02-28-2011 04:38 PM - edited 03-10-2019 05:52 PM
Hi team,
I found that TACACS should be available for network access with ACS 5.2:
CSCte16911 | ACS 5 did not support the PPP TACACS service type for authentication. |
But when I'm trying to create a rule to allow PPP authentication against the TACACS server I get an error...
As you can see - there are 36 hitcounts with the policy
And there is only one default rule at the moment:
In the logs I see only errors... username and password of course verified thoroughly:
Are there any ideas? Don't want to change all the configs for remote access devices to RADIUS.
03-16-2011 08:42 PM
Hi,
Looking at the output you provided I can see a service selection rule being matched, but not proceeding to an Identity store.
Under the identity section of the "TACACS Network Access" access service, what identity policy rules do you have configured? Which identity store do you plan to authenticate your users from?
Thanks,
Steve.
03-21-2011 04:16 AM
I am having the exact same problem utilising TACACS+ / CHAP through ACS 5.2.
Using the older version 4.2 it works without issue.
During troubleshooting the problem we discovered that if we change the router to use PAP and not CHAP the authentication works fine and passes information via the identity store. Changing it back to CHAP breaks the connection and we are unable to authorise a user, complains about being in the wrong domain.
Still do not have a solution, other than move to PAP which is obviously less secure.
It is potentially an issue with CHAP and TACACS not working properly together on ACS 5.2, all documentation discusses RADIUS / CHAP.
Look forward to any other information / assistance anyone has to offer.