Re: Authentication via TACACS issue - Page 2

CiscoBrownBelt · ‎02-23-2018

I re-ip sub-interface g0/0.1 from let's say 192.168.0.1 to 10.10.10.1. Now device no longer authenticates to TACACs and it did with no issues before. Server IS STILL pingable. Any help? See applicable configs below.

aaa new-model
aaa authentication login default group tacacs+ local line enable
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

ip tacacs source-interface g0/2

ip tacacs server host 192.168.0.50

ip tacacs-server key 7 XXXXXXXXX

CiscoBrownBelt · ‎02-28-2018

Sorry disregard my IM.
Traceroute from the connecting router is good.
The following commands that are currently on the router that is not able to authenticate is good correct:
ip tacacs source-interface g0/2

ip tacacs server host 192.168.0.50

ip tacacs-server key 7 XXXXXXXXX

Georg Pauwen · ‎02-28-2018

Hello,

try and delete the entire TACACS configuration from your device (including no aaa new-model), reload the device, and re-enter everything.

Richard Burts · ‎02-28-2018

Am I understanding correctly that traceroute to the tacacs server from this router gets a response from the next hop router but no responses beyond that and that traceroute to the tacacs server from the next hop router is successful? That would be pretty odd and perhaps suggests that there is some security policy on the next hop router that is impacting connectivity.

Could you clarify what the network topology is between this router and the tacacs server. If the tacacs server is 192.168.0.50 and if the interface that you changed was 192168.0.1 then it seems that the tacacs server was in the local subnet. But with the interface change that would no longer be true. What is the topology and the network path now?

HTH

Rick

HTH

Rick