Hi Smitesh,

Thanks for reply. You can see the output about socket errors

switcho02#show tacacs

Tacacs+ Server     : 10.52.0.158/49

Socket opens:      4

Socket closes:     4

Socket aborts:     0

Socket errors:      4

Everything is fine if I try to use same test with same username and TACACS server on other switch (please see in attach)

Are you able to ping server from switch ??

Regards,

Smitesh

yes. I'm able to ping server from switch.

I find it interesting and probably significant in the original post that the error is authorization failed and not that authentication failed.

switch02#test aaa group tacacs+ btela77 Aug2011b legacy

% Authorization failed.

If the TACACS server got to authorization then it implies that it authenticated ok and then had a problem with authorization.

My first guess is that there is some config difference between the switch that does work and the switch tat does not work. Can you post the AAA configuration of both switches?

If it is not a config difference in the switches then my second guess is that there is some difference on the TACACS server about how the 2 switches are configured. Can you check the TACACS server configuration for both switches?

HTH

Rick

Hi Rick,

Thanks for your idea. I need to separate the issue between switch and server so i prove switch first. About configuration, no different after compared. I uploaded the both switches configuration please help to verify once again. BTW, can you advice me about debug command that could help to clarify more about issue. I knew about debug 3 cmds

debug aaa authentication

debug aaa authorization

debug tacacs

I have looked at the configs that you posted and I do not see any config difference that would explain this symptom.

Can you check the TACACS server and verify its configuration of both switches is the same?

The switch name in your original post is different from the switch names in either of the config files that you posted. Can you explain this difference?

Are you sure that it was exactly the same user name that you used in testing on both switches?

HTH

Rick

Yes i use the same username for testing on both switches. You can see the different output from both switches if you show tacacs. The socket error shown when i test aaa on issue switch but not see on the other switch

Hi Rick,

The output from debug shown as below

Oct 20 06:26:16.889 GMT: TAC+: decrypt: pak is unencrypted but we have a key

Oct 20 06:26:16.889 GMT: TPLUS(0000005B): Decryption failed for AAA request

Oct 20 06:26:16.889 GMT: TPLUS(0000005B)/0/5F9E820: Processing the reply packet

Oct 20 06:26:16.889 GMT: TPLUS: Received Authen status error

Oct 20 06:26:16.897 GMT: TPLUS(0000005B)/0/REQ_WAIT/5F9E820: timed out

Oct 20 06:26:22.350 GMT: TPLUS(0000005B)/0/READ: read entire 18 bytes response

Oct 20 06:26:22.350 GMT: TAC+: decrypt: pak is unencrypted but we have a key

Oct 20 06:26:22.350 GMT: TPLUS(0000005B): Decryption failed for AAA request

Oct 20 06:26:22.350 GMT: TPLUS(0000005B)/0/5AAF32C: Processing the reply packet

Oct 20 06:26:22.350 GMT: TPLUS: received authorization response for 91: FAIL

Oct 20 06:26:22.350 GMT: AAA/AUTHOR/EXEC(0000005B): Authorization FAILED

The cause of error could be share-key mismatch between switch and TACACS server?

Full debug output in attach. Thanks

Incorrect configuration on TACACS. Thanks for help

I am glad that my suggestions pointed you toward the solution. I am glad that you got it worked out. Thank you for using the rating system to mark this question as answered (and thanks for the points). It makes the forum more useful when people can read about an issue and can know that a solution was found. Your marking has contributed to this process.

HTH

Rick