacacs

Tacacs+ Server            : 10.0.2.193/49
              Socket opens:         33
             Socket closes:         33
             Socket aborts:          0
             Socket errors:          0
           Socket Timeouts:          0
   Failed Connect Attempts:          0
        Total Packets Sent:         33
        Total Packets Recv:          0

So please help on the same.

Accepted Solutions

mavespig
Level 3

Hello Abhisar,

The server IP address 10.0.2.193 is reachable via Vlan 20.

Therefore, the switch will try to establish the connection with the server using Vlan20's IP address, 10.0.2.1.

You can fix this in two ways:

1. Change the configuration on the TACACS server to have an entry with 10.0.2.1 instead of 10.0.6.1.

or

2. Change the configuration on the switch, adding "ip tacacs-server source-interface vlan 60"

Please rate the post if helpful

Marco
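
Added example, not part of the original thread: a small Python check of the mismatch described in the accepted answer, comparing the source address the switch will present with the client entry registered on the AAA server. It assumes the TACACS+ server sits on a directly connected subnet (as 10.0.2.193 does here) and reads only the addressing lines of the posted configuration; the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: the addressing lines from the switch configuration in the
# question (key omitted). REGISTERED is the client entry added in Cisco ACS.
CONFIG = """\
tacacs-server host 10.0.2.193
interface Vlan5
 ip address 10.0.0.1 255.255.255.0
interface Vlan20
 ip address 10.0.2.1 255.255.255.0
interface Vlan60
 ip address 10.0.6.1 255.255.255.0
"""
REGISTERED = "10.0.6.1"

def parse_interfaces(config):
    """Return {interface name, lowercased: IPv4Interface} from IOS-style config."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"interface\s+(\S+)", line):
            current = m.group(1).lower()
        elif (m := re.match(r"\s*ip address (\S+) (\S+)", line)) and current:
            interfaces[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return interfaces

def tacacs_source_ip(config):
    """Source address the switch will present to the TACACS+ server, or None."""
    interfaces = parse_interfaces(config)
    # Accepts the command as quoted in the answer and "ip tacacs source-interface".
    pinned = re.search(r"^ip tacacs(?:-server)? source-interface\s+(.+)$", config, re.M)
    if pinned:  # an explicit source interface overrides the egress interface
        iface = interfaces.get(re.sub(r"\s+", "", pinned.group(1)).lower())
        return iface.ip if iface else None
    server = ipaddress.ip_address(
        re.search(r"^tacacs-server host (\S+)", config, re.M).group(1))
    for iface in interfaces.values():  # assumption: server is directly connected
        if server in iface.network:
            return iface.ip
    return None  # routed server: the egress interface depends on the routing table

def client_entry_matches(config, registered_client):
    """True when the source address equals the client IP registered on the server."""
    return tacacs_source_ip(config) == ipaddress.ip_address(registered_client)

if __name__ == "__main__":
    print(tacacs_source_ip(CONFIG), client_entry_matches(CONFIG, REGISTERED))
    fixed = CONFIG + "ip tacacs-server source-interface vlan 60\n"
    print(tacacs_source_ip(fixed), client_entry_matches(fixed, REGISTERED))
```

A mismatch here lines up with the `show tacacs` counters in the question (33 packets sent, 0 received) and with the fall-through to the `local` method in the login method list.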

Thanks, Marco, for your help.

It's working now. :-) I am also satisfied with your justification.

Abhisar.