
Tacacs not working on C2960 running c2960-lanbasek9-mz.122-52.SE.bin


I have several 2960's running 12.2(5x)SE. I have tacacs configured exactly the same way and yet on a few, I can't get it to work. I feel that the switch is simply not sending out tacacs traffic. Here is some output for your digestion:

AAAAAA#sh run | i aaa
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default none
aaa authorization exec default group tacacs+ if-authenticated 
aaa authorization commands 15 default local group tacacs+ 
aaa authorization network default local group tacacs+ 
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common

AAAAAA#sh run | i tacacs-
tacacs-server host x.191.0.130 key 7 XXXXXXXXXXXXXXXX
tacacs-server directed-request


CALGSISWDR01#sh tacacs

Tacacs+ Server            : x.191.0.130/49
              Socket opens:         49
             Socket closes:         49
             Socket aborts:          0
             Socket errors:          0
           Socket Timeouts:          0
   Failed Connect Attempts:          0
        Total Packets Sent:          0
        Total Packets Recv:          0


I have heard of there having been bugs on other code versions but not this one. Has anyone come across this issue and any workarounds?

Any quick response will be appreciated.
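Added example, not part of the original post or any reply: a Python sketch that parses captured `sh tacacs` output from several switches and flags the ones whose counters look like the output above, which can be collected without enabling debug. The sample text, the address 192.0.2.130, the function names and the triage rules are assumptions made for illustration; the rules only point at the checklist items given in the replies.

```python
import re

# Constructed sample shaped like the `sh tacacs` output in the question;
# 192.0.2.130 is a documentation address, not the poster's server.
SAMPLE = """\
Tacacs+ Server            : 192.0.2.130/49
              Socket opens:         49
             Socket closes:         49
             Socket aborts:          0
             Socket errors:          0
           Socket Timeouts:          0
   Failed Connect Attempts:          0
        Total Packets Sent:          0
        Total Packets Recv:          0
"""

SERVER_RE = re.compile(r"^\s*Tacacs\+ Server\s*:\s*(\S+)", re.IGNORECASE)
COUNTER_RE = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(\d+)\s*$")

def parse_show_tacacs(text):
    """Return {server: {lower-cased counter name: int}}, one entry per server block."""
    servers, current = {}, None
    for line in text.splitlines():
        if m := SERVER_RE.match(line):
            current = servers.setdefault(m.group(1), {})
        elif (m := COUNTER_RE.match(line)) and current is not None:
            current[m.group(1).lower()] = int(m.group(2))
    return servers

def triage(c):
    """Point at the replies' checklist items. These rules are assumptions, not Cisco guidance."""
    out = []
    if c.get("failed connect attempts", 0) or c.get("socket timeouts", 0):
        out.append("connects failing or timing out: check firewall on port 49 and the L3/L4 path")
    if c.get("socket opens", 0) and c.get("total packets sent", 0) == 0:
        out.append("sockets opened but no packets counted: check source interface and server-side client entry")
    if c.get("total packets sent", 0) and c.get("total packets recv", 0) == 0:
        out.append("packets sent, none received: check the key on both ends and the server-side client entry")
    return out

def suspects(outputs):
    """outputs: {switch name: captured `sh tacacs` text}. Return only switches with findings."""
    report = {}
    for switch, text in outputs.items():
        for server, counters in parse_show_tacacs(text).items():
            if found := triage(counters):
                report[(switch, server)] = found
    return report
```

Feeding `suspects()` the output from a working switch alongside a failing one shows which counters differ between them.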






Please share:

debug aaa authentication

debug aaa authorization

debug tacacs+



Hmm, not sure about running debug commands around here. Is there another way to be trying while I see about clearance to run those commands?

Make sure,


1) Proper source interface is defined for tacacs

2) Check tacacs key on both ends

3) Check for any firewall blocking port 49.

4) Rule out any layer3/4 issues.






Do rate helpful posts

How do you configure the source interface? I don't think it is taking the command for me.

It seems your request is timing out.  Define source interface,

ip tacacs source-interface

To use the IP address of a specified interface for all outgoing TACACS+ packets, use the ip tacacs source-interface command in global configuration mode. To disable use of the specified interface IP address, use the no form of this command.

ip tacacs source-interface interface-name

no ip tacacs source-interface





Do rate helpful posts



I configured the source interface, I'm still getting 'access denied'. This is the same tacacs server working for other switches across the network.

Does the server need to be configured to accept tacacs traffic from this switch? I don't think it is configured that way for the other switches.

JG is right, your requests are timing out.

Yes, the server needs to be configured to accept tacacs+ traffic from this switch.

Especially after configuring source interface, that interface/IP should be configured on the server.

Without this all your other devices would not be working.

Unless, you have an allow all devices exception on the server.


I will check whether or not the server is configured to allow and will update.

JG, I have attached some of the output you asked for. But first off the block, I noticed this in my aaa output: rem_addr='x.191.0.25'. Now that is not my tacacs server IP address. Does that mean anything?


I implemented some of these recommendations and together with some upstream firewall changes, aaa is working perfectly.

Thank you all for your help.
