08-12-2011 12:03 AM - edited 03-10-2019 06:18 PM
Dear All,
This is regarding TACACS+. I have configured TACACS+ on a Cisco switch, but it is taking the local username and password for authentication.
With the below configuration on another switch, it is working fine with the TACACS+ username and password, but not with this switch.
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login no_login local
aaa accounting send stop-record authentication failure
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa session-id common
tacacs-server host 10.0.2.193 key 7 110A101614425A5E57
tacacs-server directed-request
username admin privilege 15 password ****
line vty 0 4
 transport input ssh telnet
 login authentication default
Also, this switch is configured for inter-VLAN routing with the following configuration, and I have added the 10.0.6.1 IP address in Cisco ACS.
interface Vlan5
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan20
 ip address 10.0.2.1 255.255.255.0
 ip helper-address 10.0.0.7
!
interface Vlan60
 ip address 10.0.6.1 255.255.255.0
REFLXIS_PUNCORE#show tacacs
Tacacs+ Server : 10.0.2.193/49
Socket opens: 33
Socket closes: 33
Socket aborts: 0
Socket errors: 0
Socket Timeouts: 0
Failed Connect Attempts: 0
Total Packets Sent: 33
Total Packets Recv: 0
So please help on the same.
08-12-2011 04:49 AM
Hello Abhisar,
The server IP address 10.0.2.193 is reachable via Vlan 20.
Therefore, the switch will try to establish the connection with the server using Vlan20's IP address, 10.0.2.1.
You can fix this in two ways:
1. Change the configuration on the TACACS server to have an entry with 10.0.2.1 instead of 10.0.6.1.
or
2. Change the configuration on the switch, adding "ip tacacs-server source-interface vlan 60"
Please rate the post if helpful
Marco
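The mismatch described in the answer above can be checked offline by comparing the address the switch will source its TACACS+ packets from with the client address registered on the server. The Python below is an added example, not part of the thread; its function names are hypothetical, the sample config is constructed from the question's lines with the key replaced by a placeholder, and it assumes the server sits on a directly connected subnet and that any pinned source interface is passed in as a parameter.

```python
import ipaddress
import re

# Constructed sample: the relevant lines of the switch configuration from the
# question (the key is replaced by a placeholder).
SAMPLE_CONFIG = """\
tacacs-server host 10.0.2.193 key 7 <key>
interface Vlan5
 ip address 10.0.0.1 255.255.255.0
interface Vlan20
 ip address 10.0.2.1 255.255.255.0
interface Vlan60
 ip address 10.0.6.1 255.255.255.0
"""

def parse_interfaces(config):
    """Map interface name -> IPv4Interface for each 'ip address' line."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            current = m.group(1)
        elif current and (m := re.match(r"\s*ip address (\S+) (\S+)", line)):
            interfaces[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return interfaces

def expected_source(config, server, source_interface=None):
    """Address the server will see: the pinned interface if one is given,
    otherwise the connected interface whose subnet contains the server."""
    interfaces = parse_interfaces(config)
    if source_interface:
        return interfaces[source_interface].ip
    facing = [i for i in interfaces.values() if server in i.network]
    if not facing:
        return None  # not directly connected: the routing table decides
    return max(facing, key=lambda i: i.network.prefixlen).ip

def audit(config, registered_clients, source_interface=None):
    """Return (server, source, registered) per configured TACACS+ server."""
    allowed = {ipaddress.ip_address(c) for c in registered_clients}
    results = []
    for host in re.findall(r"^tacacs-server host (\S+)", config, re.M):
        server = ipaddress.ip_address(host)
        source = expected_source(config, server, source_interface)
        results.append((str(server), str(source), source in allowed))
    return results

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, ["10.0.6.1"]))            # as in the question
    print(audit(SAMPLE_CONFIG, ["10.0.6.1"], "Vlan60"))  # with the source pinned
```

A `False` in the third field corresponds to the symptom in the `show tacacs` output above: packets are sent, none are received, and the login falls through to the `local` method.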
08-12-2011 05:13 AM
Thanks Marco for your help..
It's working now..:-) and also satisfied with your justification.
Abhisar.